I'll still wait a bit to see if libxls can get to an official release soon.
But readxl builds and passes tests everywhere with the current libxls, so that's good news: https://github.com/tidyverse/readxl/pull/543 -- Jenny On Sat, Jan 26, 2019 at 7:23 AM Evan Miller <emmil...@gmail.com> wrote: > > > On Jan 26, 2019, at 10:05, Dirk Eddelbuettel <e...@debian.org> wrote: > > > > > > On 24 January 2019 at 19:54, Evan Miller wrote: > > | > > | > On Jan 24, 2019, at 19:10, Dirk Eddelbuettel <e...@debian.org> wrote: > > | > > > | > > > | > On 24 January 2019 at 16:36, Evan Miller wrote: > > | > | > > | > | > On Jan 23, 2019, at 01:16, Evan Miller <emmil...@gmail.com> > wrote: > > | > | > > > | > | > #34 and #35 have returned from the dead on GitHub. I’ll take a > closer look later this week. > > | > | > > > | > | > Evan > > | > | > > | > | > > | > | OK — I can confirm that all of the reported libxls bugs are fixed. > > | > > > | > As in: in the current libxls GH version? I can make a patched Debian > > | > release of that. > > | > > | Yes, they are fixed in master on GitHub. Note that there are quite a > few changes since 1.4 – I can’t promise that master has ABI compatibility > with the last official 1.4 release. But if you compile the new sources > using the old headers (or diff and merge manually) I don’t think there will > be an issue on that front. > > > > Maybe Jenny could take a look? > > > > It is her use of your library in her package that I stand behind for > Debian. > > Ah, okay, then the ABI doesn’t matter. I had assumed you were packaging > libxls as a runtime library + development headers. > > > > > Thanks for all your diligent work on this. It is great to see this move > in > > the right ("fuzzing") direction. > > Long overdue! :-) > > Evan > > > > > Dirk > > > > | Evan > > | > > | > > > | > | I have successfully integrated libxls into OSS-Fuzz, and have > added the researcher’s test files to the fuzzing corpus, so that this and > related issues should be caught by the address sanitizer in the future. > > | > | > > | > | OSS-Fuzz has turned up a number of other issues. I will plan to do > a release when they are all addressed. > > | > > > | > That is awesome. > > | > > > | > Thank you, Dirk > > | > > > | > | Evan > > | > | > > | > | > > > | > | >> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <j...@inutil.org > <mailto:j...@inutil.org>> wrote: > > | > | >> > > | > | >> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel > wrote: > > | > | >>> > > | > | >>> Hi Evan, > > | > | >>> > > | > | >>> On 15 January 2019 at 11:18, Evan Miller wrote: > > | > | >>> | > > | > | >>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff < > j...@inutil.org <mailto:j...@inutil.org>> wrote: > > | > | >>> | > > > | > | >>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller > wrote: > > | > | >>> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have > disappeared from GitHub. I don’t know if the original reporter intended to > close them, or what. > > | > | >>> | >> > > | > | >>> | >> I have an email copy of #34 but do not have access to the > PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei > Weiran Labs) my ability to research will be limited. > > | > | >>> | > > > | > | >>> | > That's really strange, do you have the mail address of > Zhao, could you ask him what happened? > > | > | >>> | > > | > | >>> | His address may be leon.zha...@gmail.com <mailto: > leon.zha...@gmail.com> - I’ll try it. His GitHub profile is now a 404. > > | > | >>> | > > | > | >>> | > > > | > | >>> | > MITRE doesn't archive security content per se, they only > deal with the organisation and assignment > > | > | >>> | > of numbers. The Internet Archive's Wayback machine also > hasn't archived the Github pages. > > | > | >>> | > > > | > | >>> | > Cheers, > > | > | >>> | > Moritz > > | > | >>> | > > | > | >>> | > > | > | >>> | Here are the Google caches of #34 and #35: > > | > | >>> | > > | > | >>> | > https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari > < > https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari > > > > | > | >>> | > > | > | >>> | > https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari > < > https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari > > > > | > | >>> | > > | > | >>> | The PoC links are dead. > > | > | >>> | > > | > | >>> | Looking at the backtraces and the commit fixing #36 and #37 ( > https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e > < > https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e>) > it is my belief that issues #34 and #35 are NOT fixed. > > | > | >>> | > > | > | >>> | I’ll look into them soon. > > | > | >>> > > | > | >>> You're awesome! Much appreciated. > > | > | >>> > > | > | >>> Moritz: Do you expect the CVE to puliverize too, or will it > remain active and > > | > | >>> open, but "simply" without any hard (public) evidence backing > it? > > | > | >> > > | > | >> No, they stick around, it sometimes happens that references > vanish, e.g. then hosting sites > > | > | >> go down (think of berlios or similar) > > | > | >> > > | > | >> Cheers, > > | > | >> Moritz > > | > | > > > | > | > > | > > > | > -- > > | > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org > > > > -- > > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org >
