Subject: [ASA-201805-19] libofx: denial of service

Arch Linux Security Advisory ASA-201805-19
==========================================

Severity: Medium
Date    : 2018-05-20
CVE-ID  : CVE-2017-14731
Package : libofx
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-536

Summary
=======

The package libofx before version 0.9.13-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 0.9.13-1.

# pacman -Syu "libofx>=0.9.13-1"

The problem has been fixed upstream in version 0.9.13.

Workaround
==========

None.

Description
===========

ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attackers
to cause a denial of service (heap-based buffer over-read and application
crash) via a crafted file, as demonstrated by an ofxdump call.

Impact
======

A remote attacker is able to cause a denial of service via a specially
crafted file.

References
==========

https://bugs.archlinux.org/task/56544
https://github.com/libofx/libofx/issues/10
https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd
https://security.archlinux.org/CVE-2017-14731
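The Resolution section states the fixed package version, 0.9.13-1. The following script is an added example (it is not part of the advisory and not Arch or libofx code) that turns that statement into a fleet-side check: it parses a `pacman -Q libofx` output line and decides whether the installed version is older than the fixed one. The version comparison is a deliberately simplified re-implementation of pacman's ordering for `[epoch:]pkgver-pkgrel`, an assumption made here that pkgver and pkgrel are dot-separated integers, which holds for libofx; on a live Arch system `vercmp(8)` or `pacman -Qu` is the authoritative check.

```python
"""Classify an installed Arch package version against an advisory's fixed version.

Added example for ASA-201805-19; not the advisory's or the project's own code.
Assumption: pkgver and pkgrel consist of dot-separated integers (true for libofx).
"""

# Values taken from the advisory text.
PACKAGE = "libofx"
FIXED_VERSION = "0.9.13-1"


def parse_version(version):
    """Split '[epoch:]pkgver[-pkgrel]' into (epoch, pkgver tuple, pkgrel tuple or None).

    Simplification: only integer segments are supported; a non-numeric segment
    raises ValueError rather than silently misordering.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgrel = None
    if "-" in version:
        version, rel_str = version.rsplit("-", 1)
        pkgrel = tuple(int(x) for x in rel_str.split("."))
    pkgver = tuple(int(x) for x in version.split("."))
    return epoch, pkgver, pkgrel


def compare_versions(a, b):
    """Return -1, 0 or 1 in the style of vercmp(8): negative when a is older than b."""
    epoch_a, ver_a, rel_a = parse_version(a)
    epoch_b, ver_b, rel_b = parse_version(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    if ver_a != ver_b:
        return -1 if ver_a < ver_b else 1
    # pacman compares pkgrel only when both versions carry one.
    if rel_a is not None and rel_b is not None and rel_a != rel_b:
        return -1 if rel_a < rel_b else 1
    return 0


def is_affected(installed_version, fixed_version=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed version."""
    return compare_versions(installed_version, fixed_version) < 0


def check_pacman_q_line(line, package=PACKAGE, fixed_version=FIXED_VERSION):
    """Parse one line of `pacman -Q <pkg>` output, e.g. 'libofx 0.9.12-1',
    and return True when that installation is still affected."""
    name, _, version = line.strip().partition(" ")
    if name != package or not version:
        raise ValueError(f"expected '{package} <version>', got {line!r}")
    return is_affected(version, fixed_version)


if __name__ == "__main__":
    # Constructed sample lines in the format pacman -Q prints; not real host data.
    for sample in ("libofx 0.9.12-1", "libofx 0.9.13-1", "libofx 1:0.9.12-1"):
        state = "AFFECTED" if check_pacman_q_line(sample) else "patched"
        print(f"{sample:24s} -> {state}")
```

The epoch case in the sample list is the reason a naive string comparison is not enough: `1:0.9.12-1` sorts before `0.9.13-1` as text but is the newer package.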