Bugzilla – Bug 1218414
VUL-0: CVE-2023-7101: perl-Spreadsheet-ParseExcel: unvalidated input can lead to arbitrary code execution vulnerability
Last modified: 2024-05-17 08:03:09 UTC
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7101
https://github.com/haile01/perl_spreadsheet_excel_rce_poc/tree/main?tab=readme-ov-file
https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171
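An added illustration of the bug class the description refers to (example code, not the module's own): a conditional number-format section such as `[>100]` handled by a string eval, beside a parser that validates the operator and value and never evaluates text taken from the file. The function names and the sample conditions are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration (not Spreadsheet::ParseExcel's own code) of the bug class
# described in this report. An Excel number format may start with a condition
# section such as "[>100]" that decides which sub-format applies to a cell.
# Turning that section into Perl source and running it through a string eval
# means text from the workbook is executed as code.
use strict;
use warnings;

# Unsafe pattern: the condition text is interpolated into code and evaluated.
# Shown only for contrast; it is never called below.
sub condition_matches_unsafe {
    my ( $number, $condition ) = @_;
    my $result = eval "$number $condition";    # string eval over file-controlled text
    return $result ? 1 : 0;
}

# Hardened version: accept only <operator><decimal number>, then dispatch through
# a fixed table of comparison subs. Nothing from the file is treated as code, and
# a condition that fails the grammar is rejected (undef) instead of guessed at.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

sub condition_matches_safe {
    my ( $number, $condition ) = @_;
    my ( $op, $value ) =
        $condition =~ /^\s*(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*$/
        or return;    # invalid condition: caller treats it as "no match"
    return $COMPARE{$op}->( $number, $value ) ? 1 : 0;
}

# Constructed sample conditions: well-formed ones, and one that is not a
# plain comparison and must be rejected by the hardened parser.
my @cases = ( [ 150, '>100' ], [ 50, '>100' ], [ 5, '<>5' ], [ 1, '>100 or 1' ] );
for my $case (@cases) {
    my ( $n, $cond ) = @$case;
    my $safe = condition_matches_safe( $n, $cond );
    printf "%-12s with %-4s -> %s\n", "[$cond]", $n,
        defined $safe ? $safe : 'rejected';
}
```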
Factory submission: https://build.opensuse.org/request/show/1136203
I'll submit the new version to ALP once it's accepted in Factory.
ALP submission: https://build.suse.de/request/show/316819
This is an autogenerated message for OBS integration: This bug (1218414) was mentioned in https://build.opensuse.org/request/show/1136878 Factory / perl-Spreadsheet-ParseExcel
SUSE-SU-2024:0158-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1218414
CVE References: CVE-2023-7101
Sources used:
openSUSE Leap 15.5 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
Basesystem Module 15-SP5 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Real Time 15 SP4 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Manager Proxy 4.3 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Manager Retail Branch Server 4.3 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Manager Server 4.3 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE Enterprise Storage 7.1 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
SUSE CaaS Platform 4.0 (src): perl-Spreadsheet-ParseExcel-0.65-150000.3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.