Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

Upstream has fixed CVE-2019-9656, this CVE is non-dsa. I already backported patches to unstable (#924350) and now I would like to fix the Buster version. Please find attached a debdiff.

Best,
Dylan

diff -Nru libofx-0.9.14/debian/changelog libofx-0.9.14/debian/changelog --- libofx-0.9.14/debian/changelog 2019-02-13 07:51:24.000000000 +0100 +++ libofx-0.9.14/debian/changelog 2019-10-23 08:04:35.000000000 +0200 @@ -1,3 +1,9 @@ +libofx (1:0.9.14-1+deb10u1) buster; urgency=medium + + * Add upstream patch to fix CVE-2019-9656 (Closes: #924350). + + -- Dylan Aïssi <dai...@debian.org> Wed, 23 Oct 2019 08:04:35 +0200 + libofx (1:0.9.14-1) unstable; urgency=medium [ Ondřej Nový ] diff -Nru libofx-0.9.14/debian/patches/CVE-2019-9656.patch libofx-0.9.14/debian/patches/CVE-2019-9656.patch --- libofx-0.9.14/debian/patches/CVE-2019-9656.patch 1970-01-01 01:00:00.000000000 +0100 +++ libofx-0.9.14/debian/patches/CVE-2019-9656.patch 2019-10-23 08:04:35.000000000 +0200 @@ -0,0 +1,17 @@ +Author: Christian Stimming +Description: Fix CVE-2019-9656. +Origin: upstream, https://github.com/libofx/libofx/commit/15d0511253 +Bug: https://github.com/libofx/libofx/issues/22 +Bug-Debian: https://bugs.debian.org/924350 + +--- a/lib/ofx_sgml.cpp ++++ b/lib/ofx_sgml.cpp +@@ -126,7 +126,7 @@ + { + message_out (PARSER, "Element " + identifier + " found"); + //BANKTRANLIST ignored, we will process it's attributes directly inside the STATEMENT, +- if (curr_container_element->type != "STATEMENT") ++ if (curr_container_element && curr_container_element->type != "STATEMENT") + { + message_out(ERROR, "Element " + identifier + " found while not inside a STATEMENT container"); + } diff -Nru libofx-0.9.14/debian/patches/series libofx-0.9.14/debian/patches/series --- libofx-0.9.14/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libofx-0.9.14/debian/patches/series 2019-10-23 08:04:35.000000000 +0200 @@ -0,0 +1 @@ +CVE-2019-9656.patch
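
Review bot: In the lib/ofx_sgml.cpp hunk carried by debian/patches/CVE-2019-9656.patch, the new condition `curr_container_element && curr_container_element->type != "STATEMENT"` evaluates to false when curr_container_element is null, so the "found while not inside a STATEMENT container" error is not reported in exactly the case where there is no container at all, and control continues to whatever follows the if block, which this hunk does not show. Please confirm that the code after the block does not dereference curr_container_element, or treat the null case as an error with `if (!curr_container_element || curr_container_element->type != "STATEMENT")`. The patch header's Description line would also help the release team more if it named the defect (the unchecked curr_container_element pointer) rather than only the CVE number.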