ESB-2018.0629 - [Debian] freexl: Multiple vulnerabilities 2018-03-05


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0629
                          freexl security update
                               5 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           freexl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7439 CVE-2018-7438 CVE-2018-7437
                   CVE-2018-7436 CVE-2018-7435 

Reference:         ESB-2018.0603

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4129

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4129-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 02, 2018                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : freexl
CVE ID         : CVE-2018-7435 CVE-2018-7436 CVE-2018-7437 CVE-2018-7438 
                 CVE-2018-7439

Multiple heap buffer over-reads were discovered in freexl, a library to
read Microsoft Excel spreadsheets, which could result in denial of
service.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.0g-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2-2+deb9u2.

We recommend that you upgrade your freexl packages.

For the detailed security status of freexl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freexl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
