Lucene search

DebianDEBIAN:DLA-1098-1:CFCC1

HistorySep 17, 2017 - 4:14 p.m.

[SECURITY] [DLA 1098-1] freexl security update

2017-09-1716:14:08

lists.debian.org

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.021 Low

EPSS

Percentile

89.2%

JSON

Package : freexl
Version : 1.0.0b-1+deb7u4
CVE ID : CVE-2017-2923 CVE-2017-2924
Debian Bug : #875690 #875691

The Cisco Talos team reported two sensitive security issues affecting
FreeXL-1.0.3 and any previous version.

CVE-2017-2923

An exploitable heap based buffer overflow vulnerability exists in
the read_biff_next_record function of FreeXL 1.0.3. A specially
crafted XLS file can cause a memory corruption resulting in remote
code execution. An attacker can send malicious XLS file to trigger
this vulnerability.

CVE-2017-2924

An exploitable heap-based buffer overflow vulnerability exists in
the read_legacy_biff function of FreeXL 1.0.3. A specially crafted
XLS file can cause a memory corruption resulting in remote code
execution. An attacker can send malicious XLS file to trigger this
vulnerability.

For Debian 7 "Wheezy", these problems have been fixed in version
1.0.0b-1+deb7u4.

We recommend that you upgrade your freexl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8mipslibfreexl1< 1.0.0g-1+deb8u4libfreexl1_1.0.0g-1+deb8u4_mips.deb
Debian7armellibfreexl1< 1.0.0b-1+deb7u4libfreexl1_1.0.0b-1+deb7u4_armel.deb
Debian8ppc64ellibfreexl1-dbg< 1.0.0g-1+deb8u4libfreexl1-dbg_1.0.0g-1+deb8u4_ppc64el.deb
Debian9amd64libfreexl1< 1.0.2-2+deb9u1libfreexl1_1.0.2-2+deb9u1_amd64.deb
Debian9arm64libfreexl1< 1.0.2-2+deb9u1libfreexl1_1.0.2-2+deb9u1_arm64.deb
Debian9armellibfreexl1< 1.0.2-2+deb9u1libfreexl1_1.0.2-2+deb9u1_armel.deb
Debian8armhflibfreexl-dev< 1.0.0g-1+deb8u4libfreexl-dev_1.0.0g-1+deb8u4_armhf.deb
Debian8armellibfreexl1< 1.0.0g-1+deb8u4libfreexl1_1.0.0g-1+deb8u4_armel.deb
Debian9armhflibfreexl-dev< 1.0.2-2+deb9u1libfreexl-dev_1.0.2-2+deb9u1_armhf.deb
Debian8mipsellibfreexl1< 1.0.0g-1+deb8u4libfreexl1_1.0.0g-1+deb8u4_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	mips	libfreexl1	< 1.0.0g-1+deb8u4	libfreexl1_1.0.0g-1+deb8u4_mips.deb
Debian	7	armel	libfreexl1	< 1.0.0b-1+deb7u4	libfreexl1_1.0.0b-1+deb7u4_armel.deb
Debian	8	ppc64el	libfreexl1-dbg	< 1.0.0g-1+deb8u4	libfreexl1-dbg_1.0.0g-1+deb8u4_ppc64el.deb
Debian	9	amd64	libfreexl1	< 1.0.2-2+deb9u1	libfreexl1_1.0.2-2+deb9u1_amd64.deb
Debian	9	arm64	libfreexl1	< 1.0.2-2+deb9u1	libfreexl1_1.0.2-2+deb9u1_arm64.deb
Debian	9	armel	libfreexl1	< 1.0.2-2+deb9u1	libfreexl1_1.0.2-2+deb9u1_armel.deb
Debian	8	armhf	libfreexl-dev	< 1.0.0g-1+deb8u4	libfreexl-dev_1.0.0g-1+deb8u4_armhf.deb
Debian	8	armel	libfreexl1	< 1.0.0g-1+deb8u4	libfreexl1_1.0.0g-1+deb8u4_armel.deb
Debian	9	armhf	libfreexl-dev	< 1.0.2-2+deb9u1	libfreexl-dev_1.0.2-2+deb9u1_armhf.deb
Debian	8	mipsel	libfreexl1	< 1.0.0g-1+deb8u4	libfreexl1_1.0.0g-1+deb8u4_mipsel.deb