On 24 January 2019 at 19:54, Evan Miller wrote:
| 
| > On Jan 24, 2019, at 19:10, Dirk Eddelbuettel <e...@debian.org> wrote:
| > 
| > 
| > On 24 January 2019 at 16:36, Evan Miller wrote:
| > | 
| > | > On Jan 23, 2019, at 01:16, Evan Miller <emmil...@gmail.com> wrote:
| > | > 
| > | > #34 and #35 have returned from the dead on GitHub. I’ll take a closer
| > | > look later this week.
| > | > 
| > | > Evan
| > | 
| > | 
| > | OK — I can confirm that all of the reported libxls bugs are fixed.
| > 
| > As in: in the current libxls GH version?  I can make a patched Debian
| > release of that.
| 
| Yes, they are fixed in master on GitHub. Note that there are quite a few
| changes since 1.4 – I can’t promise that master has ABI compatibility with the
| last official 1.4 release. But if you compile the new sources using the old
| headers (or diff and merge manually) I don’t think there will be an issue on
| that front.

Maybe Jenny could take a look?

It is her use of your library in her package that I stand behind for Debian.

Thanks for all your diligent work on this. It is great to see this move in
the right ("fuzzing") direction.

Dirk

| Evan
| 
| > 
| > | I have successfully integrated libxls into OSS-Fuzz, and have added the
| > | researcher’s test files to the fuzzing corpus, so that this and related issues
| > | should be caught by the address sanitizer in the future.
| > | 
| > | OSS-Fuzz has turned up a number of other issues. I will plan to do a
| > | release when they are all addressed.
| > 
| > That is awesome.
| > 
| > Thank you,  Dirk
| > 
| > | Evan
| > | 
| > | > 
| > | >> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <j...@inutil.org> wrote:
| > | >> 
| > | >> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote:
| > | >>> 
| > | >>> Hi Evan,
| > | >>> 
| > | >>> On 15 January 2019 at 11:18, Evan Miller wrote:
| > | >>> | 
| > | >>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <j...@inutil.org> wrote:
| > | >>> | > 
| > | >>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote:
| > | >>> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have
| > | >>> | >> disappeared from GitHub. I don’t know if the original reporter intended to
| > | >>> | >> close them, or what.
| > | >>> | >> 
| > | >>> | >> I have an email copy of #34 but do not have access to the PoC
| > | >>> | >> files. So without the cooperation of the reporter (Zhao Liang, Huawei Weiran
| > | >>> | >> Labs) my ability to research will be limited.
| > | >>> | > 
| > | >>> | > That's really strange, do you have the mail address of Zhao,
| > | >>> | > could you ask him what happened?
| > | >>> | 
| > | >>> | His address may be leon.zha...@gmail.com - I’ll try it. His GitHub
| > | >>> | profile is now a 404.
| > | >>> | 
| > | >>> | > 
| > | >>> | > MITRE doesn't archive security content per se, they only deal
| > | >>> | > with the organisation and assignment
| > | >>> | > of numbers. The Internet Archive's Wayback machine also hasn't
| > | >>> | > archived the Github pages.
| > | >>> | > 
| > | >>> | > Cheers,
| > | >>> | >        Moritz
| > | >>> | 
| > | >>> | 
| > | >>> | Here are the Google caches of #34 and #35:
| > | >>> | 
| > | >>> | https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari
| > | >>> | 
| > | >>> | https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari
| > | >>> | 
| > | >>> | The PoC links are dead.
| > | >>> | 
| > | >>> | Looking at the backtraces and the commit fixing #36 and #37
| > | >>> | (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e)
| > | >>> | it is my belief that issues #34 and #35 are NOT fixed.
| > | >>> | 
| > | >>> | I’ll look into them soon.
| > | >>> 
| > | >>> You're awesome!  Much appreciated.
| > | >>> 
| > | >>> Moritz: Do you expect the CVE to pulverize too, or will it remain
| > | >>> active and
| > | >>> open, but "simply" without any hard (public) evidence backing it?
| > | >> 
| > | >> No, they stick around, it sometimes happens that references vanish,
| > | >> e.g. then hosting sites
| > | >> go down (think of berlios or similar)
| > | >> 
| > | >> Cheers,
| > | >>        Moritz
| > | > 
| > | 
| > 
| > -- 
| > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
