Candidate: CVE-2017-2923
PublicDate: 2018-04-24 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2923
 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430
Description:
 An exploitable heap based buffer overflow vulnerability exists in the
 'read_biff_next_record function' of FreeXL 1.0.3. A specially crafted XLS
 file can cause a memory corruption resulting in remote code execution. An
 attacker can send malicious XLS file to trigger this vulnerability.
Ubuntu-Description:
 It was discovered that FreeXL did not properly handle certain input, resulting
 in a beap-based buffer overflow. If a user were tricked into opening a malicious
 Excel spreadsheet, an attacker could execute arbitrary code.
Notes:
Bugs:
Priority: medium
Discovered-by: Marcin Noga
Assigned-to: mikesalvatore
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_freexl:
upstream_freexl: released (1.0.0g-1+deb8u5, 1.0.2-2+deb9u2)
precise/esm_freexl: DNE
trusty_freexl: released (1.0.0g-1ubuntu0.14.04.3)
trusty/esm_freexl: released (1.0.0g-1ubuntu0.14.04.3)

vivid/ubuntu-core_freexl: DNE
xenial_freexl: released (1.0.2-1ubuntu0.1)

zesty_freexl: released (1.0.2-2+deb9u1build0.17.04.1)
artful_freexl: ignored (reached end-of-life)
bionic_freexl: not-affected (1.0.5-1)
devel_freexl: not-affected (1.0.5-3)