Multiple vulnerabilities in freexl 1.0.0

Bug #1437087 reported by Johan Van de Wauw on 2015-03-27
Affects          Status        Importance  Assigned to    Milestone
freexl (Debian)  Fix Released  Unknown
freexl (Ubuntu)                High        Steve Beattie

Bug Description

Different vulnerabilities were found in freexl

http://seclists.org/oss-sec/2015/q1/1004

These are being fixed in debian (#781228).

Steve Beattie (sbeattie) on 2015-03-30
information type: Private Security → Public Security
Changed in freexl (Debian):
status: Unknown → Fix Released
Steve Beattie (sbeattie) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in freexl (Ubuntu):
status: New → Incomplete

For utopic and trusty in principle a sync from debian jessie would be
fine. Should I just take a debdiff from that version and use the same
version number as in debian or should I use ubuntu version number?

For vivid we will need our own version.

Johan Van de Wauw (johanvdw) wrote :

Attached is a debdiff for ubuntu vivid, using the same patch as the bugfix for debian jessie (no refresh needed).

Johan Van de Wauw (johanvdw) wrote :

Debdiff for trusty/utopic (only target must change).

This is exactly the same version uploaded to debian jessie - only the changelog has been adapted to the ubuntu template.

Steve Beattie (sbeattie) wrote :

Thanks. For trusty and utopic the versioning as well as the target needs to differ slightly to ensure that people upgrading from trusty to utopic get the utopic version installed (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging for details). I'll adjust the versions to 1.0.0g-1ubuntu0.14.04.1 and 1.0.0g-1ubuntu0.14.10.1 locally.

Changed in freexl (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Steve Beattie (sbeattie)
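The versioning rule in the comment above (the trusty build must sort below the utopic build, which in turn must sort below the vivid build) can be checked without a Debian system at hand. The block below is an added example, not code from Launchpad, dpkg or the freexl package: it reimplements the Debian Policy version ordering that `dpkg --compare-versions` applies (epoch, then upstream version, then Debian revision, with `~` sorting before everything including the end of the string) and applies it to the version strings from this bug.

```python
"""Debian/Ubuntu package version ordering, reimplemented for illustration.

Added example, not code from Launchpad, dpkg or freexl.  It follows the
comparison algorithm from Debian Policy section 5.6.12 (the one behind
`dpkg --compare-versions`) so the version numbers chosen in this bug can be
checked offline.  The version strings below are the ones named on the page.
"""
from functools import cmp_to_key


def _order(c: str) -> int:
    """Sort weight of a non-digit character.  '~' sorts before everything,
    even the end of the string; letters sort before other symbols."""
    if c == "~":
        return -1
    if c == "":          # end of string
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one fragment (upstream version or Debian revision).
    Alternates between character-wise comparison of non-digit runs and
    numeric comparison of digit runs, like dpkg's verrevcmp()."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # numeric: ignore leading zeros
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():          # a has more digits: larger number
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


def upgrade_path_ok(chain):
    """True if each version in `chain` (oldest release first) sorts strictly
    below the next, so a release upgrade installs the newer build instead of
    keeping the old one."""
    return all(compare_versions(x, y) < 0 for x, y in zip(chain, chain[1:]))


# Versions from this bug, oldest release first: trusty, utopic, vivid.
SECURITY_UPDATE_CHAIN = [
    "1.0.0g-1ubuntu0.14.04.1",
    "1.0.0g-1ubuntu0.14.10.1",
    "1.0.0h-1~exp1ubuntu1",
]

if __name__ == "__main__":
    print(upgrade_path_ok(SECURITY_UPDATE_CHAIN))
    # '~' makes the vivid build sort below a plain 1.0.0h-1 from Debian,
    # so a later sync of that package would still be picked up.
    print(compare_versions("1.0.0h-1~exp1ubuntu1", "1.0.0h-1") < 0)
```

The `14.04` versus `14.10` suffix is what makes the trusty and utopic builds order correctly: both carry the same upstream `1.0.0g` and the same `1ubuntu0` prefix, so the numeric comparison of `4` against `10` decides. The `~exp1` in the vivid version sorts below the bare Debian revision `1`, which is the intended behaviour for an experimental-derived build.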
Steve Beattie (sbeattie) wrote :

The patch also addresses CVE-2015-2776 (as discussed in the thread on oss-security referred to above), though it's not mentioned in the changelog. Annotating so that it doesn't get lost.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freexl - 1.0.0g-1ubuntu0.14.10.1

---------------
freexl (1.0.0g-1ubuntu0.14.10.1) utopic-security; urgency=high

   * SECURITY UPDATE: Fix multiple vulnerabilities allowing denial of service
     or possibly execute arbitrary code (LP: #1437087):
     - CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) or possibly execute arbitrary code
       via a crafted sector in a workbook.
     - CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) and possibly execute arbitrary code
       via a crafted workbook, related to a "premature EOF."
 -- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 22:47:20 +0200

Changed in freexl (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freexl - 1.0.0g-1ubuntu0.14.04.1

---------------
freexl (1.0.0g-1ubuntu0.14.04.1) trusty-security; urgency=high

   * SECURITY UPDATE: Fix multiple vulnerabilities allowing denial of service
     or possibly execute arbitrary code (LP: #1437087):
     - CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) or possibly execute arbitrary code
       via a crafted sector in a workbook.
     - CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) and possibly execute arbitrary code
       via a crafted workbook, related to a "premature EOF."
 -- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 22:47:20 +0200

Changed in freexl (Ubuntu):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Still needs to be fixed in vivid (waiting on sponsorship), reopening.

Changed in freexl (Ubuntu):
status: Fix Released → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freexl - 1.0.0h-1~exp1ubuntu1

---------------
freexl (1.0.0h-1~exp1ubuntu1) vivid; urgency=high

  * SECURITY UPDATE: Fix multiple vulnerabilities (LP: #1437087):
    - CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
      denial of service (stack corruption) or possibly execute arbitrary code
      via a crafted sector in a workbook.
    - CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
      denial of service (stack corruption) and possibly execute arbitrary code
      via a crafted workbook, related to a "premature EOF."
 -- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 21:55:42 +0200

Changed in freexl (Ubuntu):
status: In Progress → Fix Released
Bas Couwenberg (sebastic) wrote :

The fix for this issue caused a regression as discussed on the debian-gis list:

 https://lists.debian.org/debian-gis/2015/11/msg00013.html

In Debian this has been fixed for jessie in freexl (1.0.0g-1+deb8u3) and wheezy in freexl (1.0.0b-1+deb7u3).

Ubuntu needs the same regression fix for trusty & vivid.

I've prepared updates for the Ubuntu packages in git:

 http://anonscm.debian.org/cgit/pkg-grass/freexl.git/?h=ubuntu/trusty
 http://anonscm.debian.org/cgit/pkg-grass/freexl.git/?h=ubuntu/vivid

Besides the fix for the regression introduced by afl-vulnerabilitities.patch, they also contain 32bit-multiplication-overflow.patch that was included in freexl (1.0.0g-1+deb8u2) for jessie-security and freexl (1.0.0b-1+deb7u2) for wheezy-security. 32bit-multiplication-overflow.patch was backported from FreeXL 1.0.2 and already included in wily & xenial.

Bas Couwenberg (sebastic) wrote :

The Debian Security Team just released: [DSA 3208-2] freexl regression update
https://lists.debian.org/debian-security-announce/2015/msg00302.html

tags: added: regression-update
Mathew Hodson (mathew-hodson) wrote :

The regression is tracked in Bug #1516257

Changed in freexl (Ubuntu):
importance: Undecided → High
tags: added: trusty utopic vivid
removed: regression-update