diff options
| author | swills <swills@FreeBSD.org> | 2017-09-26 21:20:00 +0800 |
|---|---|---|
| committer | swills <swills@FreeBSD.org> | 2017-09-26 21:20:00 +0800 |
| commit | f24b2bfe12a6be8ba8bbf7cf7f39edd5cc37be71 (patch) | |
| tree | 81e3574af74bb908b1b8461b8182b4e6d05230c0 /security/vuxml/vuln.xml | |
| parent | 63cec8048c11821d61dadf2bdba49aee1bf170db (diff) | |
| download | freebsd-ports-gnome-f24b2bfe12a6be8ba8bbf7cf7f39edd5cc37be71.tar.gz freebsd-ports-gnome-f24b2bfe12a6be8ba8bbf7cf7f39edd5cc37be71.tar.zst freebsd-ports-gnome-f24b2bfe12a6be8ba8bbf7cf7f39edd5cc37be71.zip | |
Document ledger vulnerabilities
Diffstat (limited to 'security/vuxml/vuln.xml')
| -rw-r--r-- | security/vuxml/vuln.xml | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index f6d51224106a..5157eed7ea04 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,37 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="d843a984-7f22-484f-ba81-483ddbe30dc3"> + <topic>ledger -- multiple vulnerabilities</topic> + <affects> + <package> + <name>ledger</name> + <range><le>3.1.1</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Talos reports:</p> + <blockquote cite="http://www.securityfocus.com/bid/100543"> + <p>An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.</p> + <p>An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.securityfocus.com/bid/100543</url> + <url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303</url> + <url>http://www.securityfocus.com/bid/100546</url> + <url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0304</url> + <cvename>CVE-2017-2808</cvename> + <cvename>CVE-2017-2807</cvename> + </references> + <dates> + <discovery>2017-9-5</discovery> + <entry>2017-9-26</entry> + </dates> + </vuln> + <vuln vid="7801b1e1-99b4-42ac-ab22-7646235e7c16"> <topic>aacplusenc -- denial of service</topic> <affects> |