CVE-2024-23525

NameCVE-2024-23525
DescriptionThe Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3723-1
Debian Bugs1061098

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libspreadsheet-parsexlsx-perl (PTS)buster0.27-2vulnerable
buster (security)0.27-2+deb10u1fixed
bullseye0.27-2.1+deb11u2fixed
bookworm0.27-3+deb12u2fixed
sid, trixie0.35-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libspreadsheet-parsexlsx-perlsourcebuster0.27-2+deb10u1DLA-3723-1
libspreadsheet-parsexlsx-perlsourcebullseye0.27-2.1+deb11u2
libspreadsheet-parsexlsx-perlsourcebookworm0.27-3+deb12u2
libspreadsheet-parsexlsx-perlsource(unstable)0.31-11061098

Notes

https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a
https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
Isolated changes: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/1d55f90caf433c7442e5be21a1849af2b5522ffe#diff-0702489aae2d242fa44a345ab28b021c884c51a87ba376b835f44e3474dc2385L1175-L1180 (0.30)
Search for package or bug name: Reporting problems