
Bug#1061578: marked as done (bullseye-pu: package libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u2)



Your message dated Sat, 10 Feb 2024 13:02:59 +0000
with message-id <E1rYn0V-002xtQ-0g@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1061578,
regarding bullseye-pu: package libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061578: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061578
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-perl@packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I've uploaded libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u2 to
bullseye to fix a non-DSA security bug: CVE-2024-22368 / #1061098 (XEE
injection vulnerability).

The patch is just one line [0] and is taken from upstream Git / upstream
release 0.30. The fix has been included in trixie and sid in 0.31-1 for a
couple of days.

Full debdiff against -deb11u1 in oldstable-proposed-updates attached.


Thanks in advance,
gregor


[0]
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-12 21:21:42.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-26 20:34:16.000000000 +0100
@@ -1,3 +1,13 @@
+libspreadsheet-parsexlsx-perl (0.27-2.1+deb11u2) bullseye; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix an xml external entity (XEE) injection bug.
+    [CVE-2024-23525]
+    Patch taken from an upstream Git commit contained in the 0.30 release.
+    (Closes: #1061098)
+
+ -- gregor herrmann <gregoa@debian.org>  Fri, 26 Jan 2024 20:34:16 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-2.1+deb11u1) bullseye; urgency=medium
 
   * Team upload.
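Review bot: the CVE identifier in this changelog entry (CVE-2024-23525, also used as the patch file name) does not match the cover mail, which calls the bug CVE-2024-22368; since debian/patches/series already carries CVE-2024-22368.patch from the previous upload, the changelog id is the one that belongs to this fix, and the cover mail's id should be corrected so the two advisories are not confused. Also consider "XML external entity (XXE)", the usual abbreviation, in place of "xml external entity (XEE)", given that the option being set is `no_xxe`.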
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	2024-01-26 20:34:16.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix xml external entity (XEE) injection bug CVE-2024-23525
+Origin: upstream, commit 1d55f90, as released in 0.30
+Reviewed-by: gregor herrmann <gregoa@debian.org>
+Last-Update: 2024-01-26
+Bug-Debian: https://bugs.debian.org/1061098
+Bug: https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
+
+From 1d55f90caf433c7442e5be21a1849af2b5522ffe Mon Sep 17 00:00:00 2001
+From: Michael Daum <daum@michaeldaumconsulting.com>
+Date: Wed, 17 Jan 2024 12:31:20 +0100
+Subject: [PATCH] Fixed xml external entity (XEE) injection bug
+
+reported by @phvietan, fixes issue #10
+
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );
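Review bot: `no_xxe => 1` is placed before `%opts` in the argument list, so any caller that passes `no_xxe => 0` (or `no_xxe => undef`) in `%opts` silently re-enables external entity loading, because the later duplicate key wins. If that override is not intended, put the flag after the spread, e.g. `%opts, no_xxe => 1,`, or delete `no_xxe` from `%opts` first. The patch also carries no regression test; a minimal workbook part with `<!ENTITY xxe SYSTEM "...">` parsed under the new default would document the intended behaviour and keep a one-line fix from being lost on the next refresh.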
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-12 21:21:42.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-26 20:34:16.000000000 +0100
@@ -1,2 +1,3 @@
 001_fix-NAME-section-in-pod.patch
 CVE-2024-22368.patch
+CVE-2024-23525.patch

--- End Message ---
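The one-line fix in the report above sets XML::Twig's `no_xxe` option; the following is an added example, not code from the bug report, the Debian package or upstream Spreadsheet::ParseXLSX, that shows what the flag closes. It parses a constructed, hostile shared-strings part with XML::Twig directly as a stand-in for the parser's `_new_twig` wrapper; the helper names `first_cell_text` and `effective_no_xxe`, the temporary "secret" file and the sample XML are all invented for the demonstration, and the unpatched case assumes the usual setup in which LWP is installed so that XML::Parser's built-in external entity handler accepts a `file://` URL (without LWP the built-in handler expects a plain path).

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or the package): demonstrates the
# XML external entity (XXE) read that no_xxe => 1 stops, using XML::Twig
# directly as a stand-in for Spreadsheet::ParseXLSX's _new_twig wrapper.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::Twig;

# Constructed "secret": a local file the parser must never read on behalf of
# an attacker-supplied workbook part.
my ( $fh, $secret_path ) = tempfile( UNLINK => 1 );
print {$fh} "SECRET-MARKER-42\n";
close $fh;

# Constructed hostile part, shaped like xl/sharedStrings.xml from an .xlsx
# (ParseXLSX feeds these parts to XML::Twig). The DOCTYPE declares an external
# entity whose SYSTEM id is the secret file; &xxe; then inlines its contents.
my $hostile = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sst [ <!ENTITY xxe SYSTEM "file://$secret_path"> ]>
<sst><si><t>&xxe;</t></si></sst>
XML

# Parse $hostile with the given XML::Twig options and return what the
# application would see in the first <t> cell, or the parser's error message.
sub first_cell_text {
    my %twig_opts = @_;
    my $twig = XML::Twig->new(%twig_opts);
    my $text = eval {
        $twig->parse($hostile);
        $twig->root->first_descendant('t')->text;
    };
    return "parser refused: $@" unless defined $text;
    chomp $text;
    return "text=[$text]";
}

# Mirror of the patched constructor call: the hard-coded no_xxe => 1 followed
# by the caller's %opts, in the same order as the hunk. In a Perl list-to-hash
# assignment the later duplicate key wins.
sub effective_no_xxe {
    my %caller_opts = @_;
    my %merged = ( no_xxe => 1, keep_original_prefix => 1, %caller_opts );
    return $merged{no_xxe};
}

# 1. Unpatched (0.27): no no_xxe option, so XML::Parser's built-in ExternEnt
#    handler fetches the SYSTEM id (assumption: LWP installed, so file:// URLs
#    are accepted) and the secret lands in the cell text.
print "unpatched : ", first_cell_text(), "\n";

# 2. Patched: no_xxe => 1 disables external entity resolution. Depending on the
#    XML::Twig version the parse dies or &xxe; expands to nothing; either way
#    the file contents never reach the caller.
print "patched   : ", first_cell_text( no_xxe => 1 ), "\n";

# 3. Caveat of the option ordering in the hunk: with no caller options the
#    flag stays on, but a caller passing no_xxe => 0 in %opts overrides it.
print "merged no_xxe, no caller opts   : ", effective_no_xxe(), "\n";
print "merged no_xxe, caller no_xxe=>0 : ", effective_no_xxe( no_xxe => 0 ), "\n";
```

Run it once against the installed libxml-twig-perl: the unpatched line prints the marker from the temporary file, which is exactly what an attacker-controlled .xlsx gets out of an unpatched 0.27 for any path readable by the process (`/etc/passwd` is the classic target). The third pair of lines is the practical reason to check the position of `%opts` in the fixed constructor call before relying on the flag from code that forwards user-controlled parser options.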
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
