Hi Evan,
On 15 January 2019 at 11:18, Evan Miller wrote: | | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <j...@inutil.org> wrote: | > | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote: | >> Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from GitHub. I don’t know if the original reporter intended to close them, or what. | >> | >> I have an email copy of #34 but do not have access to the PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei Weiran Labs) my ability to research will be limited. | > | > That's really strange, do you have the mail address of Zhao, could you ask him what happened? | | His address may be leon.zha...@gmail.com - I’ll try it. His GitHub profile is now a 404. | | > | > MITRE doesn't archive security content per se, they only deal with the organisation and assignment | > of numbers. The Internet Archive's Wayback machine also hasn't archived the Github pages. | > | > Cheers, | > Moritz | | | Here are the Google caches of #34 and #35: | | https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari | | https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari | | The PoC links are dead. | | Looking at the backtraces and the commit fixing #36 and #37 (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e) it is my belief that issues #34 and #35 are NOT fixed. | | I’ll look into them soon. You're awesome! Much appreciated. Moritz: Do you expect the CVE to puliverize too, or will it remain active and open, but "simply" without any hard (public) evidence backing it? Dirk | Evan | | -- http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
