Bug 1218651 (CVE-2024-22368)

Summary: VUL-0: CVE-2024-22368: perl-Spreadsheet-ParseXLSX: out-of-memory condition during parsing of a crafted XLSX document
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Other
Assignee: Christian Wittmer <chris>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andrea.mattiazzo
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/390449/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-01-09 14:09:37 UTC
The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22368
https://www.cve.org/CVERecord?id=CVE-2024-22368
https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes
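A defensive pre-check for the merged-cell issue described above, added here as an example; it is not code from the Spreadsheet::ParseXLSX project or from the upstream patch. It assumes the relevant measure is the total number of cells covered by <mergeCell> ranges in the worksheet XML and uses an arbitrary cap; the real mitigation remains the fixed package version tracked in this bug.

```perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use Spreadsheet::ParseXLSX;

# Assumed cap (not from the advisory): refuse a file whose <mergeCell>
# ranges cover more cells than this in total across all worksheets.
my $MAX_MERGED_CELLS = 1_000_000;

# Convert an A1-style column label ("A", "XFD") to a 1-based column number.
sub col_to_num {
    my ($label) = @_;
    my $n = 0;
    $n = $n * 26 + (ord($_) - ord('A') + 1) for split //, uc $label;
    return $n;
}

# Number of cells spanned by a range such as "A1:C3" (9) or "B2" (1).
sub range_area {
    my ($ref) = @_;
    my ($c1, $r1, $c2, $r2) = $ref =~ /^([A-Z]+)(\d+)(?::([A-Z]+)(\d+))?$/i or return 0;
    ($c2, $r2) = ($c1, $r1) unless defined $c2;
    return (abs(col_to_num($c2) - col_to_num($c1)) + 1) * (abs($r2 - $r1) + 1);
}

# Sum the merged-cell area over every worksheet part in the package,
# reading only the XML text; nothing is handed to the spreadsheet parser yet.
sub merged_cell_area {
    my ($path) = @_;
    my $zip = Archive::Zip->new;
    die "not a zip container: $path\n" unless $zip->read($path) == AZ_OK;
    my $total = 0;
    for my $member ($zip->membersMatching('^xl/worksheets/sheet\d+\.xml$')) {
        my $xml = $member->contents;
        $total += range_area($1) while $xml =~ /<mergeCell\b[^>]*\bref="([^"]+)"/g;
    }
    return $total;
}

# Parse only after the cheap pre-check passes.
sub parse_guarded {
    my ($path) = @_;
    my $area = merged_cell_area($path);
    die "refusing $path: merged ranges cover $area cells (cap $MAX_MERGED_CELLS)\n"
        if $area > $MAX_MERGED_CELLS;
    return Spreadsheet::ParseXLSX->new->parse($path);
}

my $book = parse_guarded($ARGV[0] // die "usage: $0 file.xlsx\n");
printf "%s: %d worksheet(s), merged-cell check passed\n", $ARGV[0], $book->worksheet_count;
```

Run it as `perl guard.pl untrusted.xlsx`; a rejected file never reaches the parser, so the pre-check bounds memory use regardless of the installed module version.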
Comment 1 Andrea Mattiazzo 2024-01-09 14:19:11 UTC
Patch:
https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/39b25b91fcb939a9c8ea807fdc80386c1ae5be0c

Tracking as affected:
-openSUSE:Backports:SLE-15-SP5

Assigned to maintainer since bugowner of affected package doesn't have a valid bugzilla account
Comment 2 Christian Wittmer 2024-01-15 09:10:57 UTC
It is already updated here:
https://build.opensuse.org/package/show/devel:languages:perl:CPAN-S/perl-Spreadsheet-ParseXLSX
Comment 3 OBSbugzilla Bot 2024-01-15 15:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1218651) was mentioned in
https://build.opensuse.org/request/show/1138859 Backports:SLE-15-SP5 / perl-Spreadsheet-ParseXLSX
https://build.opensuse.org/request/show/1138860 Factory / perl-Spreadsheet-ParseXLSX
Comment 4 OBSbugzilla Bot 2024-01-15 19:35:10 UTC
This is an autogenerated message for OBS integration:
This bug (1218651) was mentioned in
https://build.opensuse.org/request/show/1139009 Factory / perl-Spreadsheet-ParseXLSX
Comment 5 Marcus Meissner 2024-01-16 11:05:31 UTC
openSUSE-SU-2024:0021-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1218651
CVE References: CVE-2024-22368
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    perl-Spreadsheet-ParseXLSX-0.290.0-bp155.2.3.1