
Bug#1061579: bookworm-pu: package libspreadsheet-parsexlsx-perl/0.27-3+deb12u2



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-perl@packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I've uploaded libspreadsheet-parsexlsx-perl/0.27-3+deb12u2 to
bookworm to fix a non-DSA security bug: CVE-2024-22368 / #1061098 (XEE
injection vulnerability).

The patch is just one line [0] and is taken from upstream Git / upstream
release 0.30. The fix has been included in trixie and sid in 0.31-1 for a
couple of days.

Full debdiff against -deb12u1 in proposed-updates attached.


Thanks in advance,
gregor


[0]
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );
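
Review bot: `no_xxe => 1` is placed before `%opts` in this options hash, so it is a default that a caller-supplied `%opts` containing `no_xxe => 0` can still switch back off; that mirrors how `keep_original_prefix => 1` is already handled, so it is consistent with the surrounding code, but if the intent is to make external-entity resolution impossible regardless of caller options the key would have to come after `%opts`. Both `keep_original_prefix` and `no_xxe` are XML::Twig constructor options, with `no_xxe` making the parser refuse documents that declare external entities, which is the mechanism by which this one-line change closes the reported XXE.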

diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-12 21:25:50.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-26 20:37:26.000000000 +0100
@@ -1,3 +1,13 @@
+libspreadsheet-parsexlsx-perl (0.27-3+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix an xml external entity (XEE) injection bug.
+    [CVE-2024-23525]
+    Patch taken from an upstream Git commit contained in the 0.30 release.
+    (Closes: #1061098)
+
+ -- gregor herrmann <gregoa@debian.org>  Fri, 26 Jan 2024 20:37:26 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-3+deb12u1) bookworm; urgency=medium
 
   * Team upload.
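
Review bot: the CVE identifier in this changelog entry (CVE-2024-23525) does not match the one given in the cover mail (CVE-2024-22368 / #1061098), and the debian/patches/series hunk in this same debdiff shows a separate CVE-2024-22368.patch already present from the earlier upload; confirm which CVE #1061098 actually tracks before this goes into the archive, since a wrong identifier in a published changelog is awkward to correct afterwards. Also, "xml external entity (XEE)" should read "XML external entity (XXE)"; XEE is a typo carried over from the upstream commit message.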
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	2024-01-26 20:37:26.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix xml external entity (XEE) injection bug CVE-2024-23525
+Origin: upstream, commit 1d55f90, as released in 0.30
+Reviewed-by: gregor herrmann <gregoa@debian.org>
+Last-Update: 2024-01-26
+Bug-Debian: https://bugs.debian.org/1061098
+Bug: https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
+
+From 1d55f90caf433c7442e5be21a1849af2b5522ffe Mon Sep 17 00:00:00 2001
+From: Michael Daum <daum@michaeldaumconsulting.com>
+Date: Wed, 17 Jan 2024 12:31:20 +0100
+Subject: [PATCH] Fixed xml external entity (XEE) injection bug
+
+reported by @phvietan, fixes issue #10
+
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );
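
Review bot: the DEP-3 Description line is Debian-authored and repeats the upstream "XEE" typo for XXE; worth correcting it here even though the quoted upstream Subject line naturally stays as is. More importantly, this patch only helps if the libxml-twig-perl shipped in bookworm actually implements the `no_xxe` option: an XML::Twig that does not know the option would either reject it (breaking parsing outright) or silently ignore it (leaving the CVE open while the changelog claims it is fixed). Verify the bookworm XML::Twig version supports `no_xxe`, and if there is any doubt add a versioned dependency on libxml-twig-perl so the fix cannot be installed against a too-old parser.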
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-12 21:25:50.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-26 20:37:26.000000000 +0100
@@ -1,2 +1,3 @@
 001_fix-NAME-section-in-pod.patch
 CVE-2024-22368.patch
+CVE-2024-23525.patch
