Researchers warned Monday of two remote code execution vulnerabilities in an open source C library that could let an attacker execute code with local user privileges.
The library, FreeXL, was updated last week to fix the issues. It allows users to extract valid data from within an Excel (.xls) spreadsheet and is used by the SpatiaLite open source library, an SQLite database engine with Spatial functions added.
Both issues affected the latest version (1.0.3) of the library and were fairly serious, both receiving a CVSS 3.0 score of 8.8.
Both vulnerabilities can be triggered if a victim opened a malicious XLS file with an application using the library, according to Marcin Noga, a senior research engineer based in Poland with Cisco Talos who identified the bugs. Both of the bugs are heap based buffer overflow vulnerabilities. One exists in the library’s read_biff_next_record function and the other in its read_legacy_biff function.
Conditions have to be in place to exploit each bug however.
The read_biff_next_record function vulnerability only occurs when the BIFF record side is bigger than the workbook->record field in the read_biff_next_record function. The vulnerability in the read_legacy_biff function only occurs if it parses the DIMENSION record filled with data from a malicious XLS file.
Both bugs can result in the overwriting of large parts of memory, something which could lead to a crash, or the execution of code by “overwriting critical control flow structures,” according to Noga.
According to FreeXL’s timeline of commits, it appears Alessandro Furieri, the developer and maintainer of the library pushed fixes to remedy both issues last week. It was a relatively quick turnaround for Furieri. Cisco reports it informed the developer on Sept. 6. According to FreeXL’s website an update, version 1.0.4, arrived the very next day, Sept. 7.