From ${URL} : I found multiple issues in the library FreeXL 1.0.0g. The vendor has corrected these issues in FreeXL 1.0.1, and a diff for the four issues is available here: https://www.gaia-gis.it/fossil/freexl/fdiff?v1=2e167b337481dda3&v2=61618ce51a9b0c15&sbs=1

FreeXL 1.0.1 itself has been released here: http://www.gaia-gis.it/gaia-sins/freexl-1.0.1.tar.gz

To reproduce: ./test_xl $reproducer

#1: A flaw was found in the way FreeXL reads sectors from the input file. A specially crafted file could possibly result in stack corruption near freexl.c:3752.
Reproducer: https://www.dropbox.com/s/3htzndywvtmomlx/freexl_9f74b0e8?dl=0

#2: A flaw was found in the function allocate_cells(). A specially crafted file with invalid workbook dimensions could possibly result in stack corruption near freexl.c:1074.
Reproducer: https://www.dropbox.com/s/dcnbbntf7lp03yn/freexl_c9be2aa7?dl=0

#3: A flaw was found in the way FreeXL handles a premature EOF. A specially crafted input file could possibly result in stack corruption near freexl.c:1131.
Reproducer: https://www.dropbox.com/s/66srfory903w6cl/freexl_d7273f72?dl=0

#4: FreeXL 1.0.0g did not properly check requests for workbook memory allocation. A specially crafted input file could cause a Denial of Service, or possibly write onto the stack.
Reproducer (ulimit -Sv 128000): https://www.dropbox.com/s/gh61gzaf8jj30hj/freexl_6889d18b?dl=0

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
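The report above describes two input-validation failures: a cell table sized from untrusted workbook dimensions (#2, #4) and sector reads that run past a premature EOF (#1, #3). The following is an added example of how a parser can reject both before touching memory; it is not FreeXL's own code, and the cell struct, the 64 MiB cap and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical cell record; the real FreeXL struct is laid out differently. */
typedef struct { int type; double num; } cell_t;

/* Assumed upper bound on the cell table (64 MiB) so that a crafted
   dimension header cannot exhaust memory even when the product does
   not overflow. */
#define MAX_CELL_BYTES (64u * 1024u * 1024u)

/* Allocate rows*cols cells only when the product cannot overflow and the
   byte count stays under the cap; otherwise return NULL rather than a
   buffer that is smaller than the indices the file will later use. */
cell_t *safe_allocate_cells(uint32_t rows, uint32_t cols)
{
    if (rows == 0 || cols == 0)
        return NULL;
    /* 32-bit * 32-bit always fits in 64 bits, so the cap check is exact. */
    uint64_t n = (uint64_t)rows * (uint64_t)cols;
    if (n > MAX_CELL_BYTES / sizeof(cell_t))
        return NULL;
    return calloc((size_t)n, sizeof(cell_t));
}

/* Copy one fixed-size sector out of an in-memory file image. A sector
   that starts or ends beyond the image (premature EOF) returns 0 and
   leaves the caller's buffer untouched, so no partially filled sector is
   ever handed to the record parser. */
int read_sector(const uint8_t *img, size_t img_len, size_t sector_size,
                uint32_t index, uint8_t *out)
{
    uint64_t off = (uint64_t)index * (uint64_t)sector_size;
    if (off > img_len || img_len - off < sector_size)
        return 0;
    memcpy(out, img + off, sector_size);
    return 1;
}
```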
CVE-2015-2776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2776): The parse_SST function in FreeXL before 1.0.0i allows remote attackers to cause a denial of service (memory consumption) via a crafted shared strings table in a workbook.

CVE-2015-2754 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2754): FreeXL before 1.0.0i allows remote attackers to cause a denial of service (stack corruption) and possibly execute arbitrary code via a crafted workbook, related to a "premature EOF."

CVE-2015-2753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2753): FreeXL before 1.0.0i allows remote attackers to cause a denial of service (stack corruption) or possibly execute arbitrary code via a crafted sector in a workbook.
Bug has been around since March, with upstream released 2015-03-22. Any progress with the ebuild?
We are now in August, this is a B2 bug, which should be fixed.
This has been around since March of this year. Please advise if you still want to maintain this package, or remove it from the tree.
Hey, working on it. Amy
author Amy Winston <amynka@gentoo.org> 2016-02-14 19:08:16 (GMT)
committer Amy Winston <amynka@gentoo.org> 2016-02-14 19:08:16 (GMT)
commit 8a1bc8250959967320d0587197f23d4742ffb50d

dev-libs/freexl: version bump, security fix bug #544426

New version freexl-1.0.1 is ready for stable on amd64 ppc ppc64 x86.
Arches please stabilize.
amd64 stable
x86 stable
arm passes, no previous stable version.
Stable for PPC64.
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
GLSA Request opened.
author Amy Winston <amynka@gentoo.org> 2016-03-16 14:10:05 (GMT)
committer Amy Winston <amynka@gentoo.org> 2016-03-16 14:10:05 (GMT)
commit 61bb3fef4a393776d6e40f21d79987b35c6863f6

dev-libs/freexl: clean vulnerable version bug #544426
This issue was resolved and addressed in GLSA 201606-15 at https://security.gentoo.org/glsa/201606-15 by GLSA coordinator Aaron Bauman (b-man).