Re: FreeXL 1.0.5 - multiple heap-buffer-overflows
LTS team,
On 02/23/2018 11:30 AM, Sebastiaan Couwenberg wrote:
> Dear Security & LTS Teams,
>
> FreeXL 1.0.5 was released yesterday, it fixes various heap-buffer-overflows:
>
> - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
> https://bugzilla.redhat.com/show_bug.cgi?id=1547879
> - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
> https://bugzilla.redhat.com/show_bug.cgi?id=1547883
> - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
> https://bugzilla.redhat.com/show_bug.cgi?id=1547885
> - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
> 1.0.4
> https://bugzilla.redhat.com/show_bug.cgi?id=1547889
> - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
> FreeXL 1.0.4
> https://bugzilla.redhat.com/show_bug.cgi?id=1547892
>
> From the release announcement:
>
> "
> Few more vulnerabilities affecting FreeXL have been recently
> discovered; for more details please check Red Hat Bugzilla
> Bug 1547879
>
> all reported vulnerabilities are never expected to be encountered
> when reading valid XLS files, and can only affect purposely crafted
> files intended to maliciously trigger some nasty security breach.
>
> the new patched version (FreeXL-1.0.5) sanes any known security
> issue.
>
> [1] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.tar.gz
> [2] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.zip
>
> developers and system packagers are warmly invited to quickly
> adopt FreeXL-1.0.5
>
> note
> ========
> a new error code (FREEXL_CRAFTED_FILE) has been added to FreeXL,
> and it will be returned when a supposed XLS document contains
> "impossible values" (not compatible with the XLS specifications),
> thus leading to a legitimate suspect of a purposely crafted file.
> "
>
> https://groups.google.com/d/topic/spatialite-users/ddE78iVT5b4/discussion
>
>
> I've uploaded freexl (1.0.5-1) to unstable yesterday, and I've
> backported the fix to freexl (1.0.2-2+deb9u2), freexl (1.0.0g-1+deb8u5)
> & freexl (1.0.0b-1+deb7u5) for stretch, jessie & wheezy respectively.
> The changes are available in git:
>
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
>
> Are these OK to upload?

The jessie & stretch updates have been uploaded to security-master after
the OK from the Security Team.

Shall I go ahead with the wheezy update as well?

Kind Regards,

Bas