Security update for ledger SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1779-1 Final 1 1 2019-07-21T05:39:40Z current 2019-07-21T05:39:40Z 2019-07-21T05:39:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ledger This update for ledger fixes the following issues: ledger was updated to 3.1.3: + Properly reject postings with a comment right after the flag (bug #1753) + Make sorting order of lot information deterministic (bug #1747) + Fix bug in tag value parsing (bug #1702) + Remove the org command, which was always a hack to begin with (bug #1706) + Provide Docker information in README + Various small documentation improvements This also includes the update to 3.1.2: + Increase maximum length for regex from 255 to 4095 (bug #981) + Initialize periods from from/since clause rather than earliest transaction date (bug #1159) + Check balance assertions against the amount after the posting (bug #1147) + Allow balance assertions with multiple posts to same account (bug #1187) + Fix period duration of 'every X days' and similar statements (bug #370) + Make option --force-color not require --color anymore (bug #1109) + Add quoted_rfc4180 to allow CVS output with RFC 4180 compliant quoting. + Add support for --prepend-format in accounts command + Fix handling of edge cases in trim function (bug #520) + Fix auto xact posts not getting applied to account total during journal parse (bug #552) + Transfer null_post flags to generated postings + Fix segfault when using --market with --group-by + Use amount_width variable for budget report + Keep pending items in budgets until the last day they apply + Fix bug where .total used in value expressions breaks totals + Make automated transactions work with assertions (bug #1127) + Improve parsing of date tokens (bug #1626) + Don't attempt to invert a value if it's already zero (bug #1703) + Do not parse user-specified init-file twice + Fix parsing issue of effective dates (bug #1722, TALOS-2017-0303, CVE-2017-2807) + Fix use-after-free issue with deferred postings (bug #1723, TALOS-2017-0304, CVE-2017-2808) + Fix possible stack overflow in option parsing routine (bug #1222, CVE-2017-12481) + Fix possible stack overflow in date parsing routine (bug #1224, CVE-2017-12482) + Fix use-after-free when using --gain (bug #541) + Python: Removed double quotes from Unicode values. + Python: Ensure that parse errors produce useful RuntimeErrors + Python: Expose journal expand_aliases + Python: Expose journal_t::register_account + Improve bash completion + Emacs Lisp files have been moved to https://github.com/ledger/ledger-mode + Various documentation improvements The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1779 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00031.html E-Mail link for openSUSE-SU-2019:1779-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1052478 SUSE Bug 1052478 https://bugzilla.suse.com/1052484 SUSE Bug 1052484 https://bugzilla.suse.com/1105084 SUSE Bug 1105084 https://www.suse.com/security/cve/CVE-2017-12481/ SUSE CVE CVE-2017-12481 page https://www.suse.com/security/cve/CVE-2017-12482/ SUSE CVE CVE-2017-12482 page https://www.suse.com/security/cve/CVE-2017-2807/ SUSE CVE CVE-2017-2807 page https://www.suse.com/security/cve/CVE-2017-2808/ SUSE CVE CVE-2017-2808 page openSUSE Leap 15.0 openSUSE Leap 15.1 ledger-3.1.3-lp151.3.3.1 ledger-3.1.3-lp151.3.3.1 as a component of openSUSE Leap 15.0 ledger-3.1.3-lp151.3.3.1 as a component of openSUSE Leap 15.1 The find_option function in option.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. CVE-2017-12481 openSUSE Leap 15.0:ledger-3.1.3-lp151.3.3.1 openSUSE Leap 15.1:ledger-3.1.3-lp151.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00031.html https://www.suse.com/security/cve/CVE-2017-12481.html CVE-2017-12481 https://bugzilla.suse.com/1052484 SUSE Bug 1052484 The ledger::parse_date_mask_routine function in times.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. CVE-2017-12482 openSUSE Leap 15.0:ledger-3.1.3-lp151.3.3.1 openSUSE Leap 15.1:ledger-3.1.3-lp151.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00031.html https://www.suse.com/security/cve/CVE-2017-12482.html CVE-2017-12482 https://bugzilla.suse.com/1052478 SUSE Bug 1052478 https://bugzilla.suse.com/1052484 SUSE Bug 1052484 An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability. CVE-2017-2807 openSUSE Leap 15.0:ledger-3.1.3-lp151.3.3.1 openSUSE Leap 15.1:ledger-3.1.3-lp151.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00031.html https://www.suse.com/security/cve/CVE-2017-2807.html CVE-2017-2807 https://bugzilla.suse.com/1052484 SUSE Bug 1052484 An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability. CVE-2017-2808 openSUSE Leap 15.0:ledger-3.1.3-lp151.3.3.1 openSUSE Leap 15.1:ledger-3.1.3-lp151.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00031.html https://www.suse.com/security/cve/CVE-2017-2808.html CVE-2017-2808 https://bugzilla.suse.com/1052484 SUSE Bug 1052484