CVE-2023-34795

Vulnerability

The vulnerability exists in xlsxioread_sheetlist_close() in xlsxio library versions v0.1.2 through v0.2.34 [1][2]. When xlsxioread_sheetlist_open() fails to open the zip file (e.g., with a malformed XLSX), it returns a xlsxio_read_sheetlist_struct object with the xmlparser field left uninitialized [1]. Subsequently, calling xlsxioread_sheetlist_close() passes this uninitialized pointer to XML_ParserFree(), leading to a free of uninitialized pointer [1].

Exploitation

An attacker can trigger this vulnerability by providing a crafted XLSX file that causes XML_Char_openzip() to fail [1]. No authentication is required; the attacker only needs to convince a user or application using xlsxio to process the malicious file. The crash occurs during the xlsxioread_sheetlist_close() call [1].

Impact

A successful exploit results in a denial of service (DoS) via program crash. The reference also notes potential remote code execution (RCE) if the attacker can control the uninitialized pointer to hijack function pointers via use-after-free [1][2]. The impact thus ranges from DoS to possible arbitrary code execution depending on environment and heap layout.

Mitigation

The issue was fixed in commit d653f1604b54532f11b45dca1fa164b4a1f15e2d [3], which initializes result->xmlparser = NULL before the conditional [3]. The fix is part of version v0.2.35 [2]. Users should upgrade to v0.2.35 or apply the patch directly. No workarounds are documented for unpatched versions.