
Bug#1061579: marked as done (bookworm-pu: package libspreadsheet-parsexlsx-perl/0.27-3+deb12u2)



Your message dated Sat, 10 Feb 2024 13:11:22 +0000
with message-id <E1rYn8c-002ycT-0e@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1061579,
regarding bookworm-pu: package libspreadsheet-parsexlsx-perl/0.27-3+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061579
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-perl@packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I've uploaded libspreadsheet-parsexlsx-perl/0.27-3+deb12u2 to
bookworm to fix a non-DSA security bug: CVE-2024-22368 / #1061098 (XEE
injection vulnerability).

The patch is just one line [0] and is taken from upstream Git / upstream
release 0.30. The fix has been included in trixie and sid in 0.31-1 for a
couple of days.

Full debdiff against -deb12u1 in proposed-updates attached.


Thanks in advance,
gregor


[0]
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-12 21:25:50.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-26 20:37:26.000000000 +0100
@@ -1,3 +1,13 @@
+libspreadsheet-parsexlsx-perl (0.27-3+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix an xml external entity (XEE) injection bug.
+    [CVE-2024-23525]
+    Patch taken from an upstream Git commit contained in the 0.30 release.
+    (Closes: #1061098)
+
+ -- gregor herrmann <gregoa@debian.org>  Fri, 26 Jan 2024 20:37:26 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-3+deb12u1) bookworm; urgency=medium
 
   * Team upload.
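Review bot: the CVE identifier in this changelog entry, `[CVE-2024-23525]`, does not match the cover mail, which names CVE-2024-22368 for the same bug #1061098. The series hunk further down shows a CVE-2024-22368.patch already present from the earlier deb12u1 upload, so the changelog looks like the consistent one and the cover mail is what should be double-checked before the tracker entry is written. Also, "xml external entity (XEE)" is a non-standard acronym; the usual one is XXE, and since the Debian changelog is what users and the security tracker read, writing "XML external entity (XXE) injection" here would avoid confusion even though the upstream commit subject uses XEE.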
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	2024-01-26 20:37:26.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix xml external entity (XEE) injection bug CVE-2024-23525
+Origin: upstream, commit 1d55f90, as released in 0.30
+Reviewed-by: gregor herrmann <gregoa@debian.org>
+Last-Update: 2024-01-26
+Bug-Debian: https://bugs.debian.org/1061098
+Bug: https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
+
+From 1d55f90caf433c7442e5be21a1849af2b5522ffe Mon Sep 17 00:00:00 2001
+From: Michael Daum <daum@michaeldaumconsulting.com>
+Date: Wed, 17 Jan 2024 12:31:20 +0100
+Subject: [PATCH] Fixed xml external entity (XEE) injection bug
+
+reported by @phvietan, fixes issue #10
+
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );
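Review bot: `no_xxe => 1,` is inserted before `%opts,`, and in a Perl hash-style argument list a later key overrides an earlier one, so whatever `%opts` carries can still turn the protection back off with `no_xxe => 0`. If the intent is a hard guarantee that external entities are never expanded, place the option after `%opts`; if a caller-controlled override is deliberate, say so in the Description field of the patch so a later reader does not mistake it for an oversight. The Description and the upstream Subject also say "XEE"; the acronym for XML external entity injection is XXE.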
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-12 21:25:50.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-26 20:37:26.000000000 +0100
@@ -1,2 +1,3 @@
 001_fix-NAME-section-in-pod.patch
 CVE-2024-22368.patch
+CVE-2024-23525.patch

--- End Message ---
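The one-line fix above switches on XML::Twig's no_xxe option. The script below is an added example, not part of gregor's upload and not code from Spreadsheet::ParseXLSX, that shows what that option changes: it parses a constructed worksheet XML part (the kind of file an attacker can put inside an .xlsx, which is just a zip of XML parts) that declares an external entity, once the way the unpatched constructor did and once with no_xxe => 1. It assumes XML::Twig and XML::Parser are installed and that XML::Parser's default external-entity handler is in place, which is what fetches the entity in the unpatched run; the hostile part, the temp file and the cell_text helper are all constructed here and are not from the module.

```perl
#!/usr/bin/perl
# Added example, not code from Spreadsheet::ParseXLSX or from the Debian
# upload. Demonstrates the effect of XML::Twig's no_xxe option, which the
# one-line patch enables, on an XML part of the kind found inside an .xlsx.
use strict;
use warnings;
use XML::Twig;
use File::Temp qw(tempfile);

# Constructed stand-in for a local file an attacker wants to read through the
# parser (think /etc/passwd); a temp file so the script is self-contained.
my ( $fh, $secret_path ) = tempfile( UNLINK => 1 );
print {$fh} "top-secret\n";
close $fh;

# Constructed hostile sheet part. An .xlsx is a zip of XML files, so an
# attacker controls this text completely. The DOCTYPE declares an external
# entity and the inline-string cell A1 references it.
my $hostile_part = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE worksheet [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>&xxe;</t></is></c></row>
  </sheetData>
</worksheet>
XML

# Parse the part with the given extra XML::Twig options and return the text
# of the first <t> element, or the parser error if parsing died.
sub cell_text {
    my (%twig_opts) = @_;
    my $twig = XML::Twig->new(%twig_opts);
    my $text;
    my $ok = eval {
        $twig->parse($hostile_part);
        $text = $twig->first_elt('t')->text;
        1;
    };
    return $ok ? { text => $text } : { error => $@ };
}

# Before the patch: no no_xxe, so XML::Parser's default external-entity
# handler fetches file://... and the file content lands in cell A1.
my $before = cell_text();

# After the patch: no_xxe => 1 makes XML::Twig refuse the external entity
# (its documentation says the parse dies, which the eval above catches),
# so the file is never read and the caller sees a parse error instead.
my $after = cell_text( no_xxe => 1 );

print "unpatched: ",
    ( exists $before->{text}
        ? "cell A1 now contains the file: $before->{text}"
        : "parse failed: $before->{error}" );
print "patched:   ",
    ( exists $after->{error}
        ? "external entity rejected: $after->{error}"
        : "cell A1 contains: $after->{text}\n" );
```

Two things worth keeping in mind when reading the output: the unpatched run only leaks the file if the entity's content is well-formed XML text (binary or files containing a bare `&` or `<` make expat fail instead, which is why real attacks prefer out-of-band channels), and the patched run turns a silent data leak into a hard parse error, so any code wrapping Spreadsheet::ParseXLSX must expect parsing of hostile input to die rather than return a workbook.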
--- Begin Message ---
Version: 12.5

The upload requested in this bug has been released as part of 12.5.

--- End Message ---
