Hello community, here is the log from the commit of package libofx for openSUSE:Factory checked in at 2018-04-05 15:32:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libofx (Old) and /work/SRC/openSUSE:Factory/.libofx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libofx" Thu Apr 5 15:32:32 2018 rev:33 rq:593415 version:0.9.12 Changes: -------- --- /work/SRC/openSUSE:Factory/libofx/libofx.changes 2016-03-07 13:27:20.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libofx.new/libofx.changes 2018-04-05 15:32:42.281848959 +0200 @@ -1,0 +2,16 @@ +Thu Mar 22 13:25:26 UTC 2018 - dimstar@opensuse.org + +- Update to version 0.9.12: + + Fixing a buffer overflow (CVE-2017-2816). +- Add libofx-CVE-2017-14731.patch: Fix a buffer overflow on + unexpected tag names (CVE-2017-14731, boo#1060437). + +------------------------------------------------------------------- +Wed Sep 14 14:21:49 UTC 2016 - fcrozat@suse.com + +- Update to version 0.9.11: + + Add support for client uid, from kde#366326 bug. +- Rename libofx6 subpackage to libofx7, following the soname bump. +- Delete backup files that should not be in the tarball. + +------------------------------------------------------------------- Old: ---- libofx-0.9.10.tar.gz New: ---- libofx-0.9.12.tar.gz libofx-CVE-2017-14731.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libofx.spec ++++++ --- /var/tmp/diff_new_pack.LnLNFn/_old 2018-04-05 15:32:43.225814841 +0200 +++ /var/tmp/diff_new_pack.LnLNFn/_new 2018-04-05 15:32:43.229814697 +0200 
@@ -1,7 +1,7 @@ # # spec file for package libofx # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,13 +17,15 @@ Name: libofx -Version: 0.9.10 +Version: 0.9.12 Release: 0 Summary: OFX Command Parser and API -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Development/Libraries/Other -Url: http://libofx.sourceforge.net/ -Source: http://downloads.sourceforge.net/project/libofx/libofx/0.9.10/%{name}-%{version}.tar.gz +URL: http://libofx.sourceforge.net/ +Source: http://downloads.sourceforge.net/project/libofx/libofx/%{name}-%{version}.tar.gz +# PATCH-FIX-UPSTREAM libofx-CVE-2017-14731.patch dimstar@opensuse.org -- Fix a buffer overflow +Patch0: libofx-CVE-2017-14731.patch BuildRequires: curl-devel BuildRequires: doxygen BuildRequires: fdupes @@ -32,7 +34,6 @@ BuildRequires: opensp-devel BuildRequires: pkgconfig BuildRequires: pkgconfig(libxml++-2.6) >= 2.6 -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description LibOFX is a parser and API designed to allow applications to support @@ -44,12 +45,12 @@ It has since evolved into a generic library, so all OpenSource Financial software can benefit from it." -%package -n libofx6 +%package -n libofx7 Summary: OFX Command Parser and API Group: Development/Libraries/Other Requires: %{name} >= %{version} -%description -n libofx6 +%description -n libofx7 LibOFX is a parser and API designed to allow applications to support OFX command responses, usually provided by financial institutions for statement downloads. The author says, "To my knowledge, it is the first @@ -77,6 +78,7 @@ %prep %setup -q +%patch0 -p1 chmod -x doc/ofx_sample_files/ofx_spec160_stmtrs_example.sgml %build 
@@ -90,12 +92,12 @@ rm %{buildroot}%{_defaultdocdir}/%{name}/INSTALL cp -a doc/ofx_sample_files/*.* %{buildroot}%{_defaultdocdir}/%{name}/ cp -a doc/html %{buildroot}%{_defaultdocdir}/%{name}/ -%fdupes %{buildroot} +%fdupes %{buildroot}%{_prefix} rm -f %{buildroot}%{_libdir}/*.la -%post -n libofx6 -p /sbin/ldconfig +%post -n libofx7 -p /sbin/ldconfig -%postun -n libofx6 -p /sbin/ldconfig +%postun -n libofx7 -p /sbin/ldconfig %files %defattr(-,root,root) @@ -106,7 +108,7 @@ %{_datadir}/libofx/ %{_mandir}/man1/*.1%{?ext_man} -%files -n libofx6 +%files -n libofx7 %defattr (-, root, root) %{_libdir}/*.so.* @@ -119,7 +121,4 @@ %{_includedir}/libofx/ %{_libdir}/pkgconfig/libofx.pc -%clean -rm -rf %{buildroot} - %changelog ++++++ libofx-0.9.10.tar.gz -> libofx-0.9.12.tar.gz ++++++ ++++ 52247 lines of diff (skipped) ++++++ libofx-CVE-2017-14731.patch ++++++
From fad8418f34094de42e1307113598e0e8bee0a2bd Mon Sep 17 00:00:00 2001 From: Christian Stimming
Date: Sat, 28 Oct 2017 17:43:35 +0200 Subject: [PATCH] Fix potential heap overflow as asked by issue#10
https://github.com/libofx/libofx/issues/10
---
 lib/ofx_preproc.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/ofx_preproc.cpp b/lib/ofx_preproc.cpp
index f07f274..4dbe0aa 100644
--- a/lib/ofx_preproc.cpp
+++ b/lib/ofx_preproc.cpp
@@ -88,7 +88,6 @@ int ofx_proc_file(LibofxContextPtr ctx, const char * p_filename)
 ifstream input_file;
 ofstream tmp_file;
 char buffer[READ_BUFFER_SIZE];
- char *iconv_buffer;
 string s_buffer;
 char *filenames[3];
 char tmp_filename[256];
@@ -306,9 +305,9 @@ int ofx_proc_file(LibofxContextPtr ctx, const char * p_filename)
 if (file_is_xml == false)
 {
 #ifdef HAVE_ICONV
- size_t inbytesleft = strlen(s_buffer.c_str());
+ size_t inbytesleft = s_buffer.size();
 size_t outbytesleft = inbytesleft * 2 - 1;
- iconv_buffer = (char*) malloc (inbytesleft * 2);
+ char * iconv_buffer = (char*) malloc (inbytesleft * 2);
 memset(iconv_buffer, 0, inbytesleft * 2);
 #if defined(OS_WIN32) || defined(__sun) || defined(__NetBSD__)
 const char * inchar = (const char *)s_buffer.c_str();
@@ -321,9 +320,11 @@ int ofx_proc_file(LibofxContextPtr ctx, const char * p_filename)
 &outchar, &outbytesleft);
 if (iconv_retval == -1)
 {
- message_out(ERROR, "ofx_proc_file(): Conversion error");
+ message_out(ERROR, "ofx_proc_file(): Iconv conversion error");
 }
- s_buffer = iconv_buffer;
+ // All validly converted bytes will be copied to the
+ // original buffer
+ s_buffer = std::string(iconv_buffer, outchar - iconv_buffer);
 free (iconv_buffer);
 #endif
 }
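Review bot: The new `char * iconv_buffer = (char*) malloc (inbytesleft * 2);` line in the second hunk is still passed to `memset` and then to iconv without a null check, and if `s_buffer` can be empty at this point (not visible here) the context line `size_t outbytesleft = inbytesleft * 2 - 1;` wraps to `SIZE_MAX`, telling iconv that a zero-byte allocation is unbounded. Guard both before the memset, e.g. `if (inbytesleft == 0 || iconv_buffer == NULL) { message_out(ERROR, "ofx_proc_file(): iconv buffer unavailable"); }` followed by leaving the conversion block on the function's existing error path. ofx_proc_file starts and ends outside the hunk, so the return value to use is not visible from the patch. Sizing a `std::vector<char>` or `std::string` to `inbytesleft * 2` instead would also make the `free (iconv_buffer)` in the third hunk unnecessary.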
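Review bot: In the third hunk, when `iconv_retval == -1` the new `s_buffer = std::string(iconv_buffer, outchar - iconv_buffer);` still runs after the error is only logged, so an E2BIG (output exceeding `inbytesleft * 2 - 1`, which can happen if the target encoding expands a byte to more than two output bytes) or EILSEQ failure silently replaces the OFX data with a truncated prefix that is then parsed. The failure should be visible to the caller rather than logged and ignored: record `errno` alongside the message and either keep the original `s_buffer` or return the function's error status instead of continuing with partial data. `outchar` and `iconv_retval` are declared between the hunks and ofx_proc_file continues outside this hunk, so the exact bail-out form has to be chosen in the full file.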