Bug 544426 (CVE-2015-2753, CVE-2015-2754, CVE-2015-2776) - <dev-libs/freexl-1.0.1: Multiple vulnerabilities (CVE-2015-{2753,2754,2776})
Summary: <dev-libs/freexl-1.0.1: Multiple vulnerabilities (CVE-2015-{2753,2754,2776})
Status: RESOLVED FIXED
Alias: CVE-2015-2753, CVE-2015-2754, CVE-2015-2776
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-25 07:59 UTC by Agostino Sarubbo
Modified: 2016-06-26 23:56 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-03-25 07:59:33 UTC
From ${URL} :

I found multiple issues in the library FreeXL 1.0.0g.
The vendor has corrected these issues in FreeXL 1.0.1, and a diff for
the four issues is available here:
https://www.gaia-gis.it/fossil/freexl/fdiff?v1=2e167b337481dda3&v2=61618ce51a9b0c15&sbs=1

FreeXL 1.0.1 itself has been released here:
http://www.gaia-gis.it/gaia-sins/freexl-1.0.1.tar.gz

To reproduce:
./test_xl $reproducer


#1:  A flaw was found in the way FreeXL reads sectors from the input
file.  A specially crafted file could possibly result in stack
corruption near freexl.c:3752.

Reproducer: https://www.dropbox.com/s/3htzndywvtmomlx/freexl_9f74b0e8?dl=0

#2: A flaw was found in the function allocate_cells(). A specially
crafted file with invalid workbook dimensions could possibly result in
stack corruption near freexl.c:1074

Reproducer: https://www.dropbox.com/s/dcnbbntf7lp03yn/freexl_c9be2aa7?dl=0

#3: A flaw was found in the way FreeXL handles a premature EOF. A
specially crafted input file could possibly result in stack corruption
near freexl.c:1131

Reproducer: https://www.dropbox.com/s/66srfory903w6cl/freexl_d7273f72?dl=0

#4: FreeXL 1.0.0g did not properly check requests for workbook memory
allocation. A specially crafted input file could cause a Denial of
Service, or possibly write onto the stack.

Reproducer (ulimit -Sv 128000):
https://www.dropbox.com/s/gh61gzaf8jj30hj/freexl_6889d18b?dl=0



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
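The report above describes two defect classes that recur in file-format readers: an allocation sized from untrusted workbook dimensions (#2, #4) and sector reads that run past a truncated input (#1, #3). The following C sketch, added here as an illustration and not taken from FreeXL or from the upstream fix, shows what the defensive checks look like: range-checking the dimensions, doing the size arithmetic in 64 bits so `size_t` cannot wrap, capping the allocation with an explicit byte budget, and refusing a sector read when the file ends inside it. The function names, the limits, and the 16-byte sample image are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limits for this example. A real reader would derive them from
 * the format's documented maxima and a memory budget chosen by the caller. */
#define MAX_ROWS        1048576u
#define MAX_COLS        16384u
#define MAX_CELL_BYTES  (64u * 1024u * 1024u)   /* 64 MiB budget for the cell grid */

typedef struct { uint32_t row, col; double value; } cell_t;   /* stand-in cell record */

enum { CELLS_OK = 0, CELLS_BAD_DIMS = -1, CELLS_TOO_LARGE = -2, CELLS_NOMEM = -3 };
enum { SECTOR_OK = 0, SECTOR_BAD_INDEX = -1, SECTOR_SHORT_READ = -2 };

/* Hypothetical hardened allocator driven by file-supplied dimensions: both
 * values are range-checked, the element count is multiplied in 64 bits so it
 * cannot wrap, and the byte total is capped before calloc() is ever called. */
int allocate_cells_checked(uint32_t rows, uint32_t cols, cell_t **out)
{
    *out = NULL;
    if (rows == 0 || cols == 0 || rows > MAX_ROWS || cols > MAX_COLS)
        return CELLS_BAD_DIMS;
    uint64_t count = (uint64_t)rows * (uint64_t)cols;      /* < 2^34 after the checks above */
    uint64_t bytes = count * (uint64_t)sizeof(cell_t);     /* < 2^40, no wrap possible  */
    if (bytes > MAX_CELL_BYTES)
        return CELLS_TOO_LARGE;
    cell_t *cells = calloc((size_t)count, sizeof(cell_t));
    if (cells == NULL)
        return CELLS_NOMEM;
    *out = cells;
    return CELLS_OK;
}

/* Hypothetical bounds-checked sector read over an in-memory file image.
 * An out-of-range sector number, or a file that ends inside the requested
 * sector (a premature EOF), is reported instead of being read past. */
int read_sector_checked(const uint8_t *file, size_t file_len, size_t sector_size,
                        uint32_t index, uint8_t *dst)
{
    if (sector_size == 0 || (uint64_t)index > (uint64_t)(SIZE_MAX / sector_size))
        return SECTOR_BAD_INDEX;
    size_t off = (size_t)index * sector_size;
    if (off > file_len || file_len - off < sector_size)
        return SECTOR_SHORT_READ;
    memcpy(dst, file + off, sector_size);
    return SECTOR_OK;
}

/* Constructed 16-byte file image: two 8-byte sectors. */
static const uint8_t sample_file[16] = {
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
    0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7
};

/* Exercises the allocator and returns only its status code. */
int demo_alloc(uint32_t rows, uint32_t cols)
{
    cell_t *cells;
    int rc = allocate_cells_checked(rows, cols, &cells);
    free(cells);                 /* free(NULL) is a no-op on the error paths */
    return rc;
}

/* Reads one 8-byte sector from the sample image, pretending the file is
 * file_len bytes long. Returns the sector's first byte on success, or the
 * negative status code. */
int demo_sector(size_t file_len, uint32_t index)
{
    uint8_t buf[8];
    int rc = read_sector_checked(sample_file, file_len, sizeof buf, index, buf);
    return rc == SECTOR_OK ? buf[0] : rc;
}

int main(void)
{
    /* A truncated file (12 of 16 bytes) must be rejected rather than read past. */
    return (demo_alloc(8, 8) == CELLS_OK && demo_sector(12, 1) == SECTOR_SHORT_READ) ? 0 : 1;
}
```

The point of the byte budget is that the dimension limits alone are not enough: a 1048576 x 16384 grid is legal for the format but would still demand many gigabytes, so the reader needs an explicit ceiling (or a caller-supplied one) and a clean failure path when it is exceeded, which is what the `ulimit -Sv` in reproducer #4 above is probing.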
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-04-12 22:34:08 UTC
CVE-2015-2776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2776):
  The parse_SST function in FreeXL before 1.0.0i allows remote attackers to
  cause a denial of service (memory consumption) via a crafted shared strings
  table in a workbook.

CVE-2015-2754 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2754):
  FreeXL before 1.0.0i allows remote attackers to cause a denial of service
  (stack corruption) and possibly execute arbitrary code via a crafted
  workbook, related to a "premature EOF."

CVE-2015-2753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2753):
  FreeXL before 1.0.0i allows remote attackers to cause a denial of service
  (stack corruption) or possibly execute arbitrary code via a crafted sector
  in a workbook.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-06-07 13:50:31 UTC
Bug has been around since March, with upstream released 2015-03-22. Any progress with Ebuild?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-08-09 03:09:50 UTC
We are now in August; this is a B2 bug, which should be fixed.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-12-23 17:22:56 UTC
This has been around since March of this year. Please advise whether you still want to maintain this package, or remove it from the tree.
Comment 5 Amy Liffey gentoo-dev 2016-02-14 18:46:24 UTC
Hey, 
working on it.

Amy
Comment 6 Amy Liffey gentoo-dev 2016-02-14 19:17:41 UTC
author	        Amy Winston <amynka@gentoo.org>	2016-02-14 19:08:16 (GMT)
committer	Amy Winston <amynka@gentoo.org>	2016-02-14 19:08:16 (GMT)
commit	8a1bc8250959967320d0587197f23d4742ffb50d

dev-libs/freexl: version bump, security fix bug #544426


New version freexl-1.0.1 is ready for stable on amd64 ppc ppc64 x86.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-02-15 03:53:54 UTC
Arches please stabilize.
Comment 8 Agostino Sarubbo gentoo-dev 2016-02-15 10:22:21 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-02-15 10:23:03 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2016-02-19 16:58:18 UTC
arm passes, no previous stable version.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-22 06:06:18 UTC
Stable for PPC64.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-16 12:04:45 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-03-16 12:23:38 UTC
GLSA Request opened.
Comment 14 Amy Liffey gentoo-dev 2016-03-16 14:15:15 UTC
author	        Amy Winston <amynka@gentoo.org>	2016-03-16 14:10:05 (GMT)
committer	Amy Winston <amynka@gentoo.org>	2016-03-16 14:10:05 (GMT)
commit	61bb3fef4a393776d6e40f21d79987b35c6863f6

dev-libs/freexl: clean vulnerable version bug #544426
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 23:56:11 UTC
This issue was resolved and addressed in
 GLSA 201606-15 at https://security.gentoo.org/glsa/201606-15
by GLSA coordinator Aaron Bauman (b-man).