LTS team,

On 02/23/2018 11:30 AM, Sebastiaan Couwenberg wrote:
> Dear Security & LTS Teams,
>
> FreeXL 1.0.5 was released yesterday; it fixes various heap-buffer-overflows:
>
> - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547879
> - heap-buffer-overflow in freexl.c:1805 parse_SST
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547883
> - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547885
> - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547889
> - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
>   FreeXL 1.0.4
>   https://bugzilla.redhat.com/show_bug.cgi?id=1547892
>
> From the release announcement:
>
> "
> Few more vulnerabilities affecting FreeXL have been recently
> discovered; for more details please check Red Hat Bugzilla
> Bug 1547879
>
> all reported vulnerabilities are never expected to be encountered
> when reading valid XLS files, and can only affect purposely crafted
> files intended to maliciously trigger some nasty security breach.
>
> the new patched version (FreeXL-1.0.5) sanes any known security
> issue.
>
> [1] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.tar.gz
> [2] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.zip
>
> developers and system packagers are warmly invited to quickly
> adopt FreeXL-1.0.5
>
> note
> ========
> a new error code (FREEXL_CRAFTED_FILE) has been added to FreeXL,
> and it will be returned when a supposed XLS document contains
> "impossible values" (not compatible with the XLS specifications),
> thus leading to a legitimate suspect of a purposely crafted file.
> "
>
> https://groups.google.com/d/topic/spatialite-users/ddE78iVT5b4/discussion
>
>
> I've uploaded freexl (1.0.5-1) to unstable yesterday, and I've
> backported the fix to freexl (1.0.2-2+deb9u2), freexl (1.0.0g-1+deb8u5)
> & freexl (1.0.0b-1+deb7u5) for stretch, jessie & wheezy respectively.
> The changes are available in git:
>
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
>
> Are these OK to upload?

The jessie & stretch updates have been uploaded to security-master after
the OK from the Security Team.

Shall I go ahead with the wheezy update as well?

Kind Regards,

Bas
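Editorial note on the FREEXL_CRAFTED_FILE behaviour described in the quoted announcement. The following is an added example written for this page; it is not FreeXL's code and does not reproduce any of the fixed functions. It shows the class of check such an error code stands for: every length field of a record is validated against the bytes actually present in the file (and against a spec-imposed maximum) before anything is copied, and a field the file cannot satisfy is reported as a crafted file rather than trusted. The toy record layout, the opcode `OP_STRING`, the limit `MAX_CCH` and the return codes `XL_OK`, `XL_CRAFTED_FILE` and `XL_NOMEM` are all assumptions of this example, as are the sample byte strings.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy BIFF-like record: opcode (u16 LE), length (u16 LE), payload.
 * String payload: cch (u16 LE), flags (u8; bit 0 = 16-bit chars), chars.
 * Layout, opcode, limit and return codes are assumptions for this example;
 * they are not FreeXL's real format handling. */
enum {
    XL_OK           = 0,
    XL_CRAFTED_FILE = -1,   /* hypothetical analogue of FREEXL_CRAFTED_FILE */
    XL_NOMEM        = -2    /* caller's output buffer too small */
};

#define OP_STRING 0x00FC    /* hypothetical opcode */
#define MAX_CCH   255       /* hypothetical spec limit on character count */

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse one string record from buf[0..avail). Every length field is checked
 * against the bytes actually present before any copy happens; a field the
 * file cannot satisfy is treated as evidence of a crafted file.
 * Returns bytes consumed (> 0) on success, or a negative XL_* code. */
static int read_string_record(const uint8_t *buf, size_t avail,
                              uint8_t *out, size_t outcap, size_t *outlen)
{
    if (avail < 4)                      /* record header runs off the end */
        return XL_CRAFTED_FILE;
    uint16_t op  = rd_u16(buf);
    uint16_t len = rd_u16(buf + 2);
    if (op != OP_STRING)
        return XL_CRAFTED_FILE;
    if ((size_t)len > avail - 4)        /* declared payload exceeds the data */
        return XL_CRAFTED_FILE;
    if (len < 3)                        /* no room for cch + flags */
        return XL_CRAFTED_FILE;

    const uint8_t *p = buf + 4;
    uint16_t cch   = rd_u16(p);
    size_t   width = (p[2] & 1) ? 2 : 1;
    if (cch > MAX_CCH)                  /* impossible per the (toy) spec */
        return XL_CRAFTED_FILE;
    size_t need = (size_t)cch * width;
    if (need > (size_t)len - 3)         /* characters overrun the payload */
        return XL_CRAFTED_FILE;
    if (need > outcap)
        return XL_NOMEM;

    memcpy(out, p + 3, need);           /* safe: need <= len - 3 <= avail - 7 */
    *outlen = need;
    return (int)(4 + len);
}

/* Constructed sample records for this example (not real XLS data). */
static const uint8_t sample_good[] = {        /* "hello", 8-bit chars */
    0xFC, 0x00, 0x08, 0x00, 0x05, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t sample_utf16[] = {       /* "hi" as UTF-16LE */
    0xFC, 0x00, 0x07, 0x00, 0x02, 0x00, 0x01, 'h', 0, 'i', 0 };
static const uint8_t sample_bad_len[] = {     /* length 0x0100 > bytes present */
    0xFC, 0x00, 0x00, 0x01, 0x05, 0x00, 0x00, 'h' };
static const uint8_t sample_bad_cch[] = {     /* cch 0xFFFF > MAX_CCH */
    0xFC, 0x00, 0x08, 0x00, 0xFF, 0xFF, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t sample_bad_chars[] = {   /* cch 10, only 5 chars present */
    0xFC, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };

/* Parse into a scratch buffer and return only the result code. */
static int classify(const uint8_t *buf, size_t avail)
{
    uint8_t scratch[2 * MAX_CCH];
    size_t n = 0;
    return read_string_record(buf, avail, scratch, sizeof scratch, &n);
}

int main(void)
{
    printf("good: %d\nutf16: %d\nbad_len: %d\nbad_cch: %d\nbad_chars: %d\n",
           classify(sample_good, sizeof sample_good),
           classify(sample_utf16, sizeof sample_utf16),
           classify(sample_bad_len, sizeof sample_bad_len),
           classify(sample_bad_cch, sizeof sample_bad_cch),
           classify(sample_bad_chars, sizeof sample_bad_chars));
    return 0;
}
```

The three crafted samples each exercise a different check: a record length larger than the remaining file, a character count above the spec maximum, and a character count that fits the maximum but not the record's own payload. A reader that trusted any one of those fields and copied `cch * width` bytes would read past the record, which is the shape of bug the release notes describe.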