On 14 January 2019 at 20:45, Evan Miller wrote:
| Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from
| GitHub. I don't know if the original reporter intended to close them, or what.

That is ... weird.
 
| I have an email copy of #34 but do not have access to the PoC files. So
| without the cooperation of the reporter (Zhao Liang, Huawei Weiran Labs) my
| ability to research will be limited.

Understood.

Moritz: Any idea?  Will the CVE end of things have copies?

Dirk
 
| Evan
| 
| > On Jan 14, 2019, at 19:22, Dirk Eddelbuettel <e...@debian.org> wrote:
| > 
| > 
| > Hi Evan,
| > 
| > On 14 January 2019 at 19:03, Evan Miller wrote:
| > | Hi Dirk,
| > | 
| > | You are correct - these are issues with the underlying C library, the
| > | GitHub issues you referenced. I have not researched them specifically, but I
| > | recently fixed two issues (#36 and #37) that are possibly related:
| > | 
| > | https://github.com/evanmiller/libxls/issues/36
| > | https://github.com/evanmiller/libxls/issues/37
| > | 
| > | I will look into #34 and #35 when I get a chance.
| > 
| > Thanks for the prompt follow-up.  Please keep us posted and abreast of any
| > progress.
| > 
| > Dirk
| > 
| > | Evan
| > | 
| > | > On Jan 14, 2019, at 17:56, Dirk Eddelbuettel <e...@debian.org> wrote:
| > | > 
| > | > 
| > | > Hi Evan,
| > | > 
| > | > On 14 January 2019 at 23:32, Moritz Muehlenhoff wrote:
| > | > | Package: r-cran-readxl
| > | > | Severity: important
| > | > | Tags: security
| > | > | 
| > | > | These two libxls issues should affect r-cran-readxl:
| > | > | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20450
| > | > | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20452
| > | > 
| > | > These are both file as #34 and #35 at your GitHub repo, but I did not
| > | > see any
| > 
| > s/file/filed/  -- sorry
| > 
| > | > follow-up.  I presume this is similar to the last time that the issue
| > | > really stems from the underlying C parser library?  Any idea how long it
| > | > may take until we have a fix?
| > | > 
| > | > Courtesy to Jenny who via readxl 'upstream' is the real maintainer for the
| > 
| > s/Courtesy/Courtesy CC/ -- sorry
| > 
| > | > CRAN package I mostly just wrap up for Debian.
| > | > 
| > | > Best,  Dirk
| > | > 
| > | > | Cheers,
| > | > |         Moritz
| > | > 
| > | > -- 
| > | > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
| > | 
| > 
| > -- 
| > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
| 

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
