Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: libspreadsheet-parsexlsx-p...@packages.debian.org Control: affects -1 + src:libspreadsheet-parsexlsx-perl
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I've uploaded libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u1 to bullseye. This upload fixes CVE-2024-22368 (potential memory bomb) by adding a quilt patch, which is taken from 2 upstream commits that are released in 0.28 (and are in testing/unstable in 0.29-1 since a week). https://security-tracker.debian.org/tracker/CVE-2024-22368 Complete debdiff attached. Thanks in advance, gregor -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmWhs+NfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ qgZHfQ/9EUCz97a2oS2P48MIFgCsthWvAPDf5e4ZY3hA1usDrk/+m62qjZd+SoqY nZANzU/WLqfQ/4m67zZSqPhJUzPsa9sQzVYYXTfaKBr6RYlvaxJvaIaQMDVZRu1T l0HaYtYm4NSXPk39rIl1gC7U3dqO8+joYDxuEQxlPPe8Fah746F90hh9GUqu0joP m4j6nL5SBRZ7JeGd68mtLzmI4n8WUeQak7wGAfF9fGugyYCRkqcGlyNVtg+A4xEi nMqLA9JXZZY84AohCnQgK9C9mww9eqjN4whYGw/SQX4b5SbIs11y5z058Esctptc vCMQflDPm0ekY+58y7Gg1JTuH5vsNPw0LuYEZjL2+KWkDsrfzEwXSPMOGlmbAaE6 3VWoK94qe8APCXvWyyi0AnrSa0eTb9r8kZ2BBRWx9ST/GMnkmax/AMU7WL9Theyk 0WmBRafm5J+RxMy3aSK4T9U/5gFw0Z+Z7j9NXNI/PtyeQ2sr7oEmDX2iewXFXSy5 0s5zy7vFIlG6BS4FgXjBi+lic3IH2oAkblUczAdmlzNdutV6Wy22Q4wJGtJDKrS8 Ty7fMpNEQ52AJyFH2hb0rAV8v0smvLDPTbZO3fRHHJJAnsXfqlH4OwgfT9fr6dAv DOksztrqTOFhIU6ZIAVcET30RTuh9/EfoUJryPA5T/IinCLSC9c= =4oCb -----END PGP SIGNATURE-----
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2021-01-04 15:20:56.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2024-01-12 21:21:42.000000000 +0100
@@ -1,3 +1,11 @@
+libspreadsheet-parsexlsx-perl (0.27-2.1+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * Add a patch to fix a possible memory bomb. [CVE-2024-22368]
+ Patch taken from two upstream Git commits contained in the 0.28 release.
+
+ -- gregor herrmann <gre...@debian.org> Fri, 12 Jan 2024 21:21:42 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-2.1) unstable; urgency=medium
 
 * Non maintainer upload by the Reproducible Builds team.
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch 1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch 2024-01-12 21:21:42.000000000 +0100
@@ -0,0 +1,111 @@
+Description: Fix memory bomb CVE-2024-22368
+Origin: upstream, commits 39b25b9 and 47ff82d, as released in 0.28
+Reviewed-by: gregor herrmann <gre...@debian.org>
+Last-Update: 2024-01-12
+
+
+From 39b25b91fcb939a9c8ea807fdc80386c1ae5be0c Mon Sep 17 00:00:00 2001
+From: MichaelDaum <d...@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 11:56:25 +0100
+Subject: [PATCH] fix possible memory bomb
+
+as reported in https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
+---
+ lib/Spreadsheet/ParseXLSX.pm | 43 ++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 14 deletions(-)
+
+
+From 47ff82d74fbd014b8ec3cab80fa4fd25db9e8242 Mon Sep 17 00:00:00 2001
+From: MichaelDaum <d...@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 12:23:19 +0100
+Subject: [PATCH] minor rewrite and perltidy
+
+---
+ lib/Spreadsheet/ParseXLSX.pm | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -176,8 +176,6 @@ sub _parse_sheet {
+ $sheet->{MaxCol} = -1;
+ $sheet->{Selection} = [ 0, 0 ];
+ 
+- my %merged_cells;
+-
+ my @column_formats;
+ my @column_widths;
+ my @columns_hidden;
+@@ -187,7 +185,6 @@ sub _parse_sheet {
+ my $default_row_height = 15;
+ my $default_column_width = 10;
+ 
+- my %cells;
+ my $row_idx = 0;
+ 
+ my $sheet_xml = $self->_new_twig(
+@@ -263,11 +260,6 @@ sub _parse_sheet {
+ $toprow, $leftcol,
+ $bottomrow, $rightcol,
+ ];
+- for my $row ($toprow .. $bottomrow) {
+- for my $col ($leftcol .. $rightcol) {
+- $merged_cells{"$row;$col"} = 1;
+- }
+- }
+ }
+ 
+ $twig->purge;
+@@ -415,7 +407,6 @@ sub _parse_sheet {
+ $cell->{_Value} = $sheet->{_Book}{FmtClass}->ValFmt(
+ $cell, $sheet->{_Book}
+ );
+- $cells{"$row;$col"} = $cell;
+ $sheet->{Cells}[$row][$col] = $cell;
+ $col_idx++;
+ }
+@@ -428,11 +419,15 @@ sub _parse_sheet {
+ 
+ $sheet_xml->parse( $sheet_file );
+ 
+- for my $key (keys %merged_cells) {
+- $cells{$key}{Merged} = 1 if $cells{$key};
+- }
+-
+- if ( ! $sheet->{Cells} ){
++ if ( $sheet->{Cells} ) {
++ for my $r ( 0 .. $#{ $sheet->{Cells} } ) {
++ my $row = $sheet->{Cells}[$r] or next;
++ for my $c ( 0 .. $#$row ) {
++ my $cell = $row->[$c] or next;
++ $cell->{Merged} = $self->_is_merged( $sheet, $r, $c );
++ }
++ }
++ } else {
+ $sheet->{MaxRow} = $sheet->{MaxCol} = -1;
+ }
+ 
+@@ -1005,6 +1000,24 @@ sub _dimensions {
+ return ($rmin, $cmin, $rmax, $cmax);
+ }
+ 
++sub _is_merged {
++ my ( $self, $sheet, $row, $col ) = @_;
++
++ return unless $sheet->{MergedArea};
++
++ foreach my $area ( @{ $sheet->{MergedArea} } ) {
++ my ( $topRow, $leftCol, $bottomRow, $rightCol ) = @$area;
++
++ return 1
++ if $topRow <= $row
++ && $leftCol <= $col
++ && $row <= $bottomRow
++ && $col <= $rightCol;
++ }
++
++ return 0;
++}
++
+ sub _cell_to_row_col {
+ my $self = shift;
+ my ($cell) = @_;
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2018-04-26 18:14:11.000000000 +0200
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2024-01-12 21:21:42.000000000 +0100
@@ -1 +1,2 @@
 001_fix-NAME-section-in-pod.patch
+CVE-2024-22368.patch
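Review bot: In the added `_is_merged`, `return unless $sheet->{MergedArea};` yields undef in the scalar context of `$cell->{Merged} = $self->_is_merged(...)`, while the fall-through path yields `0`, so `Merged` is undef on sheets with no merge ranges but `0` on sheets that have ranges not covering the cell; `return 0 unless $sheet->{MergedArea};` makes the two cases agree. The per-cell scan means marking merged cells now costs populated cells times merge ranges instead of the declared area of each range, which is the point of the fix, but a file carrying very many merge ranges still costs CPU in proportion, so a why-comment on the sub would help, e.g. `# Linear scan over merge ranges; deliberately never materialises every cell of a range (CVE-2024-22368)`. The camelCase locals `$topRow`/`$leftCol`/`$bottomRow`/`$rightCol` diverge from the snake_case the surrounding code uses (`$toprow`, `$leftcol`). The `_parse_sheet` hunks are excerpts of a function that begins and ends outside the hunk.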