Bug 608714 (CVE-2017-5992) - <dev-python/openpyxl-2.4.2: XEE vulnerability
Summary: <dev-python/openpyxl-2.4.2: XEE vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-5992
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-09 09:18 UTC by Agostino Sarubbo
Modified: 2018-08-12 02:30 UTC
CC: 2 users

See Also:
Package list:
dev-python/openpyxl-2.4.11
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-02-09 09:18:19 UTC
From ${URL} :

the Debian Security Team would like to request a CVE for an XML XEE
discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
resolves external entities by default:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
  https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
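The report above says openpyxl resolved external entities by default, and an .xlsx file is a zip of XML parts that an attacker controls byte for byte. The following is an added example, not openpyxl's code and not the fix referenced in the bitbucket commit: a stop-gap pre-scan for an upload handler that cannot upgrade yet. It walks the XML parts of a package and reports any DOCTYPE, entity declaration or external entity reference without resolving anything, so a vulnerable parser downstream has nothing to resolve. The two worksheet parts and the minimal package built around them are constructed for the example (they are not a workbook a spreadsheet application would open), and expat is used directly because the accelerated ElementTree parser does not expose these callbacks. Upgrading the library remains the real fix.

```python
"""Pre-scan the XML parts of an .xlsx package for DTD and entity declarations.

Added example; not openpyxl's code and not the fix shipped in openpyxl 2.4.2.
All sample data below is constructed for the example.
"""
import io
import zipfile
from xml.parsers import expat

# Constructed benign part, shaped like a SpreadsheetML worksheet.
BENIGN_SHEET = b"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>hello</t></is></c></row></sheetData>
</worksheet>
"""

# Constructed crafted part: the classic XXE shape, an external general entity
# that a resolving parser would replace with the contents of a local file.
CRAFTED_SHEET = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE worksheet [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>&xxe;</t></is></c></row></sheetData>
</worksheet>
"""


def declarations_in(data: bytes) -> list[str]:
    """Return every DOCTYPE, entity declaration and external entity reference
    found in one XML part, without resolving any of them."""
    found: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found.append(f"DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid:
            found.append(f"ENTITY {name} SYSTEM {sysid}")
        else:
            found.append(f"ENTITY {name} (internal)")

    def on_external_ref(context, base, sysid, pubid):
        found.append(f"external reference to {sysid}")
        return 1  # tell expat to continue without fetching the entity

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # A part that is not well-formed XML is not worth passing on either.
        found.append(f"malformed XML: {exc}")
    return found


def build_xlsx(sheet_xml: bytes) -> bytes:
    """Build a minimal .xlsx-shaped zip around one worksheet part (constructed
    for the scanner only; far too few parts to be a real workbook)."""
    workbook = (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        b'<sheets><sheet name="Sheet1" sheetId="1"/></sheets></workbook>'
    )
    content_types = (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
    )
    parts = {
        "[Content_Types].xml": content_types,
        "xl/workbook.xml": workbook,
        "xl/worksheets/sheet1.xml": sheet_xml,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_xlsx(blob: bytes) -> dict[str, list[str]]:
    """Map each XML part that has findings to what it declares or references.

    An empty result means no part in the package declares a DTD or entity, so
    even a parser that resolves external entities has nothing to resolve."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith((".xml", ".rels")):
                continue
            decls = declarations_in(zf.read(info.filename))
            if decls:
                findings[info.filename] = decls
    return findings


def is_safe_to_parse(blob: bytes) -> bool:
    """Gate for an upload handler: True only when no part has findings."""
    return not scan_xlsx(blob)


if __name__ == "__main__":
    for label, sheet in (("benign", BENIGN_SHEET), ("crafted", CRAFTED_SHEET)):
        print(label, scan_xlsx(build_xlsx(sheet)))
```

Rejecting on any DOCTYPE at all is deliberate: legitimate Office Open XML parts never carry one, so the check has no false positives on real workbooks, and it also stops internal-entity expansion tricks that a "no external entities" setting alone would not.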
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-09 10:23:56 UTC
@ Maintainer(s): Please bump to >=dev-python/openpyxl-2.4.2 which contains the bugfix.
Comment 2 D'juan McDonald (domhnall) 2017-03-14 22:53:03 UTC
References For CVE-2017-5992 

http://www.cvedetails.com/cve/CVE-2017-5992/
Comment 3 Michael Boyle 2018-05-03 02:15:15 UTC
@maintainers, ping. Please bump to latest release.

Michael Boyle
Gentoo Security Padawan
Comment 4 Larry the Git Cow gentoo-dev 2018-08-07 17:31:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f29859e1e34dcbe6c2b9656955aa3d98fcf30e6

commit 3f29859e1e34dcbe6c2b9656955aa3d98fcf30e6
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-07 17:25:30 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-07 17:25:30 +0000

    dev-python/openpyxl: bump to 2.4.11
    
    To avoid revdeps breaks and because this will be the target of a fast
    track stabilization (security), I avoid doing a double-major-version
    bump and limit the bump to the 2.4.x line. The 2.5 bump will be done
    separately with a regular stabilization process.
    
    Bug: https://bugs.gentoo.org/608714
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 dev-python/openpyxl/Manifest               |  1 +
 dev-python/openpyxl/openpyxl-2.4.11.ebuild | 33 ++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
Comment 5 Virgil Dupras (RETIRED) gentoo-dev 2018-08-07 17:34:55 UTC
amd64, x86, please stabilize:

dev-python/openpyxl-2.4.11

Thanks.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-07 22:43:53 UTC
x86 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-10 19:43:16 UTC
amd64 stable

and GLSA vote: no
Comment 8 Larry the Git Cow gentoo-dev 2018-08-10 21:43:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=faa0d1e93590c9a89b98f7be63db9c9017c6b765

commit faa0d1e93590c9a89b98f7be63db9c9017c6b765
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-10 21:43:04 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-10 21:43:04 +0000

    dev-python/openpyxl: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/608714
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 dev-python/openpyxl/Manifest              |  2 --
 dev-python/openpyxl/openpyxl-2.3.0.ebuild | 35 -------------------------------
 dev-python/openpyxl/openpyxl-2.3.3.ebuild | 35 -------------------------------
 3 files changed, 72 deletions(-)
Comment 9 Virgil Dupras (RETIRED) gentoo-dev 2018-08-10 22:44:44 UTC
I had to revert. My cleanup broke the CI, sorry about the noise. Will make proper clean later.
Comment 10 Larry the Git Cow gentoo-dev 2018-08-11 23:16:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9b80fad012e382626a8e5384952cd049845da53

commit a9b80fad012e382626a8e5384952cd049845da53
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-11 23:16:13 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-11 23:16:13 +0000

    dev-python/openpyxl: re-enable py34 on v2.4.11
    
    I failed to see, before phasing it out, how many revdeps had a py34
    enabled. If I want to be able to clean out old and vulnerable versions
    in a reasonable timeframe, I have to re-enable py34.
    
    Bug: https://bugs.gentoo.org/608714
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 dev-python/openpyxl/openpyxl-2.4.11.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Larry the Git Cow gentoo-dev 2018-08-11 23:21:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c77c8cb20b9c5ac66e91a40d267d6babfb1cf73a

commit c77c8cb20b9c5ac66e91a40d267d6babfb1cf73a
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-11 23:20:13 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-11 23:20:13 +0000

    dev-python/openpyxl: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/608714
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 dev-python/openpyxl/Manifest              |  2 --
 dev-python/openpyxl/openpyxl-2.3.0.ebuild | 35 -------------------------------
 dev-python/openpyxl/openpyxl-2.3.3.ebuild | 35 -------------------------------
 3 files changed, 72 deletions(-)
Comment 12 Michael Boyle 2018-08-12 02:30:22 UTC
Thanks guys.