Thanks for the update and fixes, Evan!

What sort of timeframe do you have in mind re: your official release?

That affects how I think about timing a readxl release. I don't do them
lightly but also want to get the fixes that address the CVEs into readxl
sooner rather than later.

-- Jenny

On Thu, Jan 24, 2019 at 1:36 PM Evan Miller <emmil...@gmail.com> wrote:

>
> On Jan 23, 2019, at 01:16, Evan Miller <emmil...@gmail.com> wrote:
>
> #34 and #35 have returned from the dead on GitHub. I’ll take a closer look
> later this week.
>
> Evan
>
>
>
> OK — I can confirm that all of the reported libxls bugs are fixed. I have
> successfully integrated libxls into OSS-Fuzz, and have added the
> researcher’s test files to the fuzzing corpus, so that this and related
> issues should be caught by the address sanitizer in the future.
>
> OSS-Fuzz has turned up a number of other issues. I will plan to do a
> release when they are all addressed.
>
> Evan
>
>
> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <j...@inutil.org> wrote:
>
> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote:
>
>
> Hi Evan,
>
> On 15 January 2019 at 11:18, Evan Miller wrote:
> |
> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <j...@inutil.org> wrote:
> | >
> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote:
> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from GitHub. I don’t know if the original reporter intended to close them, or what.
> | >>
> | >> I have an email copy of #34 but do not have access to the PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei Weiran Labs) my ability to research will be limited.
> | >
> | > That's really strange, do you have the mail address of Zhao, could you ask him what happened?
> |
> | His address may be leon.zha...@gmail.com - I’ll try it. His GitHub profile is now a 404.
> |
> | >
> | > MITRE doesn't archive security content per se, they only deal with the organisation and assignment
> | > of numbers. The Internet Archive's Wayback Machine also hasn't archived the GitHub pages.
> | >
> | > Cheers,
> | >        Moritz
> |
> |
> | Here are the Google caches of #34 and #35:
> |
> |
> https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari
> |
> |
> https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari
> |
> | The PoC links are dead.
> |
> | Looking at the backtraces and the commit fixing #36 and #37 (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e) it is my belief that issues #34 and #35 are NOT fixed.
> |
> | I’ll look into them soon.
>
> You're awesome!  Much appreciated.
>
> Moritz: Do you expect the CVE to pulverize too, or will it remain active and
> open, but "simply" without any hard (public) evidence backing it?
>
>
> No, they stick around, it sometimes happens that references vanish, e.g. when hosting sites
> go down (think of berlios or similar)
>
> Cheers,
>        Moritz
>
>
>
>
