Bug#1059450: libspreadsheet-parseexcel-perl: CVE-2023-7101
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 25 21:26:39 GMT 2023
Source: libspreadsheet-parseexcel-perl
Version: 0.6500-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 0.6500-1.1
Control: found -1 0.6500-1
Control: affects -1 + libspreadsheet-parsexlsx-perl
Hi,
The following vulnerability was published for libspreadsheet-parseexcel-perl.
The writeup[2] contains a descrption of the issue and pocs. Note that
the issue in Spreadsheet::ParseExcel will affect as well
Spreadsheet::ParseXLSX relying on Spreadsheet::ParseExcel but AFAIU,
the issue needs to be fixed in Spreadsheet::ParseExcel.
CVE-2023-7101[0]:
| Spreadsheet::ParseExcel version 0.65 is a Perl module used for
| parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an
| arbitrary code execution (ACE) vulnerability due to passing
| unvalidated input from a file into a string-type “eval”.
| Specifically, the issue stems from the evaluation of Number format
| strings (not to be confused with printf-style format strings) within
| the Excel parsing logic.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-7101
https://www.cve.org/CVERecord?id=CVE-2023-7101
[1] https://github.com/haile01/perl_spreadsheet_excel_rce_poc
Regards,
Salvatore
More information about the pkg-perl-maintainers
mailing list