Bug#1061578: bullseye-pu: package libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u2

gregor herrmann gregoa at debian.org
Fri Jan 26 19:52:59 GMT 2024


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-perl at packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl


I've uploaded libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u2 to
bullseye to fix a non-DSA security bug: CVE-2024-22368 / #1061098 (XEE
injection vulnerability).

The patch is just one line [0] and is taken from upstream Git / upstream
release 0.30. The fix has been included in trixie and sid in 0.31-1 for a
couple of days.

Full debdiff against -deb11u1 in oldstable-proposed-updates attached.


Thanks in advance,
gregor


[0]
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );

-------------- next part --------------
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-12 21:21:42.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog	2024-01-26 20:34:16.000000000 +0100
@@ -1,3 +1,13 @@
+libspreadsheet-parsexlsx-perl (0.27-2.1+deb11u2) bullseye; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix an xml external entity (XEE) injection bug.
+    [CVE-2024-23525]
+    Patch taken from an upstream Git commit contained in the 0.30 release.
+    (Closes: #1061098)
+
+ -- gregor herrmann <gregoa at debian.org>  Fri, 26 Jan 2024 20:34:16 +0100
+
 libspreadsheet-parsexlsx-perl (0.27-2.1+deb11u1) bullseye; urgency=medium
 
   * Team upload.
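Review bot: the CVE identifier in this changelog entry (CVE-2024-23525, lines `[CVE-2024-23525]` and the new patch name) differs from the one given in the mail body (CVE-2024-22368), which is also the name of the patch already listed in debian/patches/series from the previous upload; please reconcile the two before acceptance so the tracker entry and the changelog point at the same issue.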
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch	2024-01-26 20:34:16.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix xml external entity (XEE) injection bug CVE-2024-23525
+Origin: upstream, commit 1d55f90, as released in 0.30
+Reviewed-by: gregor herrmann <gregoa at debian.org>
+Last-Update: 2024-01-26
+Bug-Debian: https://bugs.debian.org/1061098
+Bug: https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
+
+From 1d55f90caf433c7442e5be21a1849af2b5522ffe Mon Sep 17 00:00:00 2001
+From: Michael Daum <daum at michaeldaumconsulting.com>
+Date: Wed, 17 Jan 2024 12:31:20 +0100
+Subject: [PATCH] Fixed xml external entity (XEE) injection bug
+
+reported by @phvietan, fixes issue #10
+
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+             'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+             'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+         },
++        no_xxe => 1,
+         keep_original_prefix => 1,
+         %opts,
+     );
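Review bot: the added `no_xxe => 1` sits immediately before `%opts,` in the same hash, so any caller that passes `no_xxe` in its own options will silently override the hardening; if that is intended as an opt-out it should be documented, otherwise place the key after `%opts` so it cannot be overridden. Separately, the DEP-3 header carries `Origin: upstream, commit 1d55f90` and the full upstream commit message, which is good for traceability.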
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-12 21:21:42.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series	2024-01-26 20:34:16.000000000 +0100
@@ -1,2 +1,3 @@
 001_fix-NAME-section-in-pod.patch
 CVE-2024-22368.patch
+CVE-2024-23525.patch

