> On Jan 26, 2019, at 23:09, Dirk Eddelbuettel <e...@debian.org> wrote: > > > On 26 January 2019 at 15:59, Jennifer Bryan wrote: > | I'll still wait a bit to see if libxls can get to an official release soon. > | > | But readxl builds and passes tests everywhere with the current libxls, so > | that's good news: > | > | https://github.com/tidyverse/readxl/pull/543 > > Nice -- should I fold that into an interim release to address the CVE? > I can then follow-up with real release whenever you push to CRAN.
This would be fine from my end. I am hunting down one last hang identified by OSS-Fuzz (I.e. potential denial of service), but the CVEs, buffer overruns, and memory leaks are all fixed in Jenny’s pull request. Evan > > Dirk > > | -- Jenny > | > | On Sat, Jan 26, 2019 at 7:23 AM Evan Miller <emmil...@gmail.com> wrote: > | > | > > | > > On Jan 26, 2019, at 10:05, Dirk Eddelbuettel <e...@debian.org> wrote: > | > > > | > > > | > > On 24 January 2019 at 19:54, Evan Miller wrote: > | > > | > | > > | > On Jan 24, 2019, at 19:10, Dirk Eddelbuettel <e...@debian.org> > wrote: > | > > | > > | > > | > > | > > | > On 24 January 2019 at 16:36, Evan Miller wrote: > | > > | > | > | > > | > | > On Jan 23, 2019, at 01:16, Evan Miller <emmil...@gmail.com> > | > wrote: > | > > | > | > > | > > | > | > #34 and #35 have returned from the dead on GitHub. I’ll take a > | > closer look later this week. > | > > | > | > > | > > | > | > Evan > | > > | > | > | > > | > | > | > > | > | OK — I can confirm that all of the reported libxls bugs are fixed. > | > > | > > | > > | > As in: in the current libxls GH version? I can make a patched > Debian > | > > | > release of that. > | > > | > | > > | Yes, they are fixed in master on GitHub. Note that there are quite a > | > few changes since 1.4 – I can’t promise that master has ABI compatibility > | > with the last official 1.4 release. But if you compile the new sources > | > using the old headers (or diff and merge manually) I don’t think there > will > | > be an issue on that front. > | > > > | > > Maybe Jenny could take a look? > | > > > | > > It is her use of your library in her package that I stand behind for > | > Debian. > | > > | > Ah, okay, then the ABI doesn’t matter. I had assumed you were packaging > | > libxls as a runtime library + development headers. > | > > | > > > | > > Thanks for all your diligent work on this. It is great to see this move > | > in > | > > the right ("fuzzing") direction. > | > > | > Long overdue! :-) > | > > | > Evan > | > > | > > > | > > Dirk > | > > > | > > | Evan > | > > | > | > > | > > | > > | > | I have successfully integrated libxls into OSS-Fuzz, and have > | > added the researcher’s test files to the fuzzing corpus, so that this and > | > related issues should be caught by the address sanitizer in the future. > | > > | > | > | > > | > | OSS-Fuzz has turned up a number of other issues. I will plan to do > | > a release when they are all addressed. > | > > | > > | > > | > That is awesome. > | > > | > > | > > | > Thank you, Dirk > | > > | > > | > > | > | Evan > | > > | > | > | > > | > | > > | > > | > | >> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <j...@inutil.org > | > <mailto:j...@inutil.org>> wrote: > | > > | > | >> > | > > | > | >> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel > | > wrote: > | > > | > | >>> > | > > | > | >>> Hi Evan, > | > > | > | >>> > | > > | > | >>> On 15 January 2019 at 11:18, Evan Miller wrote: > | > > | > | >>> | > | > > | > | >>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff < > | > j...@inutil.org <mailto:j...@inutil.org>> wrote: > | > > | > | >>> | > > | > > | > | >>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller > | > wrote: > | > > | > | >>> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have > | > disappeared from GitHub. I don’t know if the original reporter intended to > | > close them, or what. > | > > | > | >>> | >> > | > > | > | >>> | >> I have an email copy of #34 but do not have access to the > | > PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei > | > Weiran Labs) my ability to research will be limited. > | > > | > | >>> | > > | > > | > | >>> | > That's really strange, do you have the mail address of > | > Zhao, could you ask him what happened? > | > > | > | >>> | > | > > | > | >>> | His address may be leon.zha...@gmail.com <mailto: > | > leon.zha...@gmail.com> - I’ll try it. His GitHub profile is now a 404. > | > > | > | >>> | > | > > | > | >>> | > > | > > | > | >>> | > MITRE doesn't archive security content per se, they only > | > deal with the organisation and assignment > | > > | > | >>> | > of numbers. The Internet Archive's Wayback machine also > | > hasn't archived the Github pages. > | > > | > | >>> | > > | > > | > | >>> | > Cheers, > | > > | > | >>> | > Moritz > | > > | > | >>> | > | > > | > | >>> | > | > > | > | >>> | Here are the Google caches of #34 and #35: > | > > | > | >>> | > | > > | > | >>> | > | > > https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari > | > < > | > > https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari > | > > > | > > | > | >>> | > | > > | > | >>> | > | > > https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari > | > < > | > > https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari > | > > > | > > | > | >>> | > | > > | > | >>> | The PoC links are dead. > | > > | > | >>> | > | > > | > | >>> | Looking at the backtraces and the commit fixing #36 and #37 > ( > | > > https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e > | > < > | > > https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e>) > | > it is my belief that issues #34 and #35 are NOT fixed. > | > > | > | >>> | > | > > | > | >>> | I’ll look into them soon. > | > > | > | >>> > | > > | > | >>> You're awesome! Much appreciated. > | > > | > | >>> > | > > | > | >>> Moritz: Do you expect the CVE to puliverize too, or will it > | > remain active and > | > > | > | >>> open, but "simply" without any hard (public) evidence backing > | > it? > | > > | > | >> > | > > | > | >> No, they stick around, it sometimes happens that references > | > vanish, e.g. then hosting sites > | > > | > | >> go down (think of berlios or similar) > | > > | > | >> > | > > | > | >> Cheers, > | > > | > | >> Moritz > | > > | > | > > | > > | > | > | > > | > > | > > | > -- > | > > | > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org > | > > > | > > -- > | > > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org > | > > > -- > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org