Candidate: CVE-2017-2807
PublicDate: 2017-09-05 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2807
 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303
 https://github.com/ledger/ledger/commit/5682f377aed5b0db6b6c4a44b1d8868103b7e9f7
Description:
 An exploitable buffer overflow vulnerability exists in the tag parsing
 functionality of Ledger-CLI 3.1.1. A specially crafted journal file can
 cause an integer underflow resulting in code execution. An attacker can
 construct a malicious journal file to trigger this vulnerability.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_ledger:
upstream_ledger: needs-triage
precise/esm_ledger: DNE
trusty_ledger: not-affected
trusty/esm_ledger: DNE (trusty was not-affected)
vivid/ubuntu-core_ledger: DNE
xenial_ledger: ignored (end of standard support, was needed)
zesty_ledger: ignored (reached end-of-life)
artful_ledger: ignored (reached end-of-life)
bionic_ledger: needed
cosmic_ledger: ignored (reached end-of-life)
disco_ledger: released (3.1.2+dfsg1-1)
eoan_ledger: released (3.1.2+dfsg1-1)
focal_ledger: released (3.1.2+dfsg1-1)
groovy_ledger: released (3.1.2+dfsg1-1)
hirsute_ledger: released (3.1.2+dfsg1-1)
impish_ledger: released (3.1.2+dfsg1-1)
jammy_ledger: released (3.1.2+dfsg1-1)
devel_ledger: released (3.1.2+dfsg1-1)