[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1060688: marked as done (bookworm-pu: package libspreadsheet-parsexlsx-perl/0.27-3+deb12u1)

Your message dated Sat, 10 Feb 2024 13:11:21 +0000
with message-id <E1rYn8b-002ybA-BW@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1060688,
regarding bookworm-pu: package libspreadsheet-parsexlsx-perl/0.27-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1060688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060688
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-perl@packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I've uploaded libspreadsheet-parsexlsx-perl/0.27-3+deb12u1 to
bookworm.

This upload fixes CVE-2024-22368 (potential memory bomb) by adding a
quilt patch, which is taken from 2 upstream commits that are released
in 0.28 (and are in testing/unstable in 0.29-1 since a week).

https://security-tracker.debian.org/tracker/CVE-2024-22368

Complete debdiff attached.


Thanks in advance,
gregor

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmWhs+VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgZ02RAAiWujisM7g1V91tVdZ1N9SKD/n3tdkjpRYRE32OeWMF0su5u8/u0RaWeo
O9bpK8goHQF6gt70K/wqPLNKenj45dH86n01q/rLznd5WvPNtytbK/5btj3nze6q
hRYt5P5a1WG7D8ZKyldYSNX9qMbjvFwTegptdAu0Kq6aAYbECcwVeD0SqzxHPzgL
Q9njmCJSuUVsSVcS5e4xkTNLf1N7Ul1cp46UXbaqe40LgThN9EBLMAg+gZJtS6IM
SzQsfwzaQQmtDyhqcUy/RRBBt7l+F77DvT7UiG1BjjYEM8A4AR9UtOfqGNZWe13C
bXy6ccHzoBx4EvI6RoNFGX2u9RzeiDFlOsCf+3Apqpq/uXQJ4t5cjgI2x0USD/gm
gUwjzrPNzpOyTTK/L2DLs6Y7Yo4vJ7mPo6i5yG+6M+hXpkRyqg0a4EK0VQkbhsci
sEQrJUOOeaAwllLfMoY61P05QB1fpuUOKpNOSS7XqPxgWmyz/lWSyLfYIUiPyHAU
Fx5YBqcYZI292UjH2c3+h0lh2Bj58hV3TzzuzRM5yP2W+7AH0pukjUgwLEhWR25s
Z1rigRFK+Ou46n/HJejDiWn4/OW4veK/mIKYow/WgBnKyL48DyALIu5iEzxTYo7U
1QIPn+ivK5IoR3J34e719SBrSeixcruU6hvNlQJjNgq6msLh5oU=
=YJjE
-----END PGP SIGNATURE-----

diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2022-11-19 21:22:53.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-12 21:25:50.000000000 +0100
@@ -1,3 +1,11 @@
+libspreadsheet-parsexlsx-perl (0.27-3+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix a possible memory bomb. [CVE-2024-22368]
+    Patch taken from two upstream Git commits contained in the 0.28 release.
+
+ -- gregor herrmann <gregoa@debian.org>  Fri, 12 Jan 2024 21:25:50 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-3) unstable; urgency=medium
 
   [ gregor herrmann ]
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch	1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch	2024-01-12 21:25:50.000000000 +0100
@@ -0,0 +1,111 @@
+Description: Fix memory bomb CVE-2024-22368
+Origin: upstream, commits 39b25b9 and 47ff82d, as released in 0.28
+Reviewed-by: gregor herrmann <gregoa@debian.org>
+Last-Update: 2024-01-12
+
+
+From 39b25b91fcb939a9c8ea807fdc80386c1ae5be0c Mon Sep 17 00:00:00 2001
+From: MichaelDaum <daum@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 11:56:25 +0100
+Subject: [PATCH] fix possible memory bomb
+
+as reported in https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
+---
+ lib/Spreadsheet/ParseXLSX.pm | 43 ++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 14 deletions(-)
+
+
+From 47ff82d74fbd014b8ec3cab80fa4fd25db9e8242 Mon Sep 17 00:00:00 2001
+From: MichaelDaum <daum@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 12:23:19 +0100
+Subject: [PATCH] minor rewrite and perltidy
+
+---
+ lib/Spreadsheet/ParseXLSX.pm | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -176,8 +176,6 @@ sub _parse_sheet {
+     $sheet->{MaxCol} = -1;
+     $sheet->{Selection} = [ 0, 0 ];
+ 
+-    my %merged_cells;
+-
+     my @column_formats;
+     my @column_widths;
+     my @columns_hidden;
+@@ -187,7 +185,6 @@ sub _parse_sheet {
+     my $default_row_height   = 15;
+     my $default_column_width = 10;
+ 
+-    my %cells;
+     my $row_idx = 0;
+ 
+     my $sheet_xml = $self->_new_twig(
+@@ -263,11 +260,6 @@ sub _parse_sheet {
+                         $toprow, $leftcol,
+                         $bottomrow, $rightcol,
+                     ];
+-                    for my $row ($toprow .. $bottomrow) {
+-                        for my $col ($leftcol .. $rightcol) {
+-                            $merged_cells{"$row;$col"} = 1;
+-                        }
+-                    }
+                 }
+ 
+                 $twig->purge;
+@@ -415,7 +407,6 @@ sub _parse_sheet {
+                     $cell->{_Value} = $sheet->{_Book}{FmtClass}->ValFmt(
+                         $cell, $sheet->{_Book}
+                     );
+-                    $cells{"$row;$col"} = $cell;
+                     $sheet->{Cells}[$row][$col] = $cell;
+                     $col_idx++;
+                 }
+@@ -428,11 +419,15 @@ sub _parse_sheet {
+ 
+     $sheet_xml->parse( $sheet_file );
+ 
+-    for my $key (keys %merged_cells) {
+-        $cells{$key}{Merged} = 1 if $cells{$key};
+-    }
+-
+-    if ( ! $sheet->{Cells} ){
++    if ( $sheet->{Cells} ) {
++        for my $r ( 0 .. $#{ $sheet->{Cells} } ) {
++            my $row = $sheet->{Cells}[$r] or next;
++            for my $c ( 0 .. $#$row ) {
++                my $cell = $row->[$c] or next;
++                $cell->{Merged} = $self->_is_merged( $sheet, $r, $c );
++            }
++        }
++    } else {
+         $sheet->{MaxRow} = $sheet->{MaxCol} = -1;
+     }
+ 
+@@ -1005,6 +1000,24 @@ sub _dimensions {
+     return ($rmin, $cmin, $rmax, $cmax);
+ }
+ 
++sub _is_merged {
++    my ( $self, $sheet, $row, $col ) = @_;
++
++    return unless $sheet->{MergedArea};
++
++    foreach my $area ( @{ $sheet->{MergedArea} } ) {
++        my ( $topRow, $leftCol, $bottomRow, $rightCol ) = @$area;
++
++        return 1
++          if $topRow <= $row
++          && $leftCol <= $col
++          && $row <= $bottomRow
++          && $col <= $rightCol;
++    }
++
++    return 0;
++}
++
+ sub _cell_to_row_col {
+     my $self = shift;
+     my ($cell) = @_;
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2022-11-19 21:22:53.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-12 21:25:50.000000000 +0100
@@ -1 +1,2 @@
 001_fix-NAME-section-in-pod.patch
+CVE-2024-22368.patch

--- End Message ---
--- Begin Message --- 
Version: 12.5

The upload requested in this bug has been released as part of 12.5.

--- End Message ---
Reply to: