An issue was discoverered in in function xls_getWorkSheet in xls.c in libxls 1.6.2, allows attackers to cause a denial of service, via a crafted XLS file.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libxls | Libxls_project | 1.6.2 (including) | 1.6.2 (including) |
| R-cran-readxl | Ubuntu | bionic | * |
| R-cran-readxl | Ubuntu | focal | * |
| R-cran-readxl | Ubuntu | hirsute | * |
| R-cran-readxl | Ubuntu | impish | * |
| R-cran-readxl | Ubuntu | kinetic | * |
| R-cran-readxl | Ubuntu | lunar | * |
| R-cran-readxl | Ubuntu | mantic | * |
| R-cran-readxl | Ubuntu | oracular | * |
| R-cran-readxl | Ubuntu | plucky | * |
| R-cran-readxl | Ubuntu | trusty | * |
| R-cran-readxl | Ubuntu | xenial | * |
Potential Mitigations
References
- https://github.com/libxls/libxls/issues/94
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5D7XXCVFYRRMI4ENXYSD3MZEBS6SMI7E/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFOE4Z6T46LA47VXWUVET4ELXRZQ3BWB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y6XOTFEOCHYKZAFCB6H3KNIIFJ3UFV7V/
- https://github.com/libxls/libxls/issues/94
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5D7XXCVFYRRMI4ENXYSD3MZEBS6SMI7E/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFOE4Z6T46LA47VXWUVET4ELXRZQ3BWB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y6XOTFEOCHYKZAFCB6H3KNIIFJ3UFV7V/