
Extension:DataTransfer uses vulnerable version of `phpoffice/phpspreadsheet`
Closed, ResolvedPublicSecurity

Description

The master branch of Extension:DataTransfer requires version 1.19.0 of `phpoffice/phpspreadsheet`. Running `composer audit` reports:

Found 2 security vulnerability advisories affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| CVE               | CVE-2024-45048                                                                   |
| Title             | XXE in PHPSpreadsheet encoding is returned                                       |
| URL               | https://github.com/advisories/GHSA-ghg6-32f9-2jp7                                |
| Affected versions | >=2.0.0,<2.1.1|>=2.2.0,<2.2.1|<1.29.1                                            |
| Reported at       | 2024-08-29T17:58:27+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| CVE               | CVE-2024-45046                                                                   |
| Title             | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style       |
|                   | information                                                                      |
| URL               | https://github.com/advisories/GHSA-wgmf-q9vr-vww6                                |
| Affected versions | <1.29.1|>=2.0.0,<2.1.0                                                           |
| Reported at       | 2024-08-29T17:56:56+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Solution: Bump to version 1.29.1
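As an added example (not part of this task or of the extension's own code), the following Python check evaluates a pinned version against the affected-version ranges quoted in the `composer audit` output above; it covers the 2.x ranges as well, not only the 1.19.0 case, so it can be reused for any candidate bump.

```python
import re

# Affected-version constraints copied from the composer audit output above.
ADVISORIES = {
    "CVE-2024-45048": ">=2.0.0,<2.1.1|>=2.2.0,<2.2.1|<1.29.1",
    "CVE-2024-45046": "<1.29.1|>=2.0.0,<2.1.0",
}

_CMP = re.compile(r"^(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)$")


def _parse_version(v):
    # Turn "1.29.1" into (1, 29, 1); pad shorter versions so tuples compare cleanly.
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def _satisfies(version, comparator):
    # Evaluate one comparator such as ">=2.0.0" or "<1.29.1" against `version`.
    m = _CMP.match(comparator.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {comparator!r}")
    op, bound = m.group(1) or "=", _parse_version(m.group(2))
    v = _parse_version(version)
    return {
        ">=": v >= bound, "<=": v <= bound,
        ">": v > bound, "<": v < bound, "=": v == bound,
    }[op]


def is_affected(version, constraint):
    """True if `version` falls inside any '|'-separated range of `constraint`.

    Within a range, ','-separated comparators must all hold (AND); ranges are OR-ed,
    which is how the audit output above expresses its affected versions.
    """
    return any(
        all(_satisfies(version, c) for c in rng.split(","))
        for rng in constraint.split("|")
    )


def affecting_advisories(version):
    """Return the advisory IDs from ADVISORIES whose ranges include `version`."""
    return sorted(cve for cve, rng in ADVISORIES.items() if is_affected(version, rng))


if __name__ == "__main__":
    for v in ("1.19.0", "1.29.1", "2.1.0", "2.2.0"):
        print(v, affecting_advisories(v) or "not affected")
```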

Current maintainer of this extension: @Yaron_Koren

Details

Risk Rating
Low
Author Affiliation
Other (Please specify in description)

Event Timeline

Created patch https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1074761

I could not spot any incompatibilities of 1.29.1 with the way the library is used in this extension.

It would be nice to have this as a tag release and to have it cherry-picked to REL1_39 as well.

Yaron_Koren claimed this task.

Done! Thank you for the patch. Feel free to cherry-pick it to whatever branches you want, and I will approve it.

Change #1075048 merged by jenkins-bot:

[mediawiki/extensions/DataTransfer@REL1_39] Bump library version

https://gerrit.wikimedia.org/r/1075048

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.