
Bug 638336 (CVE-2017-12110, CVE-2017-12111, CVE-2017-2896, CVE-2017-2897, CVE-2017-2919)

Summary: <dev-libs/libxls-1.5.2: Multiple vulnerabilities (CVE-2017-{12110,12111,2896,2897,2919})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: slyfox
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 674006
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-21 16:31:33 UTC
CVE-2017-2919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2919):
  An exploitable stack based buffer overflow vulnerability exists in the
  xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can
  cause a memory corruption resulting in remote code execution. An attacker
  can send a malicious XLS file to trigger this vulnerability.

CVE-2017-2897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2897):
  An exploitable out-of-bounds write vulnerability exists in the read_MSAT
  function of libxls 1.4. A specially crafted XLS file can cause a memory
  corruption resulting in remote code execution. An attacker can send
  a malicious XLS file to trigger this vulnerability.

CVE-2017-2896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2896):
  An exploitable out-of-bounds write vulnerability exists in the
  xls_mergedCells function of libxls 1.4. A specially crafted XLS file can
  cause a memory corruption resulting in remote code execution. An attacker
  can send a malicious XLS file to trigger this vulnerability.

CVE-2017-12111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12111):
  An exploitable out-of-bounds vulnerability exists in the xls_addCell
  function of libxls 1.4. A specially crafted XLS file with a formula record
  can cause memory corruption resulting in remote code execution. An attacker
  can send a malicious XLS file to trigger this vulnerability.

CVE-2017-12110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12110):
  An exploitable integer overflow vulnerability exists in the xls_appendSST
  function of libxls 1.4. A specially crafted XLS file can cause memory
  corruption resulting in remote code execution.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-21 16:46:02 UTC
@Maintainer please call for stabilization when ready.

Thank you
Comment 2 Sam James archtester gentoo-dev Security 2020-03-28 21:19:05 UTC
Tree is clean, fixed in 1.5.0. First fixed version in tree is 1.5.2.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-03-30 14:54:23 UTC
This issue was resolved and addressed in
 GLSA 202003-64 at https://security.gentoo.org/glsa/202003-64
by GLSA coordinator Thomas Deutschmann (whissi).