Bug 638336 (CVE-2017-12110, CVE-2017-12111, CVE-2017-2896, CVE-2017-2897, CVE-2017-2919) - <dev-libs/libxls-1.5.2: Multiple vulnerabilities (CVE-2017-{12110,12111,2896,2897,2919})
Status: RESOLVED FIXED
Alias: CVE-2017-12110, CVE-2017-12111, CVE-2017-2896, CVE-2017-2897, CVE-2017-2919
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on: CVE-2018-20450, CVE-2018-20452
Reported: 2017-11-21 16:31 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-30 14:54 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-21 16:31:33 UTC
CVE-2017-2919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2919):
  An exploitable stack-based buffer overflow vulnerability exists in the
  xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can
  cause a memory corruption resulting in remote code execution. An attacker
  can send a malicious XLS file to trigger this vulnerability.

CVE-2017-2897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2897):
  An exploitable out-of-bounds write vulnerability exists in the read_MSAT
  function of libxls 1.4. A specially crafted XLS file can cause a memory
  corruption resulting in remote code execution. An attacker can send
  a malicious XLS file to trigger this vulnerability.

CVE-2017-2896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2896):
  An exploitable out-of-bounds write vulnerability exists in the
  xls_mergedCells function of libxls 1.4. A specially crafted XLS file can
  cause a memory corruption resulting in remote code execution. An attacker
  can send a malicious XLS file to trigger this vulnerability.

CVE-2017-12111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12111):
  An exploitable out-of-bounds vulnerability exists in the xls_addCell
  function of libxls 1.4. A specially crafted XLS file with a formula record
  can cause memory corruption resulting in remote code execution. An attacker
  can send a malicious XLS file to trigger this vulnerability.

CVE-2017-12110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12110):
  An exploitable integer overflow vulnerability exists in the xls_appendSST
  function of libxls 1.4. A specially crafted XLS file can cause memory
  corruption resulting in remote code execution.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-21 16:46:02 UTC
@Maintainer please call for stabilization when ready.

Thank you
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 21:19:05 UTC
Tree is clean, fixed in 1.5.0. First fixed version in tree is 1.5.2.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-03-30 14:54:23 UTC
This issue was resolved and addressed in
 GLSA 202003-64 at https://security.gentoo.org/glsa/202003-64
by GLSA coordinator Thomas Deutschmann (whissi).