https://linuxsecurity.com/advisories/deblts/debian-lts-dla-2001-1-libofx-security-update-05-22-13
Actual links:
https://www.debian.org/lts/security/2019/dla-2001
https://lists.debian.org/debian-lts-announce/2019/11/msg00021.html
https://security-tracker.debian.org/tracker/CVE-2019-9656
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924350
Fixed upstream in 0.9.15.
QA Contact: (none) => security
Source RPM: libofx => libofx-0.9.14-1.mga7.src.rpm
Summary: libofx security update CVE-2019-9656 => libofx new security issue CVE-2019-9656
Component: RPM Packages => Security
Assignee: bugsquad => lists.jjorge
Pushed to testing. It can be tested by importing an OFX file with Gnucash or Kmymoney. As no ABI was changed, they do not need a rebuild against the updated lib.

Suggested Advisory:
A security bug was found in the OFX library; upstream version 0.9.15 was released to fix it.
Ref: https://github.com/libofx/libofx/issues/22

SRPM:
libofx-0.9.15-1.mga7.srpm

RPMS:
libofx-0.9.15-1.mga7.i586.rpm
libofx7-0.9.15-1.mga7.i586.rpm
libofx-devel-0.9.15-1.mga7.i586.rpm
CC: (none) => lists.jjorge
Assignee: lists.jjorge => qa-bugs
CC: (none) => herman.viaene
Advisory:
========================

Updated libofx packages fix security vulnerability:

There is a NULL pointer dereference in the function OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by ofxdump (CVE-2019-9656).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9656
https://www.debian.org/lts/security/2019/dla-2001
MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires libofx
lib64ofx7
lib64ofx7
libofx
Tried to test the two commands
$ ofx2qif
[tester7@mach5 ~]$ ofx2qif --help
[tester7@mach5 ~]$ ofx2qif -h
does not get me very far
$ ofxdump -h
ofxdump 0.9.15

ofxdump prints to stdout, in human readable form, everything the library understands about a particular file or response, and sends errors to stderr. To know exactly what the library understands about of a particular ofx response file, just call ofxdump on that file.

Usage: ofxdump [OPTIONS]... [FILES]...
  -h, --help                  Print help and exit
  -V, --version               Print version and exit
  -f, --import-format=STRING  Force the file format of the file(s) specified (default=`AUTODETECT')
      --list-import-formats   List available import file formats 'import-format' command
      --msg_parser            Output file parsing messages (default=off)
      --msg_debug             Output messages meant for debugging (default=off)
      --msg_warning           Output warning messages about abnormal conditions and unknown constructs (default=on)
      --msg_error             Output error messages (default=on)
      --msg_info              Output informational messages about the progress of the library (default=on)
      --msg_status            Output status messages (default=on)
[tester7@mach5 ~]$ ofxdump -V
ofxdump 0.9.15
[tester7@mach5 ~]$ ofxdump --list-import-formats
The supported file formats for the 'input-file-format' argument are:
AUTODETECT (File format will be automatically detected later)
OFX (Open Financial eXchange (OFX or QFX))
OFC (Microsoft Open Financial Connectivity)
QIF (Intuit Quicken Interchange Format) NOT IMPLEMENTED
That's better.
Tried gnucash or skrooge to export such files, but not available. Tried a gnucash file anyway.
$ ofxdump OKRA.gnucash
LibOFX INFO: libofx_proc_file(): File format not specified, autodetecting...
LibOFX ERROR: libofx_detect_file_type(): Failed to identify input file format
LibOFX INFO: libofx_proc_file(): Detected file format: UNKNOWN (File format couldn't be successfully identified)
LibOFX ERROR: libofx_proc_file(): Detected file format not yet supported ou couldn't detect file format; aborting.
That could be expected.
Found example ofx file at https://gist.github.com/jvz/2837829 (will attach the file)
$ ofxdump exampleofx.ofx
LibOFX INFO: libofx_proc_file(): File format not specified, autodetecting...
LibOFX INFO: libofx_proc_file(): Detected file format: OFX (Open Financial eXchange (OFX or QFX))
LibOFX STATUS: find_dtd():DTD found: /usr/share/libofx/dtd/opensp.dcl
LibOFX STATUS: find_dtd():DTD found: /usr/share/libofx/dtd/ofx160.dtd
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate SIGNONMSGSRQV1
(Above message occurred on Line 2, Column 3)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate SONRQ
(Above message occurred on Line 3, Column 5)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate FI
(Above message occurred on Line 8, Column 7)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate BANKMSGSRQV1
(Above message occurred on Line 16, Column 3)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate STMTTRNRQ
(Above message occurred on Line 17, Column 5)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate STMTRQ
(Above message occurred on Line 19, Column 7)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate INCTRAN
(Above message occurred on Line 25, Column 9)
ofx_proc_account():
    Account ID: 987654321 098-121
    Account name: Bank account 098-121
    Account type: SAVINGS
    Bank ID: 987654321
    Account #: 098-121
As far as I understand this looks OK.
Whiteboard: (none) => MGA7-64-OK
Created attachment 11432 [details]
example ofx file
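The manual ofxdump runs above can be turned into a repeatable QA check for the update. The script below is an added example, not part of this bug report or of libofx: it runs ofxdump over a directory of sample OFX files and classifies each run, so a crash of the parser (the failure mode fixed in 0.9.15) is distinguished from a clean parse or an ordinary parse error. It assumes the updated ofxdump is on PATH; the directory path is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the bug report or libofx): regression check
# that runs ofxdump over sample OFX files and reports how each run ended.

# Classify an exit status: 0 = ok, 1..127 = tool reported an error,
# 128+N = terminated by signal N (a segfault gives 139 = 128 + 11).
classify_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        echo "crash(signal $((status - 128)))"
    else
        echo "error($status)"
    fi
}

# Run one command line with its output discarded and classify the result.
# The "|| status=$?" form keeps the function usable under "set -e".
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Walk a directory of .ofx files, print one "result<TAB>file" line each,
# and return non-zero if any file made ofxdump die from a signal.
check_ofx_dir() {
    dir="$1"
    crashed=0
    for f in "$dir"/*.ofx; do
        [ -e "$f" ] || continue
        result=$(run_and_classify ofxdump "$f")
        printf '%s\t%s\n' "$result" "$f"
        case "$result" in crash*) crashed=1 ;; esac
    done
    return $crashed
}

# Usage (placeholder path): check_ofx_dir /path/to/ofx-samples
```

A parse error on a malformed file is the expected outcome after the update; any "crash(signal 11)" line indicates the NULL pointer dereference or a similar defect is still reachable in the installed build.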
Strange: when I try to remove the packages in MCC, I get warnings that this would remove dependent packages from gnucash and skrooge (they are used to import ofx files), but these were not listed by urpmq.
That's because your urpmq command was wrong. You should run it on the library package, not the main package.
CC: (none) => tmb
Keywords: (none) => advisory
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0409.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED