On 24 January 2019 at 16:36, Evan Miller wrote:
|
| > On Jan 23, 2019, at 01:16, Evan Miller <emmil...@gmail.com> wrote:
| >
| > #34 and #35 have returned from the dead on GitHub. I’ll take a closer look later this week.
| >
| > Evan
|
|
| OK — I can confirm that all of the reported libxls bugs are fixed.

As in: in the current libxls GH version? I can make a patched Debian release of that.

| I have successfully integrated libxls into OSS-Fuzz, and have added the researcher’s test files to the fuzzing corpus, so that this and related issues should be caught by the address sanitizer in the future.
|
| OSS-Fuzz has turned up a number of other issues. I will plan to do a release when they are all addressed.

That is awesome. Thank you,

Dirk

| Evan
|
| >
| >> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <j...@inutil.org> wrote:
| >>
| >> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote:
| >>>
| >>> Hi Evan,
| >>>
| >>> On 15 January 2019 at 11:18, Evan Miller wrote:
| >>> |
| >>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <j...@inutil.org> wrote:
| >>> | >
| >>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote:
| >>> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from GitHub. I don’t know if the original reporter intended to close them, or what.
| >>> | >>
| >>> | >> I have an email copy of #34 but do not have access to the PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei Weiran Labs) my ability to research will be limited.
| >>> | >
| >>> | > That's really strange, do you have the mail address of Zhao, could you ask him what happened?
| >>> |
| >>> | His address may be leon.zha...@gmail.com - I’ll try it. His GitHub profile is now a 404.
| >>> |
| >>> | >
| >>> | > MITRE doesn't archive security content per se, they only deal with the organisation and assignment
| >>> | > of numbers. The Internet Archive's Wayback machine also hasn't archived the Github pages.
| >>> | >
| >>> | > Cheers,
| >>> | > Moritz
| >>> |
| >>> |
| >>> | Here are the Google caches of #34 and #35:
| >>> |
| >>> | https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari
| >>> |
| >>> | https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari
| >>> |
| >>> | The PoC links are dead.
| >>> |
| >>> | Looking at the backtraces and the commit fixing #36 and #37 (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e) it is my belief that issues #34 and #35 are NOT fixed.
| >>> |
| >>> | I’ll look into them soon.
| >>>
| >>> You're awesome! Much appreciated.
| >>>
| >>> Moritz: Do you expect the CVE to pulverize too, or will it remain active and
| >>> open, but "simply" without any hard (public) evidence backing it?
| >>
| >> No, they stick around, it sometimes happens that references vanish, e.g. when hosting sites
| >> go down (think of berlios or similar)
| >>
| >> Cheers,
| >> Moritz
| >

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org