
Re: FreeXL 1.0.2 - multiplication overflow on 32 bit platforms

On Wed, Jul 15, 2015 at 10:35:25PM +0200, Sebastiaan Couwenberg wrote:
> Dear Security Team,
> FreeXL 1.0.2 was released yesterday, it fixes a recently discovered
> security issue. To quote the release announcement:
> "
>  RedHat maintainers recently discovered a potential security breach
>  caused by the current version of FreeXL.
>  This issue is not very likely to happen under ordinary conditions, anyway
>  a purposely forged XLS document could effectively cause a
>  multiplication overflow on 32 bit platforms, and this in turn will
>  subsequently cause a dangerous crash due to an incorrectly sized
>  memory allocation.
>  freexl-1.0.2 definitely fixes the issue.
> "
> https://groups.google.com/d/msg/spatialite-users/UZ7ivR6ASV0/K_8bjP1or_IJ
> I've uploaded freexl (1.0.2-1) to unstable today, and I've backported
> the fix to freexl (1.0.0g-1+deb8u2) and freexl (1.0.0b-1+deb7u2) for
> jessie & wheezy respectively. The changes are available in git:
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
> Are these OK to upload?

Yes, please upload to security-master. Since there have been freexl DSAs
for wheezy and jessie before, they don't need to be built with "-sa" this
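The bug class the announcement describes, as an added illustration that is neither FreeXL's code nor part of this thread: a rows x columns x cell-size product is computed in 32-bit unsigned arithmetic with no range check, so a crafted header can wrap it to a small value that is then handed to the allocator, and every later write into that buffer runs past its end. The function names (`checked_size`, `unchecked_size32`, `alloc_cells`) and the header values are constructed for this example; the checked variant tests each multiplication against `SIZE_MAX` before allocating and refuses the request instead of wrapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Compute rows * cols * elem_size without silently wrapping.
 * Returns 1 and stores the product in *out when it fits in size_t,
 * otherwise returns 0 and leaves *out untouched. Hypothetical helper. */
int checked_size(size_t rows, size_t cols, size_t elem_size, size_t *out)
{
    size_t cells, bytes;

    /* rows * cols overflows iff cols > SIZE_MAX / rows (for rows != 0) */
    if (rows != 0 && cols > SIZE_MAX / rows)
        return 0;
    cells = rows * cols;

    /* cells * elem_size overflows iff elem_size > SIZE_MAX / cells */
    if (cells != 0 && elem_size > SIZE_MAX / cells)
        return 0;
    bytes = cells * elem_size;

    *out = bytes;
    return 1;
}

/* The same product as a 32-bit build computes it with no check: the
 * result wraps modulo 2^32, so large header values yield a tiny size.
 * Constructed to show the failure mode, not taken from FreeXL. */
uint32_t unchecked_size32(uint32_t rows, uint32_t cols, uint32_t elem_size)
{
    return rows * cols * elem_size;
}

/* Allocate a cell table only when the size computation is sound;
 * returns NULL (like a failed malloc) when the dimensions do not fit. */
void *alloc_cells(size_t rows, size_t cols, size_t elem_size)
{
    size_t bytes;

    if (!checked_size(rows, cols, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 one-byte cells is
     * exactly 2^32 bytes, which a 32-bit multiply wraps to 0. */
    uint32_t rows = 65536, cols = 65536;
    size_t bytes;

    printf("unchecked 32-bit size: %u bytes\n",
           (unsigned)unchecked_size32(rows, cols, 1));

    if (checked_size(SIZE_MAX, 2, 1, &bytes))
        printf("checked: %zu bytes\n", bytes);
    else
        printf("checked: dimensions rejected, no allocation made\n");

    return 0;
}
```

The check is done per multiplication rather than on the final product because the wrap happens at each step; a single `bytes / elem_size != cells` test after the fact would miss an overflow in the earlier `rows * cols` step.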
