Debian 10169 Published by

The following security updates have been released for Debian GNU/Linux:

ELA-1025-1 libreoffice security update
[DSA 5592-1] libspreadsheet-parseexcel-perl security update
[DLA 3702-1] libspreadsheet-parseexcel-perl security update
[DLA 3701-1] tinyxml security update
[DLA 3700-1] cjson security update
[DLA 3699-1] libde265 security update




ELA-1025-1 libreoffice security update

Package : libreoffice
Version : 1:6.1.5-3~deb9u2 (stretch)

Related CVEs :
CVE-2020-12801
CVE-2020-12802
CVE-2020-12803
CVE-2023-6185
CVE-2023-6186

Multiple vulnerabilities have been discovered in LibreOffice an
office productivity software suite:

CVE-2020-12801:
If LibreOffice has an encrypted document
open and crashes, that document is auto-saved encrypted.
On restart, LibreOffice offers to restore the document
and prompts for the password to decrypt it. If the recovery
is successful, and if the file format of the recovered document
was not LibreOffice's default ODF file format, then affected versions
of LibreOffice default that subsequent saves of the document
are unencrypted. This may lead to a user accidentally saving
a MSOffice file format document unencrypted while believing
it to be encrypted.

CVE-2020-12802:
LibreOffice has a 'stealth mode' in which only
documents from locations deemed 'trusted' are allowed to
retrieve remote resources. This mode is not the default mode,
but can be enabled by users who want to disable LibreOffice's ability
to include remote resources within a document. A flaw existed
where remote graphic links loaded from docx documents were omitted
from this protection.

CVE-2020-12803:
ODF documents can contain forms to be
filled out by the user. Similar to HTML forms, the contained
form data can be submitted to a URI, for example, to an external
web server. To create submittable forms, ODF implements the
XForms W3C standard, which allows data to be submitted without
the need for macros or other active scripting. LibreOffice allowed
forms to be submitted to any URI, including file: URIs, enabling
form submissions to overwrite local files. User-interaction
is required to submit the form, but to avoid the possibility
of malicious documents engineered to maximize the possibility of
inadvertent user submission this feature has now been limited to
http[s] URIs, removing the possibility to overwrite local files.

CVE-2023-6185
An Improper Input Validation vulnerability
was found in GStreamer integration of The Document
Foundation LibreOffice allows an attacker to execute arbitrary
GStreamer plugins. In affected versions the filename of the
embedded video is not sufficiently escaped when passed to
GStreamer enabling an attacker to run arbitrary
gstreamer plugins depending on what plugins are installed
on the target system.

Fix CVE-2023-6186
LibreOffice supports hyperlinks.
In addition to the typical common protocols such as
http/https hyperlinks can also have target URLs that
can launch built-in macros or dispatch built-in
internal commands. In affected version of LibreOffice
there are scenarios where these can be executed without warning
if the user activates such hyperlinks. In later versions
the users's explicit macro execution permissions
for the document are now consulted if these non-typical
hyperlinks can be executed. The possibility to use these
variants of hyperlink targets for floating frames has been removed.

ELA-1025-1 libreoffice security update


[DSA 5592-1] libspreadsheet-parseexcel-perl security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5592-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 30, 2023 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libspreadsheet-parseexcel-perl
CVE ID : CVE-2023-7101
Debian Bug : 1059450

It was discovered that missing input sanitising in
libspreadsheet-parseexcel-perl, a Perl module to access information from
Excel Spreadsheets, may result in the execution of arbitrary commands if
a specially crafted document file is processed.

For the oldstable distribution (bullseye), this problem has been fixed
in version 0.6500-1.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 0.6500-4~deb12u1.

We recommend that you upgrade your libspreadsheet-parseexcel-perl packages.

For the detailed security status of libspreadsheet-parseexcel-perl
please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libspreadsheet-parseexcel-perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3702-1] libspreadsheet-parseexcel-perl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3702-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 31, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libspreadsheet-parseexcel-perl
Version : 0.6500-1+deb10u1
CVE ID : CVE-2023-7101
Debian Bug : 1059450

Le Dinh Hai discovered that libspreadsheet-parseexcel-perl, a Perl
module allowing information extraction from Excel spreadsheets,
improperly sanitizes directives in dynamically evaluated code.

Attackers can exploit this vulnerability by using specially crafted
Number format strings within XLS and XLSX files, triggering the
execution of arbitrary code during the parsing process.

For Debian 10 buster, this problem has been fixed in version
0.6500-1+deb10u1.

We recommend that you upgrade your libspreadsheet-parseexcel-perl packages.

For the detailed security status of libspreadsheet-parseexcel-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libspreadsheet-parseexcel-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3701-1] tinyxml security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3701-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 31, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tinyxml
Version : 2.6.2-4+deb10u2
CVE ID : CVE-2023-34194 CVE-2023-40462
Debian Bug : 1059315

A reachable assertion issue has been discovered in tinyxml, a C++ XML
parsing library, which could lead to denial of service via a crafted XML
document with a '\0' located after whitespace.

For Debian 10 buster, these problems have been fixed in version
2.6.2-4+deb10u2.

We recommend that you upgrade your tinyxml packages.

For the detailed security status of tinyxml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tinyxml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3700-1] cjson security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3700-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
December 30, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : cjson
Version : 1.7.10-1.1+deb10u2
CVE ID : CVE-2023-50471

An issue has been found in cjson, an ultralightweight JSON parser in ANSI
C. The issue is related to a segmentation violation in function
cJSON_InsertItemInArray().

For Debian 10 buster, this problem has been fixed in version
1.7.10-1.1+deb10u2.

We recommend that you upgrade your cjson packages.

For the detailed security status of cjson please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cjson

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3699-1] libde265 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3699-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
December 30, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libde265
Version : 1.0.11-0+deb10u6
CVE ID : CVE-2023-49465 CVE-2023-49467 CVE-2023-49468

Three issues have been found in libde265, an open H.265 video codec
implementation. All issues are related to heap-buffer-overflow or global
buffer overflow in different functions.

For Debian 10 buster, these problems have been fixed in version
1.0.11-0+deb10u6.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS