Fix parsing issue involving effective dates

Cory Duplantis reported that "A specially crafted journal file can cause [an] integer underflow resulting in code execution". Cory provided this test case: Expenses:Food:Groceries $ 37.50 ; ] [=2004/01/01] Note the ] that comes before [ after the ;. This issue was reported and described in great detail by Cory Duplantis of Cisco Talos. This issue is known as TALOS-2017-0303 and has been assigned CVE-2017-2807. Cory's description can be found at https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303 Fixes #1722
author: Martin Michlmayr <tbm@cyrius.com> 2019-01-15 20:55:53 -0300
committer: Martin Michlmayr <tbm@cyrius.com> 2019-01-15 21:02:20 -0300
commit: 5682f377aed5b0db6b6c4a44b1d8868103b7e9f7 (patch)
tree: 86b6cb7ce492e822d50b19d1a9c0281ee148e59c /doc
parent: bec7d3e82c52fd331d73bc9b2006e0ec86a23af9 (diff)
download: fork-ledger-5682f377aed5b0db6b6c4a44b1d8868103b7e9f7.tar.gz
fork-ledger-5682f377aed5b0db6b6c4a44b1d8868103b7e9f7.tar.bz2
fork-ledger-5682f377aed5b0db6b6c4a44b1d8868103b7e9f7.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/doc/NEWS b/doc/NEWS
index c22461ab..80617b08 100644
--- a/doc/NEWS
+++ b/doc/NEWS
@@ -42,6 +42,9 @@
 
 - Do not parse user-specified init-file twice
 
+- Fix parsing issue of effective dates (bug #1722, TALOS-2017-0303,
+  CVE-2017-2807)
+
 - Python: Removed double quotes from Unicode values.
 
 - Python: Ensure that parse errors produce useful RuntimeErrors
author	Martin Michlmayr <tbm@cyrius.com>	2019-01-15 20:55:53 -0300
committer	Martin Michlmayr <tbm@cyrius.com>	2019-01-15 21:02:20 -0300
commit	5682f377aed5b0db6b6c4a44b1d8868103b7e9f7 (patch)
tree	86b6cb7ce492e822d50b19d1a9c0281ee148e59c /doc
parent	bec7d3e82c52fd331d73bc9b2006e0ec86a23af9 (diff)
download	fork-ledger-5682f377aed5b0db6b6c4a44b1d8868103b7e9f7.tar.gz fork-ledger-5682f377aed5b0db6b6c4a44b1d8868103b7e9f7.tar.bz2 fork-ledger-5682f377aed5b0db6b6c4a44b1d8868103b7e9f7.zip