Re: FreeXL 1.0.2 - multiplication overflow on 32 bit platforms
On 07/15/2015 10:35 PM, Sebastiaan Couwenberg wrote:
> Dear Security Team,
>
> FreeXL 1.0.2 was released yesterday, it fixes a recently discovered
> security issue. To quote the release announcement:
>
> "
> RedHat maintainers recently discovered a potential security breach
> caused by the current version of FreeXL.
>
> This issue is not very likely to happen under ordinary conditions, anyway
> a purposely forged XLS document could effectively cause a
> multiplication overflow on 32 bit platforms, and this in turn will
> subsequently cause a dangerous crash due to an incorrectly sized
> memory allocation.
> freexl-1.0.2 definitely fixes the issue.
> "
>
> https://groups.google.com/d/msg/spatialite-users/UZ7ivR6ASV0/K_8bjP1or_IJ
>
> I've uploaded freexl (1.0.2-1) to unstable today, and I've backported
> the fix to freexl (1.0.0g-1+deb8u2) and freexl (1.0.0b-1+deb7u2) for
> jessie & wheezy respectively. The changes are available in git:
>
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
>
> Are these OK to upload?
freexl (1.0.2-1) migrated to testing, but the issue still affects wheezy
& jessie.
Do you consider this issue serious enough to fix in (old)oldstable, or
should I just drop the changes I prepared for those?
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
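The bug class behind the quoted announcement, as an added illustration that is not FreeXL's code: a sheet's buffer size computed as rows * cols * cell_size wraps in a 32-bit size_t, so a forged header can produce a tiny allocation; the checked variant rejects any product that would exceed the platform limit. Field names and the header layout are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Models the bug class from the FreeXL 1.0.2 announcement, not its real
 * code: the byte count for a sheet is rows * cols * cell_size, and on a
 * 32-bit platform that product silently wraps in a 32-bit size_t.
 * Field names and the XLS-header layout are assumptions for illustration. */

/* Unchecked arithmetic in a 32-bit size_t (uint32_t stands in for it). */
uint32_t naive_sheet_bytes32(uint32_t rows, uint32_t cols, uint32_t cell_size)
{
    return rows * cols * cell_size;      /* wraps modulo 2^32 */
}

/* Overflow-checked version. `limit` is the platform's SIZE_MAX (pass
 * UINT32_MAX to model 32-bit). Returns the byte count, or 0 if any
 * factor is zero or a partial product would exceed `limit`, so a forged
 * header can never yield an undersized buffer. */
uint64_t checked_sheet_bytes(uint32_t rows, uint32_t cols,
                             uint32_t cell_size, uint64_t limit)
{
    uint64_t rc;
    if (rows == 0 || cols == 0 || cell_size == 0)
        return 0;
    if (rows > limit / cols)             /* rows * cols would overflow */
        return 0;
    rc = (uint64_t)rows * cols;
    if (rc > limit / cell_size)          /* (rows*cols) * cell_size would overflow */
        return 0;
    return rc * cell_size;
}

/* Allocate the sheet buffer only when the size survived the checks. */
void *alloc_sheet32(uint32_t rows, uint32_t cols, uint32_t cell_size)
{
    uint64_t n = checked_sheet_bytes(rows, cols, cell_size, UINT32_MAX);
    if (n == 0)
        return NULL;                     /* reject the document */
    return malloc((size_t)n);
}

int main(void)
{
    /* Constructed forged header: 65536 x 65537 one-byte cells. */
    printf("naive 32-bit size:   %u\n", naive_sheet_bytes32(65536, 65537, 1));
    printf("checked 32-bit size: %llu (0 = rejected)\n",
           (unsigned long long)checked_sheet_bytes(65536, 65537, 1, UINT32_MAX));
    printf("honest 100 x 10 x 8: %llu\n",
           (unsigned long long)checked_sheet_bytes(100, 10, 8, UINT32_MAX));
    return 0;
}
```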