Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 920954 (CVE-2023-7101) - <dev-perl/Spreadsheet-ParseExcel-0.660.0: arbitrary code execution
Summary: <dev-perl/Spreadsheet-ParseExcel-0.660.0: arbitrary code execution
Status: IN_PROGRESS
Alias: CVE-2023-7101
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/mandiant/Vulnerabi...
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on: 924890
Blocks:
  Show dependency tree
 
Reported: 2023-12-29 19:38 UTC by Hank Leininger
Modified: 2024-08-14 06:22 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2023-12-29 19:38:24 UTC
From $URL:

Spreadsheet::ParseExcel is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type "eval".
Comment 1 Hans de Graaff gentoo-dev Security 2023-12-30 08:01:30 UTC
Thanks for the report. I've removed the version from the summary as we only put that in when a fixed version has been added to Gentoo.
Comment 2 Hank Leininger 2023-12-30 17:40:48 UTC
(In reply to Hans de Graaff from comment #1)
> Thanks for the report. I've removed the version from the summary as we only
> put that in when a fixed version has been added to Gentoo.

Thanks, that's what I thought, so that's how I created it originally ;)
Comment 3 Hank Leininger 2024-02-14 18:46:30 UTC
This security bug + PR to fix have been lingering for over a month, can someone from perl@ please look at it? Thanks!
Comment 4 Larry the Git Cow gentoo-dev 2024-02-18 09:33:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=204be744120d487abb55ac91f4d920a54903698a

commit 204be744120d487abb55ac91f4d920a54903698a
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2023-12-29 19:51:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-18 09:29:06 +0000

    dev-perl/Spreadsheet-ParseExcel: add 0.660.0
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/920954
    Closes: https://github.com/gentoo/gentoo/pull/34545
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-perl/Spreadsheet-ParseExcel/Manifest           |  1 +
 .../Spreadsheet-ParseExcel-0.660.0.ebuild          | 39 ++++++++++++++++++++++
 2 files changed, 40 insertions(+)