Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,
Upstream has fixed CVE-2019-9656; this CVE is non-DSA. I have already
backported the patches to unstable (#924350) and would now like to fix
the Buster version. Please find the debdiff attached.

Best,
Dylan

diff -Nru libofx-0.9.14/debian/changelog libofx-0.9.14/debian/changelog
--- libofx-0.9.14/debian/changelog	2019-02-13 07:51:24.000000000 +0100
+++ libofx-0.9.14/debian/changelog	2019-10-23 08:04:35.000000000 +0200
@@ -1,3 +1,9 @@
+libofx (1:0.9.14-1+deb10u1) buster; urgency=medium
+
+  * Add upstream patch to fix CVE-2019-9656 (Closes: #924350).
+
+ -- Dylan Aïssi <dai...@debian.org>  Wed, 23 Oct 2019 08:04:35 +0200
+
 libofx (1:0.9.14-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
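Review bot: The changelog entry names the CVE but not what it fixes; for a stable update it helps reviewers to state the issue inline, e.g. "Add upstream patch to fix CVE-2019-9656, a NULL pointer dereference on malformed OFX input in ofx_sgml.cpp (Closes: #924350)." The version string 1:0.9.14-1+deb10u1 and the buster target are correct for a pu upload.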
diff -Nru libofx-0.9.14/debian/patches/CVE-2019-9656.patch libofx-0.9.14/debian/patches/CVE-2019-9656.patch
--- libofx-0.9.14/debian/patches/CVE-2019-9656.patch	1970-01-01 01:00:00.000000000 +0100
+++ libofx-0.9.14/debian/patches/CVE-2019-9656.patch	2019-10-23 08:04:35.000000000 +0200
@@ -0,0 +1,17 @@
+Author: Christian Stimming
+Description: Fix CVE-2019-9656.
+Origin: upstream, https://github.com/libofx/libofx/commit/15d0511253
+Bug: https://github.com/libofx/libofx/issues/22
+Bug-Debian: https://bugs.debian.org/924350
+
+--- a/lib/ofx_sgml.cpp
++++ b/lib/ofx_sgml.cpp
+@@ -126,7 +126,7 @@
+       {
+         message_out (PARSER, "Element " + identifier + " found");
+         //BANKTRANLIST ignored, we will process it's attributes directly inside the STATEMENT,
+-        if (curr_container_element->type != "STATEMENT")
++        if (curr_container_element && curr_container_element->type != "STATEMENT")
+         {
+           message_out(ERROR, "Element " + identifier + " found while not inside a STATEMENT container");
+         }
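Review bot: The new guard makes the condition false when curr_container_element is NULL, so an element found with no container at all now passes this check silently instead of logging the "not inside a STATEMENT container" error; please confirm against the upstream commit that the code following this block does not dereference curr_container_element, otherwise the crash just moves a few lines down. If upstream intended to report that case, the check would read `if (!curr_container_element || curr_container_element->type != "STATEMENT")`. Minor DEP-3 point: the header has Author, Origin and Bug fields but no Last-Update line.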
diff -Nru libofx-0.9.14/debian/patches/series libofx-0.9.14/debian/patches/series
--- libofx-0.9.14/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libofx-0.9.14/debian/patches/series	2019-10-23 08:04:35.000000000 +0200
@@ -0,0 +1 @@
+CVE-2019-9656.patch
