Created attachment 186152
Freexl 1.0.4

The Cisco Talos team reported two sensitive security issues affecting FreeXL-1.0.3 and any previous version.

"A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability."

Freexl-1.0.4 fixes both issues.

---

It's an easy patch. I have fixed the MPL license.

Poudriere 10, 11 i386/amd64 OK
portlint OK
I'm testing the update, will not take long.

You mention security issues in your submission. Do you have a pointer to some advisory? In fact you should also provide a diff to security/vuxml with the details of the vulnerabilities being addressed. How to do this is described here:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/security-notify.html

It just requires you to fill a few fields in an XML file. Can you submit such a diff in addition to the patch?

Thanks in advance.
Here are some links:

https://www.gaia-gis.it/fossil/freexl/info/40c17539ea56f0d8
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431

I will try to prepare the vuxml. Thanks.
Created attachment 187140
VUXML freexl 1.0.3
A commit references this bug:

Author: madpilot
Date: Sat Oct 14 10:46:25 UTC 2017
New revision: 452053
URL: https://svnweb.freebsd.org/changeset/ports/452053

Log:
  Document textproc/freexl security vulnerabilities.

  PR: 222130
  Submitted by: lbartoletti@tuxfamily.org (maintainer)

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: madpilot
Date: Sat Oct 14 10:49:28 UTC 2017
New revision: 452054
URL: https://svnweb.freebsd.org/changeset/ports/452054

Log:
  Update textproc/freexl to 1.0.4

  PR: 222130
  Submitted by: lbartoletti@tuxfamily.org (maintainer)
  MFH: 2017Q4
  Security: 555cd806-b031-11e7-a369-14dae9d59f67

Changes:
  head/textproc/freexl/Makefile
  head/textproc/freexl/distinfo
Committed, waiting for merge before closing.

I modified the vuxml entry slightly. Looking at the source of the software it looks like the vulnerable code has always been present, so I made it mark all previous versions as vulnerable. I also added URLs to the TALOS advisories, also because the CVE ones seem to have been allocated but still not filled out with actual data.
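For readers unfamiliar with the vuxml file the two comments above refer to, here is an added illustration of such an entry, populated with the details this PR records (the vid from r452054, a range that marks every version before 1.0.4 as affected, and the two TALOS advisory URLs). It is not the entry actually committed in r452053; the discovery date is a placeholder because the thread does not give one, and no CVE ids are listed because the thread notes they were not yet filled out.

```xml
<vuln vid="555cd806-b031-11e7-a369-14dae9d59f67">
  <topic>freexl -- multiple memory corruption vulnerabilities</topic>
  <affects>
    <package>
      <name>freexl</name>
      <!-- "all previous versions vulnerable": no lower bound, fixed in 1.0.4 -->
      <range><lt>1.0.4</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Cisco Talos team reports:</p>
      <blockquote cite="https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430">
        <p>A specially crafted XLS file can cause a memory corruption
          resulting in remote code execution. An attacker can send
          malicious XLS file to trigger this vulnerability.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <!-- CVE ids omitted: allocated but not yet populated when this PR was handled -->
    <url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430</url>
    <url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431</url>
    <url>https://www.gaia-gis.it/fossil/freexl/info/40c17539ea56f0d8</url>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery> <!-- placeholder: not stated in this PR -->
    <entry>2017-10-14</entry>
  </dates>
</vuln>
```

After adding an entry to vuln.xml, `make validate` in security/vuxml checks it against the DTD before the diff is submitted.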
A commit references this bug:

Author: madpilot
Date: Mon Oct 23 13:23:24 UTC 2017
New revision: 452709
URL: https://svnweb.freebsd.org/changeset/ports/452709

Log:
  MFH: r452054

  Update textproc/freexl to 1.0.4

  PR: 222130
  Submitted by: lbartoletti@tuxfamily.org (maintainer)
  Security: 555cd806-b031-11e7-a369-14dae9d59f67
  Approved by: ports-secteam (swills)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/textproc/freexl/Makefile
  branches/2017Q4/textproc/freexl/distinfo
Merged to quarterly. Thanks!