Source: libspreadsheet-parseexcel-perl
Version: 0.6500-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil, Debian Security Team <team.org>
Control: found -1 0.6500-1.1
Control: found -1 0.6500-1
Control: affects -1 + libspreadsheet-parsexlsx-perl

Hi,

The following vulnerability was published for libspreadsheet-parseexcel-perl.

The writeup[2] contains a description of the issue and PoCs. Note that the issue in Spreadsheet::ParseExcel will affect as well Spreadsheet::ParseXLSX relying on Spreadsheet::ParseExcel but AFAIU, the issue needs to be fixed in Spreadsheet::ParseExcel.

CVE-2023-7101[0]:
| Spreadsheet::ParseExcel version 0.65 is a Perl module used for
| parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an
| arbitrary code execution (ACE) vulnerability due to passing
| unvalidated input from a file into a string-type “eval”.
| Specifically, the issue stems from the evaluation of Number format
| strings (not to be confused with printf-style format strings) within
| the Excel parsing logic.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-7101
    https://www.cve.org/CVERecord?id=CVE-2023-7101
[1] https://github.com/haile01/perl_spreadsheet_excel_rce_poc
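The bug class named in the CVE text (file-supplied text reaching a string-type eval) and an eval-free replacement, as an added example that is not part of the report and is neither Spreadsheet::ParseExcel's code nor the upstream fix. It assumes a number-format condition is a comparison operator followed by a decimal number; `condition_matches` and `%COMPARE` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(looks_like_number);

# Fixed set of comparisons a condition may select (hypothetical table).
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# Risky pattern (shown as a comment only): the condition text comes from
# the parsed file, and a string eval compiles all of it as Perl.
#   my $matches = eval "$number $condition";

# Hardened form: accept only "<operator><decimal number>", anchored at both
# ends, and dispatch to a fixed comparison. No file text is ever compiled.
# Returns 1 or 0, or undef when the input does not fit the grammar.
sub condition_matches {
    my ($number, $condition) = @_;
    return unless looks_like_number($number);
    return unless defined $condition
        && $condition =~ /\A(<=|>=|<>|<|>|=)(-?\d+(?:\.\d+)?)\z/;
    my ($op, $operand) = ($1, $2);
    return $COMPARE{$op}->($number, $operand) ? 1 : 0;
}

# Constructed sample inputs: three well-formed conditions and two that
# carry text beyond the grammar and must be rejected, not evaluated.
my @cases = (
    [150, '>100'],
    [50,  '>=100'],
    [5,   '<>5'],
    [150, '>100 and trailing text'],
    [150, "<200\n"],
);

for my $case (@cases) {
    my ($number, $condition) = @$case;
    my $result = condition_matches($number, $condition);
    (my $shown = $condition) =~ s/\n/\\n/g;
    printf "%-4s %-26s %s\n", $number, "[$shown]",
        defined $result ? $result : 'rejected';
}
```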
Created perl-Spreadsheet-ParseExcel tracking bugs for this issue:

Affects: epel-all [bug 2255872]
Affects: fedora-all [bug 2255873]