Bugzilla – Bug 1218651
VUL-0: CVE-2024-22368: perl-Spreadsheet-ParseXLSX: out-of-memory condition during parsing of a crafted XLSX document
Last modified: 2024-01-16 11:05:31 UTC
The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22368 https://www.cve.org/CVERecord?id=CVE-2024-22368 https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes
Patch: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/39b25b91fcb939a9c8ea807fdc80386c1ae5be0c Tracking as affected: -openSUSE:Backports:SLE-15-SP5 Assigned to maintainer since bugowner of affected package doesn't have a valid bugzilla account
It is already updated here: https://build.opensuse.org/package/show/devel:languages:perl:CPAN-S/perl-Spreadsheet-ParseXLSX
This is an autogenerated message for OBS integration: This bug (1218651) was mentioned in https://build.opensuse.org/request/show/1138859 Backports:SLE-15-SP5 / perl-Spreadsheet-ParseXLSX https://build.opensuse.org/request/show/1138860 Factory / perl-Spreadsheet-ParseXLSX
This is an autogenerated message for OBS integration: This bug (1218651) was mentioned in https://build.opensuse.org/request/show/1139009 Factory / perl-Spreadsheet-ParseXLSX
openSUSE-SU-2024:0021-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1218651 CVE References: CVE-2024-22368 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): perl-Spreadsheet-ParseXLSX-0.290.0-bp155.2.3.1