Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from 
GitHub. I don’t know if the original reporter intended to close them, or what.

I have an email copy of #34 but do not have access to the PoC files. So without 
the cooperation of the reporter (Zhao Liang, Huawei Weiran Labs) my ability to 
research will be limited.

Evan

> On Jan 14, 2019, at 19:22, Dirk Eddelbuettel <e...@debian.org> wrote:
> 
> 
> Hi Evan,
> 
> On 14 January 2019 at 19:03, Evan Miller wrote:
> | Hi Dirk,
> | 
> | You are correct - these are issues with the underlying C library, the 
> | GitHub issues you referenced. I have not researched them specifically, but I 
> | recently fixed two issues (#36 and #37) that are possibly related:
> | 
> | https://github.com/evanmiller/libxls/issues/36
> | https://github.com/evanmiller/libxls/issues/37
> | 
> | I will look into #34 and #35 when I get a chance.
> 
> Thanks for the prompt follow-up.  Please keep us posted and abreast of any 
> progress.
> 
> Dirk
> 
> | Evan
> | 
> | > On Jan 14, 2019, at 17:56, Dirk Eddelbuettel <e...@debian.org> wrote:
> | > 
> | > 
> | > Hi Evan,
> | > 
> | > On 14 January 2019 at 23:32, Moritz Muehlenhoff wrote:
> | > | Package: r-cran-readxl
> | > | Severity: important
> | > | Tags: security
> | > | 
> | > | These two libxls issues should affect r-cran-readxl:
> | > | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20450
> | > | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20452
> | > 
> | > These are both file as #34 and #35 at your GitHub repo, but I did not see any
> 
> s/file/filed/  -- sorry
> 
> | > follow-up.  I presume this is similar to the last time that the issue really
> | > stems from the underlying C parser library?  Any idea how long it may take
> | > until we have a fix?
> | > 
> | > Courtesy to Jenny who via readxl 'upstream' is the real maintainer for the
> 
> s/Courtesy/Courtesy CC/ -- sorry
> 
> | > CRAN package I mostly just wrap up for Debian.
> | > 
> | > Best,  Dirk
> | > 
> | > | Cheers,
> | > |         Moritz
> | > 
> | > -- 
> | > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
> | 
> 
> -- 
> http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
