Dear Security & LTS Teams,
FreeXL 1.0.5 was released yesterday; it fixes various heap-buffer-overflows:
- heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547879
- heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
https://bugzilla.redhat.com/show_bug.cgi?id=1547883
- heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547885
- heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547889
- heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547892
From the release announcement:
"
Few more vulnerabilities affecting FreeXL have been recently
discovered; for more details please check Red Hat Bugzilla
Bug 1547879
all reported vulnerabilities are never expected to be encountered
when reading valid XLS files, and can only affect purposely crafted
files intended to maliciously trigger some nasty security breach.
the new patched version (FreeXL-1.0.5) sanes any known security
issue.
[1] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.tar.gz
[2] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.zip
developers and system packagers are warmly invited to quickly
adopt FreeXL-1.0.5
note
a new error code (FREEXL_CRAFTED_FILE) has been added to FreeXL,
and it will be returned when a supposed XLS document contains
"impossible values" (not compatible with the XLS specifications),
thus leading to a legitimate suspect of a purposely crafted file.
"
https://groups.google.com/d/topic/spatialite-users/ddE78iVT5b4/discussion
I've uploaded freexl (1.0.5-1) to unstable yesterday, and I've
backported the fix to freexl (1.0.2-2+deb9u2), freexl (1.0.0g-1+deb8u5)
& freexl (1.0.0b-1+deb7u5) for stretch, jessie & wheezy respectively.
The changes are available in git:
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
Are these OK to upload?
Kind Regards,
Bas
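The announcement's note about rejecting "impossible values" can be illustrated with the added C sketch below, which is not part of the original message and is not FreeXL's code. It walks BIFF-style records and returns an error instead of reading past the buffer when a declared length exceeds the bytes that remain; the names next_record, count_records and REC_CRAFTED, and the sample byte streams, are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this sketch; they are not FreeXL's values. */
enum { REC_OK = 0, REC_EOF = 1, REC_CRAFTED = -1 };

struct biff_rec { uint16_t type; uint16_t len; const uint8_t *data; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Read the record at *off and advance *off past it. A BIFF record is a
 * 2-byte type, a 2-byte payload length (both little-endian), then payload. */
int next_record(const uint8_t *buf, size_t size, size_t *off, struct biff_rec *out)
{
    if (*off == size) return REC_EOF;                       /* clean end of stream */
    if (*off > size || size - *off < 4) return REC_CRAFTED; /* truncated header */
    out->type = le16(buf + *off);
    out->len = le16(buf + *off + 2);
    /* The declared length is attacker-controlled: compare it with the bytes
     * that really remain before any pointer into the payload is handed out. */
    if (out->len > size - *off - 4) return REC_CRAFTED;
    out->data = buf + *off + 4;
    *off += 4 + (size_t)out->len;
    return REC_OK;
}

/* Walk a whole stream: number of records, or REC_CRAFTED on the first bad one. */
int count_records(const uint8_t *buf, size_t size)
{
    struct biff_rec r;
    size_t off = 0;
    int n = 0, rc;
    while ((rc = next_record(buf, size, &off, &r)) == REC_OK) n++;
    return rc == REC_EOF ? n : rc;
}

/* Constructed sample streams (payload bytes are arbitrary, not real workbook data). */
static const uint8_t SAMPLE_VALID[] = { 0x09,0x08, 0x02,0x00, 0xAA,0xBB, 0x0A,0x00, 0x00,0x00 };
/* Second record declares 0xFFFF payload bytes, but only one byte follows. */
static const uint8_t SAMPLE_CRAFTED[] = { 0x09,0x08, 0x02,0x00, 0xAA,0xBB, 0xFC,0x00, 0xFF,0xFF, 0x01 };

int main(void)
{
    printf("valid:   %d\n", count_records(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("crafted: %d\n", count_records(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED));
    return 0;
}
```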
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
--- freexl-1.0.0b/debian/changelog 2017-09-16 23:26:04.0 +0200
+++ freexl-1.0.0b/debian/changelog 2018-02-23 11:04:45.0 +0100
@@ -1,3 +1,21 @@
+freexl (1.0.0b-1+deb7u5) wheezy-security; urgency=high
+
+ * Add upstream patch to fix various heap-buffer-overflows.
+- heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+- heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+- heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+- heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
+ 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+- heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
+ FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+
+ -- Bas Couwenberg Fri, 23 Feb 2018 11:04:45 +0100
+
freexl (1.0.0b-1+deb7u4) wheezy-security; urgency=high
* Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
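Review bot: The new 1.0.0b-1+deb7u5 entry identifies the five overflows only by Red Hat Bugzilla URL, whereas the 1.0.0b-1+deb7u4 entry below it names CVE ids; if CVE ids have been assigned to these bugs, cite them in this entry so the upload can be matched to the tracker. The second sub-item reads "parse_SST parse_SST", which looks like a duplicated word next to the "of FreeXL 1.0.4" wording of the other items, and the entry could also name the file it adds (debian/patches/security-fixes-1.0.5.patch) so a reader of the changelog knows where the fix lives.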
diff -Nru freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch
freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch
--- freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch 1970-01-01
01:00:00.0 +0100
+++ freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch 2018-02-23
11:04:45.0 +0100
@@ -0,0 +1,122 @@
+Description: Security fixes from FreeXL 1.0.5.
+ heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ .
+ heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ .
+ heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ .
+ heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ .
+ heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL
1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+ .
+ Reported upstream in:
+ https://groups.google.com/d/topic/spatialite-users/b-d9iB5TDPE/discussion
+Author: Alessandro Furieri
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/1f00f424a24b355e?sbs=0
+https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0
+https://www.gaia-gis.it/fossil/freexl/ci/9907dcec7fc34a91?sbs=0
+
+--- a/headers/freexl.h
b/headers/freexl.h
+@@ -292,6 +292,11 @@ extern "C"
+ #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY-25 /**<