ArchLinux: 201805-19: libofx: denial of service
Summary
ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file, as demonstrated by an ofxdump call.
Resolution
Upgrade to 0.9.13-1.
# pacman -Syu "libofx>=0.9.13-1"
The problem has been fixed upstream in version 0.9.13.
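As an added check that is not part of the advisory or of libofx itself: a POSIX shell script that reads the output of `pacman -Q libofx` and tells you whether the installed package is at or above the fixed version 0.9.13-1. It uses pacman's own `vercmp` when that tool is present and otherwise falls back to a simplified epoch:pkgver-pkgrel comparison written here; the function names, the fallback's comparison rules and the sample version strings are assumptions of this example.

```shell
# Added example (not advisory or libofx code): is the installed libofx fixed?
# Assumed names: FIXED_VERSION, cmp_num_list, split_pkgver, pkgver_ge*,
# libofx_is_fixed. Runs with /bin/sh; pacman/vercmp are optional.

FIXED_VERSION="0.9.13-1"   # package version named in the advisory

# cmp_num_list A B: compare two dot-separated version lists; prints -1, 0 or 1.
# Simplified vercmp: numeric fields compare as integers, missing fields are 0,
# and a field with a non-numeric suffix ("13rc1") sorts below the bare number.
cmp_num_list() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; if [ "$ax" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bx="${b%%.*}"; if [ "$bx" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ax="${ax:-0}"; bx="${bx:-0}"
        an="${ax%%[!0-9]*}"; bn="${bx%%[!0-9]*}"   # leading digits only
        an="${an:-0}"; bn="${bn:-0}"
        if [ "$an" -lt "$bn" ]; then echo -1; return; fi
        if [ "$an" -gt "$bn" ]; then echo 1; return; fi
        if [ "$ax" != "$an" ] && [ "$bx" = "$bn" ]; then echo -1; return; fi
        if [ "$ax" = "$an" ] && [ "$bx" != "$bn" ]; then echo 1; return; fi
    done
    echo 0
}

# split_pkgver "[epoch:]pkgver[-pkgrel]" sets e, v, r (missing parts become 0).
split_pkgver() {
    v="$1"
    case "$v" in *:*) e="${v%%:*}"; v="${v#*:}";; *) e=0;; esac
    case "$v" in *-*) r="${v##*-}"; v="${v%-*}";; *) r=0;; esac
}

# pkgver_ge_simple INSTALLED FIXED: exit 0 if INSTALLED >= FIXED (fallback path).
pkgver_ge_simple() {
    split_pkgver "$1"; e1=$e; v1=$v; r1=$r
    split_pkgver "$2"; e2=$e; v2=$v; r2=$r
    c=$(cmp_num_list "$e1" "$e2")                       # epoch wins first
    if [ "$c" = 0 ]; then c=$(cmp_num_list "$v1" "$v2"); fi   # then pkgver
    if [ "$c" = 0 ]; then c=$(cmp_num_list "$r1" "$r2"); fi   # then pkgrel
    [ "$c" != -1 ]
}

# pkgver_ge INSTALLED FIXED: prefer pacman's vercmp, which implements the
# real ordering rules; fall back to the simplified comparison above.
pkgver_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]
    else
        pkgver_ge_simple "$1" "$2"
    fi
}

# libofx_is_fixed "libofx 0.9.12-1": takes one line of `pacman -Q libofx`
# output and exits 0 when that version is at or above FIXED_VERSION.
libofx_is_fixed() {
    ver="${1#libofx }"
    pkgver_ge "$ver" "$FIXED_VERSION"
}

# Stand-alone use on an Arch host; silently skipped where pacman is absent.
if command -v pacman >/dev/null 2>&1 && installed=$(pacman -Q libofx 2>/dev/null); then
    if libofx_is_fixed "$installed"; then
        echo "OK: $installed is >= $FIXED_VERSION"
    else
        echo "AFFECTED by CVE-2017-14731: $installed is < $FIXED_VERSION"
        echo "Fix: pacman -Syu \"libofx>=$FIXED_VERSION\""
    fi
fi
```

The fallback is deliberately conservative: a pre-release suffix such as 0.9.13rc1 is reported as older than 0.9.13, so a system on a release candidate is still flagged as affected rather than silently passed. On a real Arch system `vercmp` is always installed with pacman, so the fallback only matters when the script is run elsewhere, for example against a saved package inventory.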
References
https://bugs.archlinux.org/task/56544
https://github.com/libofx/libofx/issues/10
https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd
https://security.archlinux.org/CVE-2017-14731
Workaround
None.