I will kick off my process then. Will you do something nice and official re: a release and I should keep my eyes open for it? Or am I rolling on my own schedule now, knowing that I am embedding a libxls release in the moral sense?
-- Jenny On Tue, Jan 29, 2019 at 11:38 AM Evan Miller <emmil...@gmail.com> wrote: > Thanks Jenny. In that case I am not planning any additional code changes, > just documentation and maybe tweaks to the build scripts. > > Sent from my iPad > > On Jan 29, 2019, at 11:47, Jennifer Bryan <jenny.f.br...@gmail.com> wrote: > > Yes, all is good. I had pulled libxls again yesterday after you merged > your PR and readxl still passes checks on all platforms. > > https://github.com/tidyverse/readxl/pull/543 > > -- Jenny > > On Tue, Jan 29, 2019 at 7:31 AM Evan Miller <emmil...@gmail.com> wrote: > >> All issues identified by OSS-Fuzz are now fixed in libxls master. @Jenny >> if the code passes your readxl tests I will begin preparing a 1.5 release >> candidate. >> >> In other news, I heard back from the researcher who initially reported >> the issues. His GitHub account was marked as spam, which explains why the >> issues he filed disappeared without warning. >> >> Sent from my iPad >> >> > On Jan 27, 2019, at 10:27, Dirk Eddelbuettel <e...@debian.org> wrote: >> > >> > >> > On 27 January 2019 at 09:25, Evan Miller wrote: >> > | >> > | > On Jan 26, 2019, at 23:09, Dirk Eddelbuettel <e...@debian.org> >> wrote: >> > | > >> > | > >> > | > On 26 January 2019 at 15:59, Jennifer Bryan wrote: >> > | > | I'll still wait a bit to see if libxls can get to an official >> release soon. >> > | > | >> > | > | But readxl builds and passes tests everywhere with the current >> libxls, so >> > | > | that's good news: >> > | > | >> > | > | https://github.com/tidyverse/readxl/pull/543 >> > | > >> > | > Nice -- should I fold that into an interim release to address the >> CVE? >> > | > I can then follow-up with real release whenever you push to CRAN. >> > | >> > | This would be fine from my end. I am hunting down one last hang >> identified by OSS-Fuzz (I.e. potential denial of service), but the CVEs, >> buffer overruns, and memory leaks are all fixed in Jenny’s pull request. >> > >> > Ok I did the easy part: updating our current package (based on Jenny's >> readxl >> > 1.2.0 from December 2018) to her current dev branch with your updates. >> The >> > delta is small and clean so that was no work. In Debian unstable now. >> > >> > And I then bravely/foolishly attempted the harder part of backporting >> to the >> > (old !!) version in stable. Turns out it was not so bad and similar to >> the >> > fix in April -- I updated the relevant files 'en block': >> > >> > edd@rob:~/temp-sec$ diff -rq r-cran-readxl-0.1.1.orig/ >> r-cran-readxl-0.1.1 >> > Files r-cran-readxl-0.1.1.orig/src/libxls/ole.h and >> r-cran-readxl-0.1.1/src/libxls/ole.h differ >> > Files r-cran-readxl-0.1.1.orig/src/libxls/xlstool.h and >> r-cran-readxl-0.1.1/src/libxls/xlstool.h differ >> > Files r-cran-readxl-0.1.1.orig/src/ole.c and >> r-cran-readxl-0.1.1/src/ole.c differ >> > Files r-cran-readxl-0.1.1.orig/src/xls.c and >> r-cran-readxl-0.1.1/src/xls.c differ >> > Files r-cran-readxl-0.1.1.orig/src/xlstool.c and >> r-cran-readxl-0.1.1/src/xlstool.c differ >> > edd@rob:~/temp-sec$ >> > >> > I do get a segfault on the .xls example but _vaguely_ recall that we had >> > issue in April too. The "example(read_excel)" using the xlsx file >> works fine. >> > >> > Moritz: I'll proceed and send the required debdiff to security@d.o. I >> may >> > need to lean on you once again for 'process' as I don't do this all >> that often. >> > >> > Thanks everybody for the help, particularly Evan of course for the >> upstream >> > work, and also Jenny for the clean new branch. >> > >> > Dirk >> > >> > | Evan >> > | >> > | > >> > | > Dirk >> > | > >> > | > | -- Jenny >> > | > | >> > | > | On Sat, Jan 26, 2019 at 7:23 AM Evan Miller <emmil...@gmail.com> >> wrote: >> > | > | >> > | > | > >> > | > | > > On Jan 26, 2019, at 10:05, Dirk Eddelbuettel <e...@debian.org> >> wrote: >> > | > | > > >> > | > | > > >> > | > | > > On 24 January 2019 at 19:54, Evan Miller wrote: >> > | > | > > | >> > | > | > > | > On Jan 24, 2019, at 19:10, Dirk Eddelbuettel < >> e...@debian.org> wrote: >> > | > | > > | > >> > | > | > > | > >> > | > | > > | > On 24 January 2019 at 16:36, Evan Miller wrote: >> > | > | > > | > | >> > | > | > > | > | > On Jan 23, 2019, at 01:16, Evan Miller < >> emmil...@gmail.com> >> > | > | > wrote: >> > | > | > > | > | > >> > | > | > > | > | > #34 and #35 have returned from the dead on GitHub. >> I’ll take a >> > | > | > closer look later this week. >> > | > | > > | > | > >> > | > | > > | > | > Evan >> > | > | > > | > | >> > | > | > > | > | >> > | > | > > | > | OK — I can confirm that all of the reported libxls bugs >> are fixed. >> > | > | > > | > >> > | > | > > | > As in: in the current libxls GH version? I can make a >> patched Debian >> > | > | > > | > release of that. >> > | > | > > | >> > | > | > > | Yes, they are fixed in master on GitHub. Note that there >> are quite a >> > | > | > few changes since 1.4 – I can’t promise that master has ABI >> compatibility >> > | > | > with the last official 1.4 release. But if you compile the new >> sources >> > | > | > using the old headers (or diff and merge manually) I don’t >> think there will >> > | > | > be an issue on that front. >> > | > | > > >> > | > | > > Maybe Jenny could take a look? >> > | > | > > >> > | > | > > It is her use of your library in her package that I stand >> behind for >> > | > | > Debian. >> > | > | > >> > | > | > Ah, okay, then the ABI doesn’t matter. I had assumed you were >> packaging >> > | > | > libxls as a runtime library + development headers. >> > | > | > >> > | > | > > >> > | > | > > Thanks for all your diligent work on this. It is great to see >> this move >> > | > | > in >> > | > | > > the right ("fuzzing") direction. >> > | > | > >> > | > | > Long overdue! :-) >> > | > | > >> > | > | > Evan >> > | > | > >> > | > | > > >> > | > | > > Dirk >> > | > | > > >> > | > | > > | Evan >> > | > | > > | >> > | > | > > | > >> > | > | > > | > | I have successfully integrated libxls into OSS-Fuzz, >> and have >> > | > | > added the researcher’s test files to the fuzzing corpus, so >> that this and >> > | > | > related issues should be caught by the address sanitizer in the >> future. >> > | > | > > | > | >> > | > | > > | > | OSS-Fuzz has turned up a number of other issues. I will >> plan to do >> > | > | > a release when they are all addressed. >> > | > | > > | > >> > | > | > > | > That is awesome. >> > | > | > > | > >> > | > | > > | > Thank you, Dirk >> > | > | > > | > >> > | > | > > | > | Evan >> > | > | > > | > | >> > | > | > > | > | > >> > | > | > > | > | >> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff < >> j...@inutil.org >> > | > | > <mailto:j...@inutil.org>> wrote: >> > | > | > > | > | >> >> > | > | > > | > | >> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk >> Eddelbuettel >> > | > | > wrote: >> > | > | > > | > | >>> >> > | > | > > | > | >>> Hi Evan, >> > | > | > > | > | >>> >> > | > | > > | > | >>> On 15 January 2019 at 11:18, Evan Miller wrote: >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff < >> > | > | > j...@inutil.org <mailto:j...@inutil.org>> wrote: >> > | > | > > | > | >>> | > >> > | > | > > | > | >>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan >> Miller >> > | > | > wrote: >> > | > | > > | > | >>> | >> Oddly, all four issues (#34, #35, #36, #37) >> seem to have >> > | > | > disappeared from GitHub. I don’t know if the original reporter >> intended to >> > | > | > close them, or what. >> > | > | > > | > | >>> | >> >> > | > | > > | > | >>> | >> I have an email copy of #34 but do not have >> access to the >> > | > | > PoC files. So without the cooperation of the reporter (Zhao >> Liang, Huawei >> > | > | > Weiran Labs) my ability to research will be limited. >> > | > | > > | > | >>> | > >> > | > | > > | > | >>> | > That's really strange, do you have the mail >> address of >> > | > | > Zhao, could you ask him what happened? >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | His address may be leon.zha...@gmail.com <mailto: >> > | > | > leon.zha...@gmail.com> - I’ll try it. His GitHub profile is >> now a 404. >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | > >> > | > | > > | > | >>> | > MITRE doesn't archive security content per se, >> they only >> > | > | > deal with the organisation and assignment >> > | > | > > | > | >>> | > of numbers. The Internet Archive's Wayback >> machine also >> > | > | > hasn't archived the Github pages. >> > | > | > > | > | >>> | > >> > | > | > > | > | >>> | > Cheers, >> > | > | > > | > | >>> | > Moritz >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | Here are the Google caches of #34 and #35: >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | >> > | > | > >> https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari >> > | > | > < >> > | > | > >> https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari >> > | > | > > >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | >> > | > | > >> https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari >> > | > | > < >> > | > | > >> https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari >> > | > | > > >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | The PoC links are dead. >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | Looking at the backtraces and the commit fixing >> #36 and #37 ( >> > | > | > >> https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e >> > | > | > < >> > | > | > >> https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e >> >) >> > | > | > it is my belief that issues #34 and #35 are NOT fixed. >> > | > | > > | > | >>> | >> > | > | > > | > | >>> | I’ll look into them soon. >> > | > | > > | > | >>> >> > | > | > > | > | >>> You're awesome! Much appreciated. >> > | > | > > | > | >>> >> > | > | > > | > | >>> Moritz: Do you expect the CVE to puliverize too, or >> will it >> > | > | > remain active and >> > | > | > > | > | >>> open, but "simply" without any hard (public) >> evidence backing >> > | > | > it? >> > | > | > > | > | >> >> > | > | > > | > | >> No, they stick around, it sometimes happens that >> references >> > | > | > vanish, e.g. then hosting sites >> > | > | > > | > | >> go down (think of berlios or similar) >> > | > | > > | > | >> >> > | > | > > | > | >> Cheers, >> > | > | > > | > | >> Moritz >> > | > | > > | > | > >> > | > | > > | > | >> > | > | > > | > >> > | > | > > | > -- >> > | > | > > | > http://dirk.eddelbuettel.com | @eddelbuettel | >> e...@debian.org >> > | > | > > >> > | > | > > -- >> > | > | > > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org >> > | > | > >> > | > >> > | > -- >> > | > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org >> > >> > -- >> > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org >> >
