ESB-2017.2351 - [UNIX/Linux][Debian] freexl: Multiple vulnerabilities 2017-09-18


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2351
                          freexl security update
                             18 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           freexl
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-2924 CVE-2017-2923 

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3976

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running freexl check for an updated version of the software for 
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3976-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 17, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : freexl
CVE ID         : CVE-2017-2923 CVE-2017-2924
Debian Bug     : 875690 875691

Marcin 'Icewall' Noga of Cisco Talos discovered two vulnerabilities in
freexl, a library to read Microsoft Excel spreadsheets, which might
result in denial of service or the execution of arbitrary code if a
malformed Excel file is opened.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.0g-1+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2-2+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.4-1.

We recommend that you upgrade your freexl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------
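
Added example (not part of the Debian or AusCERT text): a check of an installed freexl package version against the fixed versions listed in the advisory, using dpkg's version ordering reimplemented in Python so it also runs on hosts without dpkg. The function names are this example's own; the installed version string is assumed to come from the package database (for example `dpkg-query -W` on the binary package, which the advisory does not name).

```python
import re

# Fixed versions per distribution, copied from DSA-3976-1.
FIXED = {"jessie": "1.0.0g-1+deb8u4", "stretch": "1.0.2-2+deb9u1", "sid": "1.0.4-1"}

def _order(ch):
    # dpkg character weight: '~' < end of string (0) < letters < other characters.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    # Walk both strings as alternating (non-digit run, digit run) pairs.
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for k in range(max(len(ta), len(tb))):
        sa, da = ta[k] if k < len(ta) else ("", "")
        sb, db = tb[k] if k < len(tb) else ("", "")
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i]) if i < len(sa) else 0
            ob = _order(sb[i]) if i < len(sb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(suite, installed):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, FIXED[suite]) >= 0
```

A plain string comparison gets these wrong: a security suffix such as `+deb9u1` sorts after the bare revision, and a `~` pre-release sorts before the release it precedes.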

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================