Mark,

On 31 May 2024 at 22:33, Voorhies, Mark wrote:
| Package: r-cran-gdata
| Version: 2.18.0.1-1
| Severity: normal
| 
| Dear Maintainer,
| 
| I believe r-cran-gdata 2.18.0.1-1 in Debian 12 is vulnerable to CVE-2023-7101
| due to shipping a copy of Utility.pm from Spreadsheet::ParseExcel that uses
| string eval for conditional formatting.
| C.f. this patch:
| https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc
| referenced from the Debian CVE page:
| https://security-tracker.debian.org/tracker/CVE-2023-7101
| 
| This vulnerability is patched in the version of Utility.pm in libspreadsheet-parseexcel-perl
| and the vulnerability does not exist in r-cran-gdata as of 3.0.0-1 (currently in testing and unstable)
| due to the affected perl modules being dropped from the upstream code.
| 
| I don't know if there are any actual code paths in gdata's use of Spreadsheet::ParseExcel that
| would trigger the vulnerability.
| 
| So, this _is_ fixed in the Debian gdata package as of testing, but I'm reporting it in case the
| CVE should prompt a security patch for stable.

Package maintainer here: There is actually little I can do (and as you state,
we are in the green for the current package). We generally inject new and
updated packages in 'unstable'; if they behave they migrate to 'testing', and
every two or so years a release is cut.

If you think this needs the attention of the release or security teams you should
probably try to contact them.

Cheers, Dirk

| Thank you for your time,
| 
| Mark
| 
| -- System Information:
| Debian Release: 12.5
|   APT prefers stable-updates
|   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
| Architecture: amd64 (x86_64)
| 
| Kernel: Linux 6.1.0-21-amd64 (SMP w/4 CPU threads; PREEMPT)
| Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
| Shell: /bin/sh linked to /usr/bin/dash
| Init: systemd (via /run/systemd/system)
| LSM: AppArmor: enabled
| 
| Versions of packages r-cran-gdata depends on:
| ii  r-base-core [r-api-4.0]  4.2.2.20221110-2
| ii  r-cran-gtools            3.9.4-1
| 
| r-cran-gdata recommends no packages.
| 
| r-cran-gdata suggests no packages.
| 
| -- no debconf information

-- 
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
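As an added illustration, not code from r-cran-gdata, Spreadsheet::ParseExcel, or either correspondent: the class of bug the report describes is a number-format condition (the bracketed part of a format such as "[<100]0.00") that comes from the spreadsheet itself being turned into Perl source and passed to string eval. The sketch below shows that shape next to the defensive form, which accepts only the comparison operators a format condition can carry, requires a plain numeric literal, and dispatches to real comparisons, rejecting anything else instead of falling back to eval. The function names, the exact condition syntax accepted and the sample inputs are constructed assumptions and are not taken from Utility.pm or the linked commit.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed scenario: $cond is the text between the brackets of a cell's
# number format, e.g. "<100" or ">=0". It is read from the workbook being
# parsed, so it is untrusted input.

# Unsafe shape (hypothetical, for contrast only; never called below):
# the condition is spliced into Perl source and string-eval'd, so any text
# that parses as Perl inside the brackets runs with the parser's privileges.
sub cond_matches_unsafe {
    my ($value, $cond) = @_;
    return eval "$value $cond";    # string eval on attacker-controlled text
}

# Hardened shape: a closed set of operators, each bound to a real comparison.
my %compare = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

sub cond_matches_safe {
    my ($value, $cond) = @_;
    # Accept exactly: optional spaces, one known operator, optional spaces,
    # one decimal numeric literal, end of string. Longer operators are listed
    # first in the alternation so "<=" is not read as "<" followed by junk.
    if ($cond =~ /^\s*(<=|>=|<>|<|>|=)\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)\s*$/) {
        my ($op, $num) = ($1, $2);
        return $compare{$op}->($value, $num) ? 1 : 0;
    }
    # Anything else is malformed: refuse it, do not try to "interpret" it.
    die "rejected malformed format condition: [$cond]\n";
}

# Demo with constructed conditions against the cell value 42.
for my $c ('<100', '>= 50', '<>0') {
    printf "%-6s => %s\n", $c, cond_matches_safe(42, $c) ? 'match' : 'no match';
}

# A condition that is not a plain comparison is rejected rather than executed.
my $not_a_comparison = '<100; some_other_perl_code()';
eval { cond_matches_safe(42, $not_a_comparison) };
print "rejected: $@" if $@;
```

Running the block prints match / no match / match for the three well-formed conditions and then the rejection message for the fourth; the point for a reviewer of code like Utility.pm is that the safe version has no code path in which format text reaches the Perl interpreter, so the question raised in the report (whether gdata's usage ever reaches the eval) stops mattering.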
