
CVE-2023-7101 #33

Closed
carnil opened this issue Dec 25, 2023 · 7 comments · May be fixed by #34

Comments

carnil commented Dec 25, 2023

Recently CVE-2023-7101 appeared in the CVE feeds from MITRE:

https://www.cve.org/CVERecord?id=CVE-2023-7101

with some details in https://github.com/haile01/perl_spreadsheet_excel_rce_poc

MichaelDaum commented Dec 28, 2023

Here's a quick fix for the code injection bug. 0day.patch.txt

ruoso commented Dec 28, 2023

The problem here is not just the use of subprocesses. The problem is that on line 81 it accepts any content, rather than selecting the specific types of expressions that it is meant to support.
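
An added example (not code from this thread or from Spreadsheet::ParseExcel) of the allowlist approach ruoso describes: a conditional number-format section such as `[>100]` is matched against the few supported comparison forms and dispatched through a fixed operator table, so no user-controlled text ever reaches a string eval. The function name, the operator set and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlisted comparison operators for Excel conditional sections such
# as "[>100]" or "[<=5]". Each maps to a closure, so the operator text
# from the file is never interpolated into code.
my %COMPARE = (
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
);

# Returns 1 if $value satisfies the condition text, 0 if it does not,
# and undef when the condition is not one of the supported forms.
sub condition_matches {
    my ( $value, $condition ) = @_;

    # Only "[<op><number>]" with an allowlisted operator and a plain
    # decimal literal is accepted; anything else is rejected instead
    # of being handed to the interpreter. (Scientific notation is
    # deliberately not supported by this illustration.)
    return
        unless $condition =~ /\A\[ (<>|<=|>=|<|>|=) ([-+]?(?:\d+\.?\d*|\.\d+)) \]\z/x;
    my ( $op, $num ) = ( $1, $2 );
    return $COMPARE{$op}->( $value, $num ) ? 1 : 0;
}

# Constructed sample inputs: well-formed conditions, then conditions
# carrying an expression or a variable instead of a numeric literal.
die "expected match"    unless condition_matches( 150, '[>100]' ) == 1;
die "expected match"    unless condition_matches( 5,   '[<=5]' )  == 1;
die "expected no match" unless condition_matches( 2,   '[<>2]' )  == 0;
die "expected reject"   if defined condition_matches( 1, '[>2*3]' );
die "expected reject"   if defined condition_matches( 1, '[>$x]' );
die "expected reject"   if defined condition_matches( 1, '[>1e3]' );
print "all conditions handled without eval\n";
```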

ruoso commented Dec 28, 2023

jmcnamara#8 has a proper fix

ruoso commented Dec 28, 2023

I moved the PR to this repo ( #34 ), since I had created it in the original that is no longer valid.

@jmcnamara
@ruoso Apologies for the run-around, but I have reopened my version of Spreadsheet::ParseExcel and rebased it to this version. I will accept your pull request there and I will be able to release it. Could you submit a copy of the PR there? Your previous version was lost in the archive or rebase.

https://github.com/jmcnamara/spreadsheet-parseexcel

@jmcnamara
@ruoso never mind. I applied your PR as a patch and tested it. Thanks.

jmcnamara@bd31592

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Dec 29, 2023

@jmcnamara

@carnil Could you close this issue since the maintainer is unlikely to close it.

carnil closed this as completed Feb 6, 2024