Bug 2255871 (CVE-2023-7101)

Summary: CVE-2023-7101 perl-Spreadsheet-ParseExcel: unvalidated input can lead to arbitrary code execution vulnerability
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2255872, 2255873    
Bug Blocks:    

Description Robb Gatica 2023-12-25 22:28:59 UTC 
ource: libspreadsheet-parseexcel-perl
Version: 0.6500-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil, Debian Security Team <team.org>
Control: found -1 0.6500-1.1
Control: found -1 0.6500-1
Control: affects -1 + libspreadsheet-parsexlsx-perl

Hi,

The following vulnerability was published for libspreadsheet-parseexcel-perl.
The writeup[2] contains a descrption of the issue and pocs. Note that
the issue in Spreadsheet::ParseExcel will affect as well
Spreadsheet::ParseXLSX relying on Spreadsheet::ParseExcel but AFAIU,
the issue needs to be fixed in Spreadsheet::ParseExcel.

CVE-2023-7101[0]:
| Spreadsheet::ParseExcel version 0.65 is a Perl module used for
| parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an
| arbitrary code execution (ACE) vulnerability due to passing
| unvalidated input from a file into a string-type “eval”.
| Specifically, the issue stems from the evaluation of Number format
| strings (not to be confused with printf-style format strings) within
| the Excel parsing logic.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-7101
    https://www.cve.org/CVERecord?id=CVE-2023-7101
[1] https://github.com/haile01/perl_spreadsheet_excel_rce_poc
Comment 1 Robb Gatica 2023-12-25 22:29:15 UTC 
Created perl-Spreadsheet-ParseExcel tracking bugs for this issue:

Affects: epel-all [bug 2255872]
Affects: fedora-all [bug 2255873]