CVE-2023-7101 #33
Comments
Here's a quick fix for the code injection bug. 0day.patch.txt
The problem here is not just the use of subprocesses. The problem is that on line 81 it accepts any content, rather than selecting the specific types of expressions that it is meant to support.
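The point made in the comment above, as an added example (not code from Spreadsheet::ParseExcel or from the fix discussed in this thread): rather than evaluating whatever text arrives, match it against a fixed grammar and dispatch to code refs. The grammar used here (a comparison operator followed by a number) and the name `parse_condition` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist of comparison operators, each mapped to a code ref, so no
# input text is ever handed to string eval.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# Hypothetical helper: accept "<operator><number>" and nothing else.
# Returns a closure that tests a value, or undef if the text is rejected.
sub parse_condition {
    my ($text) = @_;
    return unless defined $text;

    # \A and \z anchor the whole string; a bare '$' would still allow a
    # trailing newline after the number.
    my ($op, $num) = $text =~ /\A(<=|>=|<>|<|>|=)([+-]?\d+(?:\.\d+)?)\z/
        or return;

    my $cmp = $COMPARE{$op};
    return sub { $cmp->($_[0], $num) };
}

# Constructed sample inputs: two well-formed conditions, then two that
# fall outside the grammar and must be rejected.
for my $text ('>=100', '<-2.5', '>1+1', "=5\n") {
    my $test = parse_condition($text);
    (my $shown = $text) =~ s/\n/\\n/g;
    if ($test) {
        printf "%-8s accepted; matches 150? %s\n",
            $shown, $test->(150) ? 'yes' : 'no';
    }
    else {
        printf "%-8s rejected\n", $shown;
    }
}
```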
jmcnamara#8 has a proper fix
I moved the PR to this repo ( #34 ), since I had created it in the original that is no longer valid.
@ruoso Apologies for the run-around but I have reopened my version of Spreadsheet::ParseExcel and rebased it to this version. I will accept your pull request there and I will be able to release it. Could you submit a copy of the PR there? Your previous version was lost in the archive or rebase.
@ruoso never mind. I applied your PR as a patch and tested it. Thanks.
0.66 December 29 2023 ! Fix for CVE-2023-7101 runrig/spreadsheet-parseexcel#33
@carnil Could you close this issue since the maintainer is unlikely to close it?
Recently CVE-2023-7101 appeared in the CVE feeds from MITRE:
https://www.cve.org/CVERecord?id=CVE-2023-7101
with some details in https://github.com/haile01/perl_spreadsheet_excel_rce_poc