
Re: FreeXL 1.0.5 - multiple heap-buffer-overflows



LTS team,

On 02/23/2018 11:30 AM, Sebastiaan Couwenberg wrote:
> Dear Security & LTS Teams,
> 
> FreeXL 1.0.5 was released yesterday, it fixes various heap-buffer-overflows:
> 
> - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547879
> - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547883
> - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547885
> - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
>   1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547889
> - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
>   FreeXL 1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547892
> 
> From the release announcement:
> 
> "
>  Few more vulnerabilities affecting FreeXL have been recently
>  discovered; for more details please check Red Hat Bugzilla
>  Bug 1547879
> 
>  all reported vulnerabilities are never expected to be encountered
>  when reading valid XLS files, and can only affect purposely crafted
>  files intended to maliciously trigger some nasty security breach.
> 
>  the new patched version (FreeXL-1.0.5) sanes any known security
>  issue.
> 
>  [1] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.tar.gz
>  [2] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.zip
> 
>  developers and system packagers are warmly invited to quickly
>  adopt FreeXL-1.0.5
> 
>  note
>  ========
>  a new error code (FREEXL_CRAFTED_FILE) has been added to FreeXL,
>  and it will be returned when a supposed XLS document contains
>  "impossible values" (not compatible with the XLS specifications),
>  thus leading to a legitimate suspect of a purposely crafted file.
> "
> 
> https://groups.google.com/d/topic/spatialite-users/ddE78iVT5b4/discussion
> 
> 
> I've uploaded freexl (1.0.5-1) to unstable yesterday, and I've
> backported the fix to freexl (1.0.2-2+deb9u2), freexl (1.0.0g-1+deb8u5)
> & freexl (1.0.0b-1+deb7u5) for stretch, jessie & wheezy respectively.
> The changes are available in git:
> 
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
> 
> Are these OK to upload?

The jessie & stretch updates have been uploaded to security-master after
the OK from the Security Team.

Shall I go ahead with the wheezy update as well?

Kind Regards,

Bas

