Multiple vulnerabilities in freexl 1.0.0

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

For utopic and trusty in principle a sync from debian jessie would be
fine. Should I just take a debfdiff from that version and use the same
version number as in debian or should I use ubuntu version number?

For vivid we will need our own version.

Attached is a debdiff for ubuntu vivid, using the same patch as the bugfix for debian jessie (no refresh needed).

Debdiff for trusty/utopic (only target must change).

This is exactly the same version uploaded to debian jessie - only the changelog has been adapted to the ubuntu template.

Thanks. For trusty and utopic the versioning as well as the target needs to differ slightly to ensure that people upgrading from trusty to utopic get the utopic version installed (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging for details). I'll adjust the versions to 1.0.0g-1ubuntu0.14.04.1 and 1.0.0g-1ubuntu0.14.10.1 locally.

The patch also addresses CVE-2015-2776 (as discussed in the thread on oss-security referred to above), though it's not mentioned in the changelog. Annotating so that it doesn't get lost.

This bug was fixed in the package freexl - 1.0.0g-1ubuntu0.14.10.1

---------------
freexl (1.0.0g-1ubuntu0.14.10.1) utopic-security; urgency=high

   * SECURITY UPDATE: Fix multiple vulnerabilities allowing denial of service
     or possibly execute arbitrary code (LP: #1437087):
     - CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) or possibly execute arbitrary code
       via a crafted sector in a workbook.
     - CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) and possibly execute arbitrary code
       via a crafted workbook, related to a "premature EOF."
 -- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 22:47:20 +0200

This bug was fixed in the package freexl - 1.0.0g-1ubuntu0.14.04.1

---------------
freexl (1.0.0g-1ubuntu0.14.04.1) trusty-security; urgency=high

   * SECURITY UPDATE: Fix multiple vulnerabilities allowing denial of service
     or possibly execute arbitrary code (LP: #1437087):
     - CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) or possibly execute arbitrary code
       via a crafted sector in a workbook.
     - CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
       denial of service (stack corruption) and possibly execute arbitrary code
       via a crafted workbook, related to a "premature EOF."
 -- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 22:47:20 +0200

Still needs to be fixed in vivid (waiting on sponsorship), reopening.

This bug was fixed in the package freexl - 1.0.0h-1~exp1ubuntu1

---------------
freexl (1.0.0h-1~exp1ubuntu1) vivid; urgency=high

  * SECURITY UPDATE: Fix multiple vulnerabilities (LP: #1437087):
    - CVE 2015-2753: FreeXL before 1.0.0i allows remote attackers to cause a
      denial of service (stack corruption) or possibly execute arbitrary code
      via a crafted sector in a workbook.
    - CVE 2015-2754: FreeXL before 1.0.0i allows remote attackers to cause a
      denial of service (stack corruption) and possibly execute arbitrary code
      via a crafted workbook, related to a "premature EOF."
 -- Johan Van de Wauw <email address hidden> Fri, 03 Apr 2015 21:55:42 +0200

This fix for this issue caused a regression as discussed on the debian-gis list:

 https://lists.debian.org/debian-gis/2015/11/msg00013.html

In Debian this has been fixed for jessie in freexl (1.0.0g-1+deb8u3) and wheezy in freexl (1.0.0b-1+deb7u3).

Ubuntu needs the same regression fix for trusty & vivid.

I've prepared updates for the Ubuntu packages in git:

 http://anonscm.debian.org/cgit/pkg-grass/freexl.git/?h=ubuntu/trusty
 http://anonscm.debian.org/cgit/pkg-grass/freexl.git/?h=ubuntu/vivid

Besides the fix for the regression introduced by afl-vulnerabilitities.patch, they also contain 32bit-multiplication-overflow.patch that was included in freexl (1.0.0g-1+deb8u2) for jessie-security and freexl (1.0.0b-1+deb7u2) for wheezy-security. 32bit-multiplication-overflow.patch was backported from FreeXL 1.0.2 and already included in wily & xenial.

The Debian Security Team just released: [DSA 3208-2] freexl regression update
https://lists.debian.org/debian-security-announce/2015/msg00302.html

The regression is tracked in Bug #1516257