From $URL: Spreadsheet::ParseExcel is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type "eval".
Thanks for the report. I've removed the version from the summary as we only put that in when a fixed version has been added to Gentoo.
(In reply to Hans de Graaff from comment #1) > Thanks for the report. I've removed the version from the summary as we only > put that in when a fixed version has been added to Gentoo. Thanks, that's what I thought, so that's how I created it originally ;)
This security bug + PR to fix have been lingering for over a month, can someone from perl@ please look at it? Thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=204be744120d487abb55ac91f4d920a54903698a commit 204be744120d487abb55ac91f4d920a54903698a Author: Hank Leininger <hlein@korelogic.com> AuthorDate: 2023-12-29 19:51:48 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-02-18 09:29:06 +0000 dev-perl/Spreadsheet-ParseExcel: add 0.660.0 Signed-off-by: Hank Leininger <hlein@korelogic.com> Bug: https://bugs.gentoo.org/920954 Closes: https://github.com/gentoo/gentoo/pull/34545 Signed-off-by: Sam James <sam@gentoo.org> dev-perl/Spreadsheet-ParseExcel/Manifest | 1 + .../Spreadsheet-ParseExcel-0.660.0.ebuild | 39 ++++++++++++++++++++++ 2 files changed, 40 insertions(+)
