Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: libspreadsheet-parsexlsx-p...@packages.debian.org Control: affects -1 + src:libspreadsheet-parsexlsx-perl
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I've uploaded libspreadsheet-parsexlsx-perl/0.27-3+deb12u1 to bookworm. This upload fixes CVE-2024-22368 (potential memory bomb) by adding a quilt patch, which is taken from 2 upstream commits that are released in 0.28 (and are in testing/unstable in 0.29-1 since a week). https://security-tracker.debian.org/tracker/CVE-2024-22368 Complete debdiff attached. Thanks in advance, gregor -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmWhs+VfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ qgZ02RAAiWujisM7g1V91tVdZ1N9SKD/n3tdkjpRYRE32OeWMF0su5u8/u0RaWeo O9bpK8goHQF6gt70K/wqPLNKenj45dH86n01q/rLznd5WvPNtytbK/5btj3nze6q hRYt5P5a1WG7D8ZKyldYSNX9qMbjvFwTegptdAu0Kq6aAYbECcwVeD0SqzxHPzgL Q9njmCJSuUVsSVcS5e4xkTNLf1N7Ul1cp46UXbaqe40LgThN9EBLMAg+gZJtS6IM SzQsfwzaQQmtDyhqcUy/RRBBt7l+F77DvT7UiG1BjjYEM8A4AR9UtOfqGNZWe13C bXy6ccHzoBx4EvI6RoNFGX2u9RzeiDFlOsCf+3Apqpq/uXQJ4t5cjgI2x0USD/gm gUwjzrPNzpOyTTK/L2DLs6Y7Yo4vJ7mPo6i5yG+6M+hXpkRyqg0a4EK0VQkbhsci sEQrJUOOeaAwllLfMoY61P05QB1fpuUOKpNOSS7XqPxgWmyz/lWSyLfYIUiPyHAU Fx5YBqcYZI292UjH2c3+h0lh2Bj58hV3TzzuzRM5yP2W+7AH0pukjUgwLEhWR25s Z1rigRFK+Ou46n/HJejDiWn4/OW4veK/mIKYow/WgBnKyL48DyALIu5iEzxTYo7U 1QIPn+ivK5IoR3J34e719SBrSeixcruU6hvNlQJjNgq6msLh5oU= =YJjE -----END PGP SIGNATURE-----
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2022-11-19 21:22:53.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2024-01-12 21:25:50.000000000 +0100
@@ -1,3 +1,11 @@
+libspreadsheet-parsexlsx-perl (0.27-3+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Add a patch to fix a possible memory bomb. [CVE-2024-22368]
+ Patch taken from two upstream Git commits contained in the 0.28 release.
+
+ -- gregor herrmann <gre...@debian.org> Fri, 12 Jan 2024 21:25:50 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-3) unstable; urgency=medium

 [ gregor herrmann ]
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch 1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch 2024-01-12 21:25:50.000000000 +0100
@@ -0,0 +1,111 @@
+Description: Fix memory bomb CVE-2024-22368
+Origin: upstream, commits 39b25b9 and 47ff82d, as released in 0.28
+Reviewed-by: gregor herrmann <gre...@debian.org>
+Last-Update: 2024-01-12
+
+
+From 39b25b91fcb939a9c8ea807fdc80386c1ae5be0c Mon Sep 17 00:00:00 2001
+From: MichaelDaum <d...@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 11:56:25 +0100
+Subject: [PATCH] fix possible memory bomb
+
+as reported in https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
+---
+ lib/Spreadsheet/ParseXLSX.pm | 43 ++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 14 deletions(-)
+
+
+From 47ff82d74fbd014b8ec3cab80fa4fd25db9e8242 Mon Sep 17 00:00:00 2001
+From: MichaelDaum <d...@michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 12:23:19 +0100
+Subject: [PATCH] minor rewrite and perltidy
+
+---
+ lib/Spreadsheet/ParseXLSX.pm | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -176,8 +176,6 @@ sub _parse_sheet {
+ $sheet->{MaxCol} = -1;
+ $sheet->{Selection} = [ 0, 0 ];
+
+- my %merged_cells;
+-
+ my @column_formats;
+ my @column_widths;
+ my @columns_hidden;
+@@ -187,7 +185,6 @@ sub _parse_sheet {
+ my $default_row_height = 15;
+ my $default_column_width = 10;
+
+- my %cells;
+ my $row_idx = 0;
+
+ my $sheet_xml = $self->_new_twig(
+@@ -263,11 +260,6 @@ sub _parse_sheet {
+ $toprow, $leftcol,
+ $bottomrow, $rightcol,
+ ];
+- for my $row ($toprow .. $bottomrow) {
+- for my $col ($leftcol .. $rightcol) {
+- $merged_cells{"$row;$col"} = 1;
+- }
+- }
+ }
+
+ $twig->purge;
+@@ -415,7 +407,6 @@ sub _parse_sheet {
+ $cell->{_Value} = $sheet->{_Book}{FmtClass}->ValFmt(
+ $cell, $sheet->{_Book}
+ );
+- $cells{"$row;$col"} = $cell;
+ $sheet->{Cells}[$row][$col] = $cell;
+ $col_idx++;
+ }
+@@ -428,11 +419,15 @@ sub _parse_sheet {
+
+ $sheet_xml->parse( $sheet_file );
+
+- for my $key (keys %merged_cells) {
+- $cells{$key}{Merged} = 1 if $cells{$key};
+- }
+-
+- if ( ! $sheet->{Cells} ){
++ if ( $sheet->{Cells} ) {
++ for my $r ( 0 .. $#{ $sheet->{Cells} } ) {
++ my $row = $sheet->{Cells}[$r] or next;
++ for my $c ( 0 .. $#$row ) {
++ my $cell = $row->[$c] or next;
++ $cell->{Merged} = $self->_is_merged( $sheet, $r, $c );
++ }
++ }
++ } else {
+ $sheet->{MaxRow} = $sheet->{MaxCol} = -1;
+ }
+
+@@ -1005,6 +1000,24 @@ sub _dimensions {
+ return ($rmin, $cmin, $rmax, $cmax);
+ }
+
++sub _is_merged {
++ my ( $self, $sheet, $row, $col ) = @_;
++
++ return unless $sheet->{MergedArea};
++
++ foreach my $area ( @{ $sheet->{MergedArea} } ) {
++ my ( $topRow, $leftCol, $bottomRow, $rightCol ) = @$area;
++
++ return 1
++ if $topRow <= $row
++ && $leftCol <= $col
++ && $row <= $bottomRow
++ && $col <= $rightCol;
++ }
++
++ return 0;
++}
++
+ sub _cell_to_row_col {
+ my $self = shift;
+ my ($cell) = @_;
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2022-11-19 21:22:53.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2024-01-12 21:25:50.000000000 +0100
@@ -1 +1,2 @@
 001_fix-NAME-section-in-pod.patch
+CVE-2024-22368.patch
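Review bot: `_is_merged` in the inner `@@ -1005,6 +1000,24 @@` hunk does not return one kind of value: `return unless $sheet->{MergedArea};` yields undef for a sheet with no merged areas, while a sheet that has areas but no hit reaches `return 0;`, so `$cell->{Merged}` is undef on some sheets and 0 on others for the same fact and a caller testing it with `defined` sees two answers; `return 0 unless $sheet->{MergedArea};` makes the helper uniform. The helper also carries no comment saying why it scans the area list per cell instead of expanding ranges into a lookup hash, which is the whole point of this fix, so a one-line comment such as `# Scan the merged areas rather than expanding each range into a per-cell hash: a huge mergeCell range must not cost memory proportional to its area (CVE-2024-22368).` would keep the next maintainer from reinstating the old approach. The remaining cost is time rather than memory, since the loop in the `@@ -428,11 +419,15 @@` hunk calls `_is_merged` once per populated cell and each call walks every merged area; this looks bounded by what the file actually contains, but it is worth stating in that comment as the accepted trade-off. `_parse_sheet` starts and ends outside these hunks, and the code that fills `$sheet->{MergedArea}` is not visible here (the `@@ -263,11 +260,6 @@` context shows only the tail of the pushed array), so the assumption that each entry is a four-element numeric `[top, left, bottom, right]` is inferred from the destructuring in `_is_merged`.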