
[SECURITY] [DLA 1098-1] freexl security update




Package        : freexl
Version        : 1.0.0b-1+deb7u4
CVE ID         : CVE-2017-2923 CVE-2017-2924
Debian Bug     : #875690 #875691


The Cisco Talos team reported two sensitive security issues affecting
FreeXL-1.0.3 and any previous version.

CVE-2017-2923

    An exploitable heap-based buffer overflow vulnerability exists in
    the read_biff_next_record function of FreeXL 1.0.3. A specially
    crafted XLS file can cause memory corruption resulting in remote
    code execution. An attacker can send a malicious XLS file to trigger
    this vulnerability.

CVE-2017-2924

    An exploitable heap-based buffer overflow vulnerability exists in
    the read_legacy_biff function of FreeXL 1.0.3. A specially crafted
    XLS file can cause memory corruption resulting in remote code
    execution. An attacker can send a malicious XLS file to trigger this
    vulnerability.

For Debian 7 "Wheezy", these problems have been fixed in version
1.0.0b-1+deb7u4.

We recommend that you upgrade your freexl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS