Source: libspreadsheet-parseexcel-perl Version: 0.6500-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 0.6500-1.1 Control: found -1 0.6500-1 Control: affects -1 + libspreadsheet-parsexlsx-perl
Hi, The following vulnerability was published for libspreadsheet-parseexcel-perl. The writeup[2] contains a descrption of the issue and pocs. Note that the issue in Spreadsheet::ParseExcel will affect as well Spreadsheet::ParseXLSX relying on Spreadsheet::ParseExcel but AFAIU, the issue needs to be fixed in Spreadsheet::ParseExcel. CVE-2023-7101[0]: | Spreadsheet::ParseExcel version 0.65 is a Perl module used for | parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an | arbitrary code execution (ACE) vulnerability due to passing | unvalidated input from a file into a string-type “eval”. | Specifically, the issue stems from the evaluation of Number format | strings (not to be confused with printf-style format strings) within | the Excel parsing logic. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-7101 https://www.cve.org/CVERecord?id=CVE-2023-7101 [1] https://github.com/haile01/perl_spreadsheet_excel_rce_poc Regards, Salvatore