Bug#1060688: bookworm-pu: package libspreadsheet-parsexlsx-perl/0.27-3+deb12u1
gregor herrmann
gregoa at debian.org
Fri Jan 12 21:49:25 GMT 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-perl at packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I've uploaded libspreadsheet-parsexlsx-perl/0.27-3+deb12u1 to
bookworm.
This upload fixes CVE-2024-22368 (potential memory bomb) by adding a
quilt patch, which is taken from 2 upstream commits that are released
in 0.28 (and have been in testing/unstable in 0.29-1 for a week).
https://security-tracker.debian.org/tracker/CVE-2024-22368
Complete debdiff attached.
Thanks in advance,
gregor
-----BEGIN PGP SIGNATURE-----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=YJjE
-----END PGP SIGNATURE-----
-------------- next part --------------
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog
--- libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2022-11-19 21:22:53.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2024-01-12 21:25:50.000000000 +0100
@@ -1,3 +1,11 @@
+libspreadsheet-parsexlsx-perl (0.27-3+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Add a patch to fix a possible memory bomb. [CVE-2024-22368]
+ Patch taken from two upstream Git commits contained in the 0.28 release.
+
+ -- gregor herrmann <gregoa at debian.org> Fri, 12 Jan 2024 21:25:50 +0100
+
libspreadsheet-parsexlsx-perl (0.27-3) unstable; urgency=medium
[ gregor herrmann ]
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch 1970-01-01 01:00:00.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-22368.patch 2024-01-12 21:25:50.000000000 +0100
@@ -0,0 +1,111 @@
+Description: Fix memory bomb CVE-2024-22368
+Origin: upstream, commits 39b25b9 and 47ff82d, as released in 0.28
+Reviewed-by: gregor herrmann <gregoa at debian.org>
+Last-Update: 2024-01-12
+
+
+From 39b25b91fcb939a9c8ea807fdc80386c1ae5be0c Mon Sep 17 00:00:00 2001
+From: MichaelDaum <daum at michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 11:56:25 +0100
+Subject: [PATCH] fix possible memory bomb
+
+as reported in https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
+---
+ lib/Spreadsheet/ParseXLSX.pm | 43 ++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 14 deletions(-)
+
+
+From 47ff82d74fbd014b8ec3cab80fa4fd25db9e8242 Mon Sep 17 00:00:00 2001
+From: MichaelDaum <daum at michaeldaumconsulting.com>
+Date: Sun, 31 Dec 2023 12:23:19 +0100
+Subject: [PATCH] minor rewrite and perltidy
+
+---
+ lib/Spreadsheet/ParseXLSX.pm | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -176,8 +176,6 @@ sub _parse_sheet {
+ $sheet->{MaxCol} = -1;
+ $sheet->{Selection} = [ 0, 0 ];
+
+- my %merged_cells;
+-
+ my @column_formats;
+ my @column_widths;
+ my @columns_hidden;
+@@ -187,7 +185,6 @@ sub _parse_sheet {
+ my $default_row_height = 15;
+ my $default_column_width = 10;
+
+- my %cells;
+ my $row_idx = 0;
+
+ my $sheet_xml = $self->_new_twig(
+@@ -263,11 +260,6 @@ sub _parse_sheet {
+ $toprow, $leftcol,
+ $bottomrow, $rightcol,
+ ];
+- for my $row ($toprow .. $bottomrow) {
+- for my $col ($leftcol .. $rightcol) {
+- $merged_cells{"$row;$col"} = 1;
+- }
+- }
+ }
+
+ $twig->purge;
+@@ -415,7 +407,6 @@ sub _parse_sheet {
+ $cell->{_Value} = $sheet->{_Book}{FmtClass}->ValFmt(
+ $cell, $sheet->{_Book}
+ );
+- $cells{"$row;$col"} = $cell;
+ $sheet->{Cells}[$row][$col] = $cell;
+ $col_idx++;
+ }
+@@ -428,11 +419,15 @@ sub _parse_sheet {
+
+ $sheet_xml->parse( $sheet_file );
+
+- for my $key (keys %merged_cells) {
+- $cells{$key}{Merged} = 1 if $cells{$key};
+- }
+-
+- if ( ! $sheet->{Cells} ){
++ if ( $sheet->{Cells} ) {
++ for my $r ( 0 .. $#{ $sheet->{Cells} } ) {
++ my $row = $sheet->{Cells}[$r] or next;
++ for my $c ( 0 .. $#$row ) {
++ my $cell = $row->[$c] or next;
++ $cell->{Merged} = $self->_is_merged( $sheet, $r, $c );
++ }
++ }
++ } else {
+ $sheet->{MaxRow} = $sheet->{MaxCol} = -1;
+ }
+
+@@ -1005,6 +1000,24 @@ sub _dimensions {
+ return ($rmin, $cmin, $rmax, $cmax);
+ }
+
++sub _is_merged {
++ my ( $self, $sheet, $row, $col ) = @_;
++
++ return unless $sheet->{MergedArea};
++
++ foreach my $area ( @{ $sheet->{MergedArea} } ) {
++ my ( $topRow, $leftCol, $bottomRow, $rightCol ) = @$area;
++
++ return 1
++ if $topRow <= $row
++ && $leftCol <= $col
++ && $row <= $bottomRow
++ && $col <= $rightCol;
++ }
++
++ return 0;
++}
++
+ sub _cell_to_row_col {
+ my $self = shift;
+ my ($cell) = @_;
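Review bot: `_is_merged` returns undef from `return unless $sheet->{MergedArea};` but 0 from its final `return 0;`, so `$cell->{Merged}` is now undef on sheets with no merged areas and 0 on sheets that have some but none covering that cell, where the removed `%merged_cells` code left the key absent in both cases; `return 0 unless $sheet->{MergedArea};` makes the two paths agree. The per-cell check also walks every entry of `$sheet->{MergedArea}` for every populated cell, so the cost now appears to scale with cells × merged areas instead of with the declared area size; that is bounded by what the file actually contains, but a short comment stating the trade-off would help, e.g. `# Test membership per cell instead of expanding each merged range into a hash: a crafted range could otherwise allocate an entry for every covered coordinate (CVE-2024-22368).` above `sub _is_merged`. The `_parse_sheet` hunks change a sub whose start and end lie outside the quoted patch.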
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series
--- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2022-11-19 21:22:53.000000000 +0100
+++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2024-01-12 21:25:50.000000000 +0100
@@ -1 +1,2 @@
001_fix-NAME-section-in-pod.patch
+CVE-2024-22368.patch