
Bug#1060689: marked as done (bullseye-pu: package libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u1)



Your message dated Sat, 10 Feb 2024 13:02:58 +0000
with message-id <E1rYn0U-002xsg-F9@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1060689,
regarding bullseye-pu: package libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1060689: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060689
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-perl@packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I've uploaded libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u1 to
bullseye.

This upload fixes CVE-2024-22368 (potential memory bomb) by adding a
quilt patch, which is taken from 2 upstream commits that are released
in 0.28 (and have been in testing/unstable in 0.29-1 for a week).

https://security-tracker.debian.org/tracker/CVE-2024-22368

Complete debdiff attached.


Thanks in advance,
gregor

-----BEGIN PGP SIGNATURE-----
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=4oCb
-----END PGP SIGNATURE-----
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2021-01-04 15:20:56.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-12 21:21:42.000000000 +0100
@@ -1,3 +1,11 @@
+libspreadsheet-parsexlsx-perl (0.27-2.1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix a possible memory bomb. [CVE-2024-22368]
+    Patch taken from two upstream Git commits contained in the 0.28 release.
+
+ -- gregor herrmann <gregoa@debian.org>  Fri, 12 Jan 2024 21:21:42 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-2.1) unstable; urgency=medium
 
   * Non maintainer upload by the Reproducible Builds team.
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch	1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch	2024-01-12 21:21:42.000000000 +0100
@@ -0,0 +1,111 @@
+Description: Fix memory bomb CVE-2024-22368
+Origin: upstream, commits 39b25b9 and 47ff82d, as released in 0.28
+Reviewed-by: gregor herrmann <gregoa@debian.org>
+Last-Update: 2024-01-12
+
+
+From 39b25b91fcb939a9c8ea807fdc80386c1ae5be0c Mon Sep 17 00:00:00 2001
+From: MichaelDaum <daum@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 11:56:25 +0100
+Subject: [PATCH] fix possible memory bomb
+
+as reported in https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
+---
+ lib/Spreadsheet/ParseXLSX.pm | 43 ++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 14 deletions(-)
+
+
+From 47ff82d74fbd014b8ec3cab80fa4fd25db9e8242 Mon Sep 17 00:00:00 2001
+From: MichaelDaum <daum@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 12:23:19 +0100
+Subject: [PATCH] minor rewrite and perltidy
+
+---
+ lib/Spreadsheet/ParseXLSX.pm | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -176,8 +176,6 @@ sub _parse_sheet {
+     $sheet->{MaxCol} = -1;
+     $sheet->{Selection} = [ 0, 0 ];
+ 
+-    my %merged_cells;
+-
+     my @column_formats;
+     my @column_widths;
+     my @columns_hidden;
+@@ -187,7 +185,6 @@ sub _parse_sheet {
+     my $default_row_height   = 15;
+     my $default_column_width = 10;
+ 
+-    my %cells;
+     my $row_idx = 0;
+ 
+     my $sheet_xml = $self->_new_twig(
+@@ -263,11 +260,6 @@ sub _parse_sheet {
+                         $toprow, $leftcol,
+                         $bottomrow, $rightcol,
+                     ];
+-                    for my $row ($toprow .. $bottomrow) {
+-                        for my $col ($leftcol .. $rightcol) {
+-                            $merged_cells{"$row;$col"} = 1;
+-                        }
+-                    }
+                 }
+ 
+                 $twig->purge;
+@@ -415,7 +407,6 @@ sub _parse_sheet {
+                     $cell->{_Value} = $sheet->{_Book}{FmtClass}->ValFmt(
+                         $cell, $sheet->{_Book}
+                     );
+-                    $cells{"$row;$col"} = $cell;
+                     $sheet->{Cells}[$row][$col] = $cell;
+                     $col_idx++;
+                 }
+@@ -428,11 +419,15 @@ sub _parse_sheet {
+ 
+     $sheet_xml->parse( $sheet_file );
+ 
+-    for my $key (keys %merged_cells) {
+-        $cells{$key}{Merged} = 1 if $cells{$key};
+-    }
+-
+-    if ( ! $sheet->{Cells} ){
++    if ( $sheet->{Cells} ) {
++        for my $r ( 0 .. $#{ $sheet->{Cells} } ) {
++            my $row = $sheet->{Cells}[$r] or next;
++            for my $c ( 0 .. $#$row ) {
++                my $cell = $row->[$c] or next;
++                $cell->{Merged} = $self->_is_merged( $sheet, $r, $c );
++            }
++        }
++    } else {
+         $sheet->{MaxRow} = $sheet->{MaxCol} = -1;
+     }
+ 
+@@ -1005,6 +1000,24 @@ sub _dimensions {
+     return ($rmin, $cmin, $rmax, $cmax);
+ }
+ 
++sub _is_merged {
++    my ( $self, $sheet, $row, $col ) = @_;
++
++    return unless $sheet->{MergedArea};
++
++    foreach my $area ( @{ $sheet->{MergedArea} } ) {
++        my ( $topRow, $leftCol, $bottomRow, $rightCol ) = @$area;
++
++        return 1
++          if $topRow <= $row
++          && $leftCol <= $col
++          && $row <= $bottomRow
++          && $col <= $rightCol;
++    }
++
++    return 0;
++}
++
+ sub _cell_to_row_col {
+     my $self = shift;
+     my ($cell) = @_;
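Review bot: `_is_merged` returns an empty value from `return unless $sheet->{MergedArea};` but `0` from its final `return 0;`, so the new loop at the end of `_parse_sheet` stores undef in `$cell->{Merged}` on sheets with no merged areas and 0 on sheets that have some; `return 0 unless $sheet->{MergedArea};` would give every cell the same flag shape. That loop also calls `_is_merged` once per populated cell and each call scans the whole `$sheet->{MergedArea}` list, so the work grows with cells times merged areas — presumably the intended trade against the unbounded `%merged_cells` expansion being removed, but worth stating in a comment such as `# Merged-ness is checked per cell rather than expanding every merged range up front (CVE-2024-22368); cost is O(cells * merged areas).`. The new locals `$topRow`, `$leftCol`, `$bottomRow`, `$rightCol` are camelCase while the surrounding code uses snake_case (`$toprow`, `$leftcol`). `_parse_sheet` starts and ends outside the hunk; `_is_merged` is complete within it.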
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2018-04-26 18:14:11.000000000 +0200
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-12 21:21:42.000000000 +0100
@@ -1 +1,2 @@
 001_fix-NAME-section-in-pod.patch
+CVE-2024-22368.patch

--- End Message ---
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
