Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libspreadsheet-parsexlsx-p...@packages.debian.org
Control: affects -1 + src:libspreadsheet-parsexlsx-perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I've uploaded libspreadsheet-parsexlsx-perl/0.27-3+deb12u2 to bookworm to fix a non-DSA security bug: CVE-2024-22368 / #1061098 (XEE injection vulnerability).

The patch is just one line [0] and is taken from upstream Git / upstream release 0.30. The fix has been included in trixie and sid in 0.31-1 for a couple of days.

Full debdiff against -deb12u1 in proposed-updates attached.

Thanks in advance,
gregor

[0]
+--- a/lib/Spreadsheet/ParseXLSX.pm
++++ b/lib/Spreadsheet/ParseXLSX.pm
+@@ -1107,6 +1107,7 @@
+ 'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels',
+ 'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain',
+ },
++ no_xxe => 1,
+ keep_original_prefix => 1,
+ %opts,
+ );

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmW0DZ1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgYnrRAAt7GtL179slaqAf2G1bah9oAgwN6eEpMkl8KgNeo6psR+MiZKVhYh8NL2
qk/pmwQlrqfFIEpVVzXbTUxIeropvjqvo2nXrqQdth+BN4itB7bwzp665QQ34bAu
EJrcNzt3DbOf9mS+2xuYXVTMxQQnv/oskZrq3I0l+iA+BLm1InJdNJshCYYHeWMG
QWq0WlBkQQ9cx51D8EWPwytmDSLjNniURyi5rb+B+73LeavejIJnWBxcfIldh7YU
HUVUfbnjf7iXvOU2KmsLLXdW/yYFHQAFjhY/AYhXoZcs7n6A2D/CgMhz5ADumOE0
y/5AL9AZ+NEGZyPKkjJPdzNdwCmnRR9V7qm6aV3M0x0IE3CSEGXzvpjJp5lmKdj4
OyXYKu1/DoFPnpTmZs2bmfoHnHYzpQsTwr1fzw5dIirPTgoLFf7Cw9BOc4jBn2Ln
0VU77FawxPGv9oZe8DCYSbk//KeO+efn9J9G/ISXDGQEVMYKgxw7neLirqARypSl
RRrIKbyJS+YTz3dxs+mo9rz53NnoOiUu68wLA07QgUtKKz+U230c/aDI0HUQLAio
ItlGinQ1yhAsGyIkfuMBpfUfn3wcVfk5lapIu6855mVo4YBSEMhIz50GcsuSeK8t
1frXdy5bm4Df2PXVsAk5SuNGfbaWt2zs0t2AxLnN45+OTBPvCBE=
=hMLL
-----END PGP SIGNATURE-----
diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/changelog libspreadsheet-parsexlsx-perl-0.27/debian/changelog --- libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2024-01-12 21:25:50.000000000 +0100 +++ libspreadsheet-parsexlsx-perl-0.27/debian/changelog 2024-01-26 20:37:26.000000000 +0100 @@ -1,3 +1,13 @@ +libspreadsheet-parsexlsx-perl (0.27-3+deb12u2) bookworm; urgency=medium + + * Team upload. + * Add a patch to fix an xml external entity (XEE) injection bug. + [CVE-2024-23525] + Patch taken from an upstream Git commit contained in the 0.30 release. + (Closes: #1061098) + + -- gregor herrmann <gre...@debian.org> Fri, 26 Jan 2024 20:37:26 +0100 + libspreadsheet-parsexlsx-perl (0.27-3+deb12u1) bookworm; urgency=medium * Team upload. diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch --- libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch 1970-01-01 01:00:00.000000000 +0100 +++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/CVE-2024-23525.patch 2024-01-26 20:37:26.000000000 +0100 
@@ -0,0 +1,25 @@ +Description: Fix xml external entity (XEE) injection bug CVE-2024-23525 +Origin: upstream, commit 1d55f90, as released in 0.30 +Reviewed-by: gregor herrmann <gre...@debian.org> +Last-Update: 2024-01-26 +Bug-Debian: https://bugs.debian.org/1061098 +Bug: https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10 + +From 1d55f90caf433c7442e5be21a1849af2b5522ffe Mon Sep 17 00:00:00 2001 +From: Michael Daum <d...@michaeldaumconsulting.com> +Date: Wed, 17 Jan 2024 12:31:20 +0100 +Subject: [PATCH] Fixed xml external entity (XEE) injection bug + +reported by @phvietan, fixes issue #10 + + +--- a/lib/Spreadsheet/ParseXLSX.pm ++++ b/lib/Spreadsheet/ParseXLSX.pm +@@ -1107,6 +1107,7 @@ + 'http://schemas.openxmlformats.org/officeDocument/2006/relationships' => 'rels', + 'http://schemas.openxmlformats.org/drawingml/2006/main' => 'drawmain', + }, ++ no_xxe => 1, + keep_original_prefix => 1, + %opts, + ); diff -Nru libspreadsheet-parsexlsx-perl-0.27/debian/patches/series libspreadsheet-parsexlsx-perl-0.27/debian/patches/series --- libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2024-01-12 21:25:50.000000000 +0100 +++ libspreadsheet-parsexlsx-perl-0.27/debian/patches/series 2024-01-26 20:37:26.000000000 +0100 @@ -1,2 +1,3 @@ 001_fix-NAME-section-in-pod.patch CVE-2024-22368.patch +CVE-2024-23525.patch
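Review bot: the CVE identifier in the debian/changelog hunk (CVE-2024-23525, matching the new patch file name and the series entry) does not agree with the cover letter, which announces this upload as CVE-2024-22368; since the series hunk shows CVE-2024-22368.patch already present as unchanged context from the -deb12u1 upload, the cover letter is the one that needs correcting, otherwise the tracker will map the wrong ID to 0.27-3+deb12u2. The changelog line "fix an xml external entity (XEE) injection bug" should also use the standard acronym XXE (XML eXternal Entity), which is the term the `no_xxe` option being enabled refers to; the same spelling is carried into the Description: line of the patch header.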
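Review bot: in the lib/Spreadsheet/ParseXLSX.pm hunk, `no_xxe => 1,` is inserted before `%opts,` in the XML::Twig->new argument list, so a caller who passes `no_xxe => 0` through the options hash silently re-enables external entity expansion; if that override is not intended, place the key after `%opts` (or delete it from `%opts` first) so the default cannot be undone from outside. Two things the patch header could document as well: that `no_xxe` is an XML::Twig option, so the update relies on the XML::Twig version in bookworm honouring it, and that this constructor is the only place the module creates a twig, since any XML::Twig built elsewhere in the package would stay unprotected by this one-line change.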
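The one-line fix works by turning on XML::Twig's `no_xxe` option in the twig that Spreadsheet::ParseXLSX uses for every part of the workbook. The following script is an added illustration of what that option changes, reproduced at the XML::Twig layer rather than through a full .xlsx; it is not code from libspreadsheet-parsexlsx-perl, Spreadsheet::ParseXLSX or XML::Twig. It assumes XML::Twig and XML::Parser are installed; the "secret" file, the sharedStrings-style XML document and the helper name `extract_first_string` are constructed here for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration of what `no_xxe => 1` changes at the XML::Twig layer.
# Not code from Spreadsheet::ParseXLSX, XML::Twig or the Debian package.
# Assumes XML::Twig (with its no_xxe option) and XML::Parser are installed.
use strict;
use warnings;
use XML::Twig;
use File::Temp qw(tempfile);

# Constructed stand-in for a file an attacker wants exfiltrated
# (think /etc/passwd); removed again when the script exits.
my $secret = 's3cr3t-demo-token';
my ( $fh, $path ) = tempfile( UNLINK => 1 );
print {$fh} $secret;
close $fh;

# Constructed sharedStrings.xml-style document. The internal DTD subset
# declares an external entity whose SYSTEM id is a local path, and the
# cell text references it. Inside a real .xlsx this part would be read
# from the zip and handed to the same XML::Twig constructor ParseXLSX uses.
my $xml = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sst [ <!ENTITY xxe SYSTEM "$path"> ]>
<sst><si><t>&xxe;</t></si></sst>
XML

# Hypothetical helper: builds a twig from the given options, parses $xml
# and returns (text of the first <t>, error). Text is undef when parsing
# died. Options are merged as a plain hash, like %opts in _new_twig.
sub extract_first_string {
    my (%opts) = @_;
    my $twig = XML::Twig->new(%opts);
    my $ok   = eval { $twig->parse($xml); 1 };
    return ( undef, $@ ) unless $ok;
    my $t = $twig->root->first_descendant('t');
    return ( $t ? $t->text : '', undef );
}

# Unfixed behaviour: XML::Parser's default ExternEnt handler opens the
# SYSTEM id, and the file contents land in the "cell" value.
my ( $unfixed, $unfixed_err ) = extract_first_string();
my $leaked = defined $unfixed && index( $unfixed, $secret ) >= 0;
printf "without no_xxe:   %s\n", $leaked ? "LEAKED '$secret'" : 'not expanded';

# Fixed behaviour: no_xxe => 1 makes XML::Twig refuse the external entity.
# Depending on the XML::Twig version this either dies inside parse() or
# leaves the reference unexpanded, so treat both outcomes as blocked.
my ( $fixed, $fixed_err ) = extract_first_string( no_xxe => 1 );
my $blocked = !defined($fixed) || index( $fixed, $secret ) < 0;
$fixed_err //= '';
chomp $fixed_err;
printf "with no_xxe => 1: %s%s\n", $blocked ? 'blocked' : 'STILL LEAKED',
    $fixed_err ? " ($fixed_err)" : '';

# The ordering caveat from the patch: with `no_xxe => 1, ..., %opts`, a
# caller-supplied no_xxe => 0 is merged last and wins, so the twig is
# back to the unfixed behaviour.
my ($overridden) = extract_first_string( no_xxe => 1, no_xxe => 0 );
printf "default 1, caller 0: %s\n",
    ( defined $overridden && index( $overridden, $secret ) >= 0 )
    ? 'LEAKED again (caller override wins)'
    : 'blocked';
```

Run it as `perl xxe_demo.pl`. The first line reports whether the temporary file's contents reached the cell text through the default XML::Parser external-entity handler, the second whether `no_xxe => 1` stopped that, and the third demonstrates why the position of `no_xxe => 1` relative to `%opts` in the patched constructor matters.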