
Re: FreeXL 1.0.2 - multiplication overflow on 32 bit platforms



On 07/19/2015 01:38 PM, Moritz Mühlenhoff wrote:
> On Sun, Jul 19, 2015 at 12:42:41PM +0200, Sebastiaan Couwenberg wrote:
>> On 07/19/2015 12:04 PM, Moritz Mühlenhoff wrote:
>>> On Wed, Jul 15, 2015 at 10:35:25PM +0200, Sebastiaan Couwenberg wrote:
>>>> Dear Security Team,
>>>>
>>>> FreeXL 1.0.2 was released yesterday, it fixes a recently discovered
>>>> security issue. To quote the release announcement:
>>>>
>>>> "
>>>>  RedHat maintainers recently discovered a potential security breach
>>>>  caused by the current version of FreeXL.
>>>>
>>>>  This issue is not very likely to happen under ordinary conditions, anyway
>>>>  a purposely forged XLS document could effectively cause a
>>>>  multiplication overflow on 32 bit platforms, and this in turn will
>>>>  subsequently cause a dangerous crash due to an incorrectly sized
>>>>  memory allocation.
>>>>  freexl-1.0.2 definitely fixes the issue.
>>>> "
>>>>
>>>> https://groups.google.com/d/msg/spatialite-users/UZ7ivR6ASV0/K_8bjP1or_IJ
>>>>
>>>> I've uploaded freexl (1.0.2-1) to unstable today, and I've backported
>>>> the fix to freexl (1.0.0g-1+deb8u2) and freexl (1.0.0b-1+deb7u2) for
>>>> jessie & wheezy respectively. The changes are available in git:
>>>>
>>>> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
>>>> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
>>>>
>>>> Are these OK to upload?
>>>
>>> Yes, please upload to security-master. Since there have been freexl DSAs
>>> for wheezy and jessie before, they don't need to be built with "-sa" this
>>> time.
>>
>> Thanks, uploaded.
> 
> Sorry, I was confused by the version number for jessie, while named
> 1.0.0g-1+deb8u1 it was actually uploaded to unstable before the freeze.
> As a consequence dak rejected the upload, it does need to be rebuilt with
> "-sa", sorry for the mixup.

Thanks for the notice, I've uploaded a new build with -sa.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
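The release announcement quoted above describes a multiplication overflow that leaves a buffer allocated far too small. As an added illustration (not FreeXL's code; the row/column/cell-size names are hypothetical), this shows the unchecked size computation beside an overflow-checked one, using uint32_t so the 32-bit wraparound reproduces on any host:

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Simulate a 32-bit size_t so the wraparound is visible on 64-bit hosts too. */
typedef uint32_t size32_t;

/* Unchecked computation of the kind the announcement describes:
 * rows * cols * cell_size wraps modulo 2^32, so malloc() receives a
 * size unrelated to the data that will later be written into it.
 * Field names are hypothetical, not taken from FreeXL. */
size32_t cells_bytes_unchecked(size32_t rows, size32_t cols, size32_t cell_size)
{
    return rows * cols * cell_size;   /* well-defined unsigned wrap */
}

/* Checked version: each multiplication is tested against UINT32_MAX
 * before it is performed; returns 0 on success, -1 on overflow. */
int cells_bytes_checked(size32_t rows, size32_t cols, size32_t cell_size, size32_t *out)
{
    size32_t cells;
    if (rows != 0 && cols > UINT32_MAX / rows)
        return -1;
    cells = rows * cols;
    if (cells != 0 && cell_size > UINT32_MAX / cells)
        return -1;
    *out = cells * cell_size;
    return 0;
}

/* Allocate only when the size computation did not overflow. */
void *alloc_cells(size32_t rows, size32_t cols, size32_t cell_size)
{
    size32_t bytes;
    if (cells_bytes_checked(rows, cols, cell_size, &bytes) != 0 || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header values a forged sheet might declare: 65536 x 65536 x 1 byte. */
    size32_t rows = 65536, cols = 65536, cell = 1, bytes;
    printf("unchecked size: %u bytes\n", cells_bytes_unchecked(rows, cols, cell)); /* 0 */
    printf("checked size:   %s\n",
           cells_bytes_checked(rows, cols, cell, &bytes) == 0 ? "ok" : "overflow rejected");
    return 0;
}
```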

