Version in base suite: 0.6500-1.1 Base version: libspreadsheet-parseexcel-perl_0.6500-1.1 Target version: libspreadsheet-parseexcel-perl_0.6500-1.1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libs/libspreadsheet-parseexcel-perl/libspreadsheet-parseexcel-perl_0.6500-1.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libs/libspreadsheet-parseexcel-perl/libspreadsheet-parseexcel-perl_0.6500-1.1+deb11u1.dsc changelog | 8 + patches/Do-not-use-string-eval-for-conditional-formatting.patch | 64 ++++++++++ patches/series | 1 3 files changed, 73 insertions(+)
diff -Nru libspreadsheet-parseexcel-perl-0.6500/debian/changelog libspreadsheet-parseexcel-perl-0.6500/debian/changelog
--- libspreadsheet-parseexcel-perl-0.6500/debian/changelog 2020-12-28 12:10:05.000000000 +0000
+++ libspreadsheet-parseexcel-perl-0.6500/debian/changelog 2023-12-30 12:59:46.000000000 +0000
@@ -1,3 +1,11 @@
+libspreadsheet-parseexcel-perl (0.6500-1.1+deb11u1) bullseye-security; urgency=high
+
+ * Team upload.
+ * Do not use string eval for conditional formatting (CVE-2023-7101)
+ (Closes: #1059450)
+
+ -- Salvatore Bonaccorso Sat, 30 Dec 2023 13:59:46 +0100
+
 libspreadsheet-parseexcel-perl (0.6500-1.1) unstable; urgency=medium
 
 * Non maintainer upload by the Reproducible Builds team.
diff -Nru libspreadsheet-parseexcel-perl-0.6500/debian/patches/Do-not-use-string-eval-for-conditional-formatting.patch libspreadsheet-parseexcel-perl-0.6500/debian/patches/Do-not-use-string-eval-for-conditional-formatting.patch
--- libspreadsheet-parseexcel-perl-0.6500/debian/patches/Do-not-use-string-eval-for-conditional-formatting.patch 1970-01-01 00:00:00.000000000 +0000
+++ libspreadsheet-parseexcel-perl-0.6500/debian/patches/Do-not-use-string-eval-for-conditional-formatting.patch 2023-12-30 12:59:46.000000000 +0000
@@ -0,0 +1,64 @@
+From: Daniel Ruoso
+Date: Thu, 28 Dec 2023 11:56:10 -0500
+Subject: Do not use string eval for conditional formatting
+Origin: https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc
+Bug-Debian: https://bugs.debian.org/1059450
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-7101
+
+---
+ lib/Spreadsheet/ParseExcel/Utility.pm | 31 +++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/lib/Spreadsheet/ParseExcel/Utility.pm b/lib/Spreadsheet/ParseExcel/Utility.pm
+index c0c26a0a17f6..d8cfb99164da 100644
+--- a/lib/Spreadsheet/ParseExcel/Utility.pm
++++ b/lib/Spreadsheet/ParseExcel/Utility.pm
+@@ -78,10 +78,12 @@ sub ExcelFmt {
+ $format_str = '@' if uc($format_str) eq "GENERAL";
+
+ # Check for a conditional at the start of the format. See notes above.
+- my $conditional;
+- if ( $format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) {
+- $conditional = $1;
+- $format_str = $2;
++ my $conditional_op;
++ my $conditional_value;
++ if ( $format_str =~ /^\[([<>=]+)([^\]]+)\](.*)$/ ) {
++ $conditional_op = $1;
++ $conditional_value = $2;
++ $format_str = $3;
+ }
+
+ # Ignore the underscore token which is used to indicate a padding space.
+@@ -166,12 +168,23 @@ sub ExcelFmt {
+ }
+
+ # Override the previous choice if the format is conditional.
+- if ($conditional) {
+-
+- # TODO. Replace string eval with a function.
+- $section = eval "$number $conditional" ? 0 : 1;
++ if ($conditional_op) {
++ if ($conditional_op eq '>') {
++ $section = $number > $conditional_value ? 0 : 1;
++ } elsif ($conditional_op eq '>=') {
++ $section = $number >= $conditional_value ? 0 : 1;
++ } elsif ($conditional_op eq '<') {
++ $section = $number < $conditional_value ? 0 : 1;
++ } elsif ($conditional_op eq '<=') {
++ $section = $number <= $conditional_value ? 0 : 1;
++ } elsif ($conditional_op eq '=') {
++ $section = $number == $conditional_value ? 0 : 1;
++ } elsif ($conditional_op eq '==') {
++ $section = $number == $conditional_value ? 0 : 1;
++ } elsif ($conditional_op eq '<>') {
++ $section = $number != $conditional_value ? 0 : 1;
++ }
+ }
+-
+ # We now have the required format.
+ $format = $formats[$section];
+
+--
+2.43.0
+
diff -Nru libspreadsheet-parseexcel-perl-0.6500/debian/patches/series libspreadsheet-parseexcel-perl-0.6500/debian/patches/series
--- libspreadsheet-parseexcel-perl-0.6500/debian/patches/series 2014-05-05 15:11:03.000000000 +0000
+++ libspreadsheet-parseexcel-perl-0.6500/debian/patches/series 2023-12-30 12:59:46.000000000 +0000
@@ -1 +1,2 @@
 30rstring.patch
+Do-not-use-string-eval-for-conditional-formatting.patch
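Review bot: An operator that matches `[<>=]+` in the first inner hunk but none of the seven arms in the second (`=<`, `>>`, `=>`, `===`) leaves `$section` at whatever the preceding code chose with no diagnostic, and a non-numeric `$conditional_value` such as the one in `[=abc]` is compared as 0 by Perl's numeric operators, with an "isn't numeric" warning if `use warnings` is on; both strings come straight from the workbook's format string, so the fall-through should be explicit rather than silent. The seven arms differ only in the operator and the `=`/`==` pair is duplicated, so a hash of coderefs keyed by operator makes the unknown-operator case a single `exists` test and lets a `looks_like_number` guard sit in one place; that needs `use Scalar::Util qw(looks_like_number);` near the top of Utility.pm, which is outside this hunk, and whether `$number` has already been validated as numeric cannot be seen here either. ExcelFmt begins and ends outside both inner hunks.
```perl
    # Override the previous choice if the format is conditional.
    if ($conditional_op) {
        my %compare_for = (
            '>'  => sub { $_[0] >  $_[1] },
            '>=' => sub { $_[0] >= $_[1] },
            '<'  => sub { $_[0] <  $_[1] },
            '<=' => sub { $_[0] <= $_[1] },
            '='  => sub { $_[0] == $_[1] },
            '==' => sub { $_[0] == $_[1] },
            '<>' => sub { $_[0] != $_[1] },
        );
        if ( exists $compare_for{$conditional_op}
            && looks_like_number($conditional_value) )
        {
            $section = $compare_for{$conditional_op}->( $number, $conditional_value ) ? 0 : 1;
        }
        else {
            # Malformed condition from the file: keep the section already chosen.
            warn "ExcelFmt: ignoring unsupported conditional [$conditional_op$conditional_value]";
        }
    }
    # … unchanged: $format = $formats[$section] …
```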