Candidate: CVE-2017-2808
PublicDate: 2017-09-05 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2808
 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0304
 https://github.com/ledger/ledger/commit/f3bad93db256db07b6cb831d4d24f47543f57e4a
Description:
 An exploitable use-after-free vulnerability exists in the account parsing
 component of the Ledger-CLI 3.1.1. A specially crafted ledger file can
 cause a use-after-free vulnerability resulting in arbitrary code execution.
 An attacker can convince a user to load a journal file to trigger this
 vulnerability.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Cory Duplantis
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_ledger:
upstream_ledger: needs-triage
precise/esm_ledger: DNE
trusty_ledger: not-affected
trusty/esm_ledger: DNE (trusty was not-affected)
vivid/ubuntu-core_ledger: DNE
xenial_ledger: ignored (end of standard support, was needed)
zesty_ledger: ignored (reached end-of-life)
artful_ledger: ignored (reached end-of-life)
bionic_ledger: needed
cosmic_ledger: ignored (reached end-of-life)
disco_ledger: released (3.1.2+dfsg1-1)
eoan_ledger: released (3.1.2+dfsg1-1)
focal_ledger: released (3.1.2+dfsg1-1)
groovy_ledger: released (3.1.2+dfsg1-1)
hirsute_ledger: released (3.1.2+dfsg1-1)
impish_ledger: released (3.1.2+dfsg1-1)
jammy_ledger: released (3.1.2+dfsg1-1)
devel_ledger: released (3.1.2+dfsg1-1)