Created attachment 372926: strfmon.c from FreeBSD 11.2

The file borrowed/libc/strfmon.c has a known integer overflow vulnerability (CVE-2008-1391), as documented in, for example:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1391
https://securitytracker.com/id/1019722
https://www.exploit-db.com/exploits/31550/

This file, strfmon.c, was originally taken from FreeBSD. Any version of FreeBSD after 2011 has a fix included. The version of strfmon.c in Gnucash should be updated to this latest version (included as an attachment), although the changed header includes mean some small work will need to be done to integrate it as a patch.

This bug is present not only in the current git HEAD and the released 3.x versions, but also in at least Gnucash 2.6.19 as distributed by Debian and Ubuntu.
Thank you for your report. As we only use strfmon in one specific code spot, I took this as an opportunity to drop our dependency on it completely. The functionality it provided is now implemented via stdlibc++ (c++11) standard conversion functions.

The new implementation will be part of gnucash 3.3. If someone would want to backport this to earlier releases in the 3.x series, the relevant two commits are:

https://github.com/Gnucash/gnucash/commit/34cb4925a4be639e8d3e211ce2020d2190d5a41d
https://github.com/Gnucash/gnucash/commit/54a5097c60496d005f497b2315f063734d8bcd9f