Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1207142 - (CVE-2015-2753, CVE-2015-2754, CVE-2015-2776) CVE-2015-2753 CVE-2015-2754 CVE-2015-2776 freexl: multiple flaws when parsing malformed input
CVE-2015-2753 CVE-2015-2754 CVE-2015-2776 freexl: multiple flaws when parsing...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150324,repor...
: Security
Depends On: 1207143 1207144 1207145
Blocks: 1207147
  Show dependency treegraph
 
Reported: 2015-03-30 06:14 EDT by Martin Prpič
Modified: 2017-09-12 08:25 EDT (History)
12 users (show)

See Also:
Fixed In Version: FreeXL 1.0.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-12 08:25:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Martin Prpič 2015-03-30 06:14:04 EDT 
The following flaws have been found in FreeXL, a library that parses Microsoft Excel spreadsheets:

#1: A flaw was found in the way FreeXL reads sectors from the input file. A specially crafted file could possibly result in stack corruption near freexl.c:3752.

Reproducer: https://www.dropbox.com/s/3htzndywvtmomlx/freexl_9f74b0e8?dl=0

#2: A flaw was found in the function allocate_cells(). A specially crafted file with invalid workbook dimensions could possibly result in stack corruption near freexl.c:1074

Reproducer: https://www.dropbox.com/s/dcnbbntf7lp03yn/freexl_c9be2aa7?dl=0

#3: A flaw was found in the way FreeXL handles a premature EOF. A specially crafted input file could possibly result in stack corruption near freexl.c:1131

Reproducer: https://www.dropbox.com/s/66srfory903w6cl/freexl_d7273f72?dl=0

#4: FreeXL 1.0.0g did not properly check requests for workbook memory allocation. A specially crafted input file could cause a Denial of Service, or possibly write onto the stack.

Reproducer (ulimit -Sv 128000):
https://www.dropbox.com/s/gh61gzaf8jj30hj/freexl_6889d18b?dl=0

CVE assignments and original report at:

http://seclists.org/oss-sec/2015/q1/1004

Upstream patch:

https://www.gaia-gis.it/fossil/freexl/fdiff?v1=2e167b337481dda3&v2=61618ce51a9b0c15&sbs=1

These flaws are fixed in version 1.0.1 of FreeXL:

http://www.gaia-gis.it/gaia-sins/freexl-1.0.1.tar.gz
Comment 1 Martin Prpič 2015-03-30 06:16:09 EDT 
These flaws have already been fixed in Fedora via:

FEDORA-2015-4444      freexl-1.0.1-1.fc20
FEDORA-2015-4435      freexl-1.0.1-1.fc21
FEDORA-2015-4431      freexl-1.0.1-1.fc22
Comment 3 Martin Prpič 2015-03-30 06:16:49 EDT 
Created freexl tracking bugs for this issue:

Affects: epel-6 [bug 1207143]
Affects: epel-7 [bug 1207144]
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.