Multiple vulnerabilities in freexl 1.0.0
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| freexl (Debian) | Fix Released | Unknown | | |
| freexl (Ubuntu) | | High | Steve Beattie | |
Bug Description
Different vulnerabilities were found in freexl
http://
These are being fixed in Debian (#781228).
| information type: | Private Security → Public Security |
| Changed in freexl (Debian): | |
| status: | Unknown → Fix Released |
| Johan Van de Wauw (johanvdw) wrote : Re: [Bug 1437087] Re: Multiple vulnerabilities in freexl 1.0.0 | #2 |
For utopic and trusty in principle a sync from Debian jessie would be
fine. Should I just take a debdiff from that version and use the same
version number as in Debian or should I use an Ubuntu version number?
For vivid we will need our own version.
| Johan Van de Wauw (johanvdw) wrote : | #3 |
Attached is a debdiff for Ubuntu vivid, using the same patch as the bugfix for Debian jessie (no refresh needed).
| Johan Van de Wauw (johanvdw) wrote : | #4 |
Debdiff for trusty/utopic (only target must change).
This is exactly the same version uploaded to Debian jessie - only the changelog has been adapted to the Ubuntu template.
| Steve Beattie (sbeattie) wrote : | #5 |
Thanks. For trusty and utopic the versioning as well as the target needs to differ slightly to ensure that people upgrading from trusty to utopic get the utopic version installed (see https:/
| Changed in freexl (Ubuntu): | |
| status: | Incomplete → In Progress |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Steve Beattie (sbeattie) wrote : | #6 |
The patch also addresses CVE-2015-2776 (as discussed in the thread on oss-security referred to above), though it's not mentioned in the changelog. Annotating so that it doesn't get lost.
| Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package freexl - 1.0.0g-
---------------
freexl (1.0.0g-
* SECURITY UPDATE: Fix multiple vulnerabilities allowing denial of service
or possibly execute arbitrary code (LP: #1437087):
- CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
denial of service (stack corruption) or possibly execute arbitrary code
via a crafted sector in a workbook.
- CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
denial of service (stack corruption) and possibly execute arbitrary code
via a crafted workbook, related to a "premature EOF."
-- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 22:47:20 +0200
| Changed in freexl (Ubuntu): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package freexl - 1.0.0g-
---------------
freexl (1.0.0g-
* SECURITY UPDATE: Fix multiple vulnerabilities allowing denial of service
or possibly execute arbitrary code (LP: #1437087):
- CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
denial of service (stack corruption) or possibly execute arbitrary code
via a crafted sector in a workbook.
- CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
denial of service (stack corruption) and possibly execute arbitrary code
via a crafted workbook, related to a "premature EOF."
-- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 22:47:20 +0200
| Changed in freexl (Ubuntu): | |
| status: | In Progress → Fix Released |
| Steve Beattie (sbeattie) wrote : | #9 |
Still needs to be fixed in vivid (waiting on sponsorship), reopening.
| Changed in freexl (Ubuntu): | |
| status: | Fix Released → In Progress |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package freexl - 1.0.0h-
---------------
freexl (1.0.0h-
* SECURITY UPDATE: Fix multiple vulnerabilities (LP: #1437087):
- CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
denial of service (stack corruption) or possibly execute arbitrary code
via a crafted sector in a workbook.
- CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
denial of service (stack corruption) and possibly execute arbitrary code
via a crafted workbook, related to a "premature EOF."
-- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 21:55:42 +0200
| Changed in freexl (Ubuntu): | |
| status: | In Progress → Fix Released |
| Bas Couwenberg (sebastic) wrote : | #11 |
This fix for this issue caused a regression as discussed on the debian-gis list:
https:/
In Debian this has been fixed for jessie in freexl (1.0.0g-1+deb8u3) and wheezy in freexl (1.0.0b-1+deb7u3).
Ubuntu needs the same regression fix for trusty & vivid.
I've prepared updates for the Ubuntu packages in git:
http://
http://
Besides the fix for the regression introduced by afl-vulnerabili
| Bas Couwenberg (sebastic) wrote : | #12 |
The Debian Security Team just released: [DSA 3208-2] freexl regression update
https:/
| tags: | added: regression-update |
| Mathew Hodson (mathew-hodson) wrote : | #13 |
The regression is tracked in Bug #1516257
| Changed in freexl (Ubuntu): | |
| importance: | Undecided → High |
| tags: |
added: trusty utopic vivid removed: regression-update |


Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures