Bug#943766: buster-pu: package libofx/1:0.9.14-1+deb10u1

2019-11-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2019-10-29 at 15:21 +0100, Dylan Aïssi wrote:
> Upstream has fixed CVE-2019-9656; this CVE is non-dsa. I already
> backported patches to unstable (#924350) and now I would like to fix
> the Buster version. Please find attached a debdiff.
> 

Please go ahead.

Regards,

Adam



Bug#943766: buster-pu: package libofx/1:0.9.14-1+deb10u1

2019-10-29 Thread Dylan Aïssi
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,
Upstream has fixed CVE-2019-9656; this CVE is non-dsa. I already
backported patches to unstable (#924350) and now I would like to fix
the Buster version. Please find attached a debdiff.

Best,
Dylan
diff -Nru libofx-0.9.14/debian/changelog libofx-0.9.14/debian/changelog
--- libofx-0.9.14/debian/changelog	2019-02-13 07:51:24.0 +0100
+++ libofx-0.9.14/debian/changelog	2019-10-23 08:04:35.0 +0200
@@ -1,3 +1,9 @@
+libofx (1:0.9.14-1+deb10u1) buster; urgency=medium
+
+  * Add upstream patch to fix CVE-2019-9656 (Closes: #924350).
+
+ -- Dylan Aïssi   Wed, 23 Oct 2019 08:04:35 +0200
+
 libofx (1:0.9.14-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
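Review bot: The changelog bullet names the CVE but not what the bug is or where it lives, which is what a buster user reading the changelog wants to know; the patch hunk below shows it is a NULL dereference of `curr_container_element` in lib/ofx_sgml.cpp, so consider expanding the entry along the lines of `* Add upstream patch to fix CVE-2019-9656 (NULL pointer dereference in lib/ofx_sgml.cpp when an element is found with no enclosing container) (Closes: #924350).` Note also that #924350 is the unstable bug, already closed by the sid upload, so the `Closes:` here is informational only; referencing this pu request (#943766) in the entry would let the stable tracker link back to it.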
diff -Nru libofx-0.9.14/debian/patches/CVE-2019-9656.patch libofx-0.9.14/debian/patches/CVE-2019-9656.patch
--- libofx-0.9.14/debian/patches/CVE-2019-9656.patch	1970-01-01 01:00:00.0 +0100
+++ libofx-0.9.14/debian/patches/CVE-2019-9656.patch	2019-10-23 08:04:35.0 +0200
@@ -0,0 +1,17 @@
+Author: Christian Stimming
+Description: Fix CVE-2019-9656.
+Origin: upstream, https://github.com/libofx/libofx/commit/15d0511253
+Bug: https://github.com/libofx/libofx/issues/22
+Bug-Debian: https://bugs.debian.org/924350
+
+--- a/lib/ofx_sgml.cpp
 b/lib/ofx_sgml.cpp
+@@ -126,7 +126,7 @@
+   {
+ message_out (PARSER, "Element " + identifier + " found");
+ //BANKTRANLIST ignored, we will process it's attributes directly inside the STATEMENT,
+-if (curr_container_element->type != "STATEMENT")
++if (curr_container_element && curr_container_element->type != "STATEMENT")
+ {
+   message_out(ERROR, "Element " + identifier + " found while not inside a STATEMENT container");
+ }
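Review bot: The added guard `if (curr_container_element && curr_container_element->type != "STATEMENT")` prevents the crash when no container is open, but it also means that case now falls through silently instead of emitting the "found while not inside a STATEMENT container" error; the hunk does not show what follows, so please confirm that the rest of this function (and any other dereference of `curr_container_element` in ofx_sgml.cpp) tolerates a NULL container, or that the upstream commit cited in `Origin:` covers those paths as well. Separately, the file header `+--- a/lib/ofx_sgml.cpp` is followed by a bare ` b/lib/ofx_sgml.cpp` with neither the `+++` marker nor the leading `+` of a debdiff line, so the patch as shown is malformed; this is most likely mail mangling, but check that the file in the actual upload carries `++++ b/lib/ofx_sgml.cpp`, otherwise quilt will refuse it. The DEP-3 `Description:` would also be more useful as "Fix CVE-2019-9656: NULL pointer dereference on malformed OFX input" than as the CVE number alone.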
diff -Nru libofx-0.9.14/debian/patches/series libofx-0.9.14/debian/patches/series
--- libofx-0.9.14/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libofx-0.9.14/debian/patches/series	2019-10-23 08:04:35.0 +0200
@@ -0,0 +1 @@
+CVE-2019-9656.patch