On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote:
> 
> Hi Evan,
> 
> On 15 January 2019 at 11:18, Evan Miller wrote:
> | 
> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <j...@inutil.org> wrote:
> | > 
> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote:
> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from GitHub. I don’t know if the original reporter intended to close them, or what.
> | >> 
> | >> I have an email copy of #34 but do not have access to the PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei Weiran Labs) my ability to research will be limited.
> | > 
> | > That's really strange, do you have the mail address of Zhao, could you ask him what happened?
> | 
> | His address may be leon.zha...@gmail.com - I’ll try it. His GitHub profile is now a 404.
> | 
> | > 
> | > MITRE doesn't archive security content per se, they only deal with the organisation and assignment
> | > of numbers. The Internet Archive's Wayback Machine also hasn't archived the GitHub pages.
> | > 
> | > Cheers,
> | >        Moritz
> | 
> | 
> | Here are the Google caches of #34 and #35:
> | 
> | https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari
> | 
> | https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari
> | 
> | The PoC links are dead.
> | 
> | Looking at the backtraces and the commit fixing #36 and #37 (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e) it is my belief that issues #34 and #35 are NOT fixed.
> | 
> | I’ll look into them soon.
> 
> You're awesome!  Much appreciated.
> 
> Moritz: Do you expect the CVE to pulverize too, or will it remain active and
> open, but "simply" without any hard (public) evidence backing it?

No, they stick around, it sometimes happens that references vanish, e.g. when
hosting sites go down (think of berlios or similar)

Cheers,
        Moritz
