
Cloud Vulnerability DB
A community-led vulnerabilities database
A free-of-uninitialized-pointer vulnerability, identified as CVE-2023-34795, was discovered in June 2023 in the xlsxio library and affects versions 0.1.2 through 0.2.34. The flaw lies in the xlsxioread_sheetlist_close() function. The affected software, xlsxio, is a cross-platform C library for reading and writing .xlsx files (CVE Details, GitHub Advisory).
The vulnerability occurs when XML_Char_openzip() fails and returns NULL inside xlsxioread_sheetlist_open(), which leaves the result->xmlparser field of the newly allocated struct xlsxio_read_sheetlist_struct uninitialized. When xlsxioread_sheetlist_close() is later called to destroy that object, the indeterminate xmlparser value is passed to XML_ParserFree(), so an arbitrary pointer is freed. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Issue).
The vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted XLSX file. Additionally, there is potential for Remote Code Execution (RCE) by hijacking function pointers through Use-After-Free (UAF) exploitation (GitHub Advisory).
The vulnerability was patched in version 0.2.35 with a fix that properly initializes the xmlparser pointer to NULL in the xlsxioread_sheetlist_open() function. Users are advised to upgrade to version 0.2.35 or later (GitHub Commit).
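To make the failure path and the one-line fix concrete, here is an added C model of the open/close pattern described above; it is not xlsxio's or expat's code, and parser_t, mock_openzip() and mock_parser_free() are hypothetical stand-ins for the real XML parser handle, XML_Char_openzip() and XML_ParserFree().

```c
/* Added example modelling CVE-2023-34795 (not xlsxio's code). */
#include <stdlib.h>

typedef struct { int dummy; } parser_t;   /* stand-in for the XML parser handle */

typedef struct {
    parser_t *xmlparser;   /* the field left indeterminate before the fix */
    int sheetcount;
} sheetlist_t;

static int g_parser_frees = 0;            /* counts real parser frees, for checking */

/* Stand-in for XML_ParserFree(); like expat's, it tolerates NULL. */
static void mock_parser_free(parser_t *p) { if (p) { g_parser_frees++; free(p); } }

/* Stand-in for XML_Char_openzip(); `fail` models a sheet that cannot be opened. */
static parser_t *mock_openzip(const char *zipfile, int fail)
{
    (void)zipfile;
    if (fail) return NULL;
    return calloc(1, sizeof(parser_t));
}

/* Corrected open: every field is set before the call that may fail. */
sheetlist_t *sheetlist_open(const char *zipfile, int fail_openzip)
{
    sheetlist_t *result = malloc(sizeof *result);
    if (!result) return NULL;
    result->xmlparser = NULL;   /* the fix; without this line the pointer is garbage */
    result->sheetcount = 0;
    result->xmlparser = mock_openzip(zipfile, fail_openzip);
    return result;              /* caller closes it either way, as in xlsxio */
}

/* Close: returns 1 if a real parser was freed, 0 if there was nothing to free. */
int sheetlist_close(sheetlist_t *s)
{
    if (!s) return 0;
    int freed = (s->xmlparser != NULL);
    mock_parser_free(s->xmlparser);   /* safe because xmlparser is NULL on failure */
    free(s);
    return freed;
}

/* Exercise both paths; returns 1 when the failed-open path closes cleanly. */
int demo(void)
{
    int freed_ok  = sheetlist_close(sheetlist_open("constructed.xlsx", 0));
    int freed_bad = sheetlist_close(sheetlist_open("constructed.xlsx", 1));
    return freed_ok == 1 && freed_bad == 0 && g_parser_frees == 1;
}
```

Removing the `result->xmlparser = NULL;` line reproduces the pre-0.2.35 behaviour, which tools such as Valgrind or MemorySanitizer flag as a free of an uninitialized value on the failing path.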
Source: This report was generated using AI