#34 and #35 have returned from the dead on GitHub. I’ll take a closer look 
later this week.

Evan

> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <j...@inutil.org> wrote:
> 
> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote:
>> 
>> Hi Evan,
>> 
>> On 15 January 2019 at 11:18, Evan Miller wrote:
>> | 
>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <j...@inutil.org> wrote:
>> | > 
>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote:
>> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from GitHub. I don’t know if the original reporter intended to close them, or what.
>> | >> 
>> | >> I have an email copy of #34 but do not have access to the PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei Weiran Labs) my ability to research will be limited.
>> | > 
>> | > That's really strange, do you have the mail address of Zhao, could you ask him what happened?
>> | 
>> | His address may be leon.zha...@gmail.com - I’ll try it. His GitHub profile is now a 404.
>> | 
>> | > 
>> | > MITRE doesn't archive security content per se, they only deal with the organisation and assignment of numbers. The Internet Archive's Wayback Machine also hasn't archived the GitHub pages.
>> | > 
>> | > Cheers,
>> | >        Moritz
>> | 
>> | 
>> | Here are the Google caches of #34 and #35:
>> | 
>> | 
>> | https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari
>> | 
>> | 
>> | https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari
>> | 
>> | The PoC links are dead.
>> | 
>> | Looking at the backtraces and the commit fixing #36 and #37 (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e) it is my belief that issues #34 and #35 are NOT fixed.
>> | 
>> | I’ll look into them soon.
>> 
>> You're awesome!  Much appreciated.
>> 
>> Moritz: Do you expect the CVE to pulverize too, or will it remain active and
>> open, but "simply" without any hard (public) evidence backing it?
> 
> No, they stick around, it sometimes happens that references vanish, e.g. when hosting sites go down (think of berlios or similar)
> 
> Cheers,
>        Moritz
