On 12 June 2026 at 10:46, Jenny Bryan wrote:
| Hi Dirk,
| 
| I do follow the libxls repo in a very passive manner, so presumably my
| eyeballs have been exposed to this.
| 
| But, no, I haven't got a true open issue about it, in the literal or
| metaphorical sense, nor have I corresponded with Evan.
| 
| Will you open a readxl issue stating that it's creating issues for you
| on Debian? That at least puts it on my radar.

Done, as you likely saw. Now at https://github.com/tidyverse/readxl/issues/795

Dirk
 
| Thanks, Jenny
| 
| On Fri, Jun 12, 2026 at 8:18 AM Dirk Eddelbuettel <[email protected]> wrote:
| >
| >
| > Hi Jenny,
| >
| > Just like a few years ago, there appears to a (pair of) new CVE(s) for
| > readxl.
| >
| > Can I assume you will deal with this at the CRAN package level? The GH 
issues
| > linked below were opened quite some time ago, and there is no follow-up from
| > Evan I can see :-/  Have you been in contact with him?
| >
| > Cheers, Dirk
| >
| > On 12 June 2026 at 16:16, Moritz Mühlenhoff wrote:
| > | Source: r-cran-readxl
| > | X-Debbugs-CC: [email protected]
| > | Severity: important
| > | Tags: security
| > |
| > | Hi,
| > |
| > | The following vulnerabilities were published for libxls, which is
| > | part of r-cran-readxl:
| > |
| > | CVE-2026-26824[0]:
| > | | libxls through version 1.6.3 contains a use of uninitialized memory
| > | | vulnerability in the OLE container parser. Memory allocated for the
| > | | Master Sector Allocation Table (MSAT) in read_MSAT() is not fully
| > | | initialized before being consumed by ole2_validate_sector_chain(),
| > | | which may result in application crashes or potential information
| > | | disclosure when processing a crafted XLS file
| > |
| > | https://github.com/libxls/libxls/issues/156
| > |
| > |
| > | CVE-2026-26825[1]:
| > | | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3
| > | | when parsing malformed XLS files. The issue is reachable via
| > | | xls_parseWorkBook() and is triggered by uninitialized heap memory
| > | | originating from the OLE layer (ole2_read). The flaw is detectable
| > | | with MemorySanitizer (MSAN) and can lead to undefined behavior,
| > | | incorrect parsing logic, or potential information disclosure.
| > |
| > | https://github.com/libxls/libxls/issues/155
| > |
| > |
| > | If you fix the vulnerabilities please also make sure to include the
| > | CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
| > |
| > | For further information see:
| > |
| > | [0] https://security-tracker.debian.org/tracker/CVE-2026-26824
| > |     https://www.cve.org/CVERecord?id=CVE-2026-26824
| > | [1] https://security-tracker.debian.org/tracker/CVE-2026-26825
| > |     https://www.cve.org/CVERecord?id=CVE-2026-26825
| > |
| > | Please adjust the affected versions in the BTS as needed.
| >
| > --
| > Dirk Eddelbuettel | [email protected] | http://dirk.eddelbuettel.com
| >
| > Support my Tour de Shore 2026 ride benefiting Maywood Fine Arts! More info 
at
| > https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_2026

-- 
Dirk Eddelbuettel | [email protected] | http://dirk.eddelbuettel.com

Support my Tour de Shore 2026 ride benefiting Maywood Fine Arts! More info at
https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_2026

Reply via email to