> On Jan 26, 2019, at 23:09, Dirk Eddelbuettel <e...@debian.org> wrote:
> 
> 
> On 26 January 2019 at 15:59, Jennifer Bryan wrote:
> | I'll still wait a bit to see if libxls can get to an official release soon.
> | 
> | But readxl builds and passes tests everywhere with the current libxls, so
> | that's good news:
> | 
> | https://github.com/tidyverse/readxl/pull/543
> 
> Nice -- should I fold that into an interim release to address the CVE?
> I can then follow up with a real release whenever you push to CRAN.

This would be fine from my end. I am hunting down one last hang identified by
OSS-Fuzz (i.e. a potential denial of service), but the CVEs, buffer overruns, and
memory leaks are all fixed in Jenny's pull request.

Evan

> 
> Dirk
> 
> | -- Jenny
> | 
> | On Sat, Jan 26, 2019 at 7:23 AM Evan Miller <emmil...@gmail.com> wrote:
> | 
> | >
> | > > On Jan 26, 2019, at 10:05, Dirk Eddelbuettel <e...@debian.org> wrote:
> | > >
> | > >
> | > > On 24 January 2019 at 19:54, Evan Miller wrote:
> | > > |
> | > > | > On Jan 24, 2019, at 19:10, Dirk Eddelbuettel <e...@debian.org> wrote:
> | > > | >
> | > > | >
> | > > | > On 24 January 2019 at 16:36, Evan Miller wrote:
> | > > | > |
> | > > | > | > On Jan 23, 2019, at 01:16, Evan Miller <emmil...@gmail.com> wrote:
> | > > | > | >
> | > > | > | > #34 and #35 have returned from the dead on GitHub. I'll take a closer look later this week.
> | > > | > | >
> | > > | > | > Evan
> | > > | > |
> | > > | > |
> | > > | > | OK — I can confirm that all of the reported libxls bugs are fixed.
> | > > | >
> | > > | > As in: in the current libxls GH version?  I can make a patched Debian
> | > > | > release of that.
> | > > |
> | > > | Yes, they are fixed in master on GitHub. Note that there are quite a
> | > > | few changes since 1.4 -- I can't promise that master has ABI compatibility
> | > > | with the last official 1.4 release. But if you compile the new sources
> | > > | using the old headers (or diff and merge manually) I don't think there will
> | > > | be an issue on that front.
> | > >
> | > > Maybe Jenny could take a look?
> | > >
> | > > It is her use of your library in her package that I stand behind for Debian.
> | >
> | > Ah, okay, then the ABI doesn't matter. I had assumed you were packaging
> | > libxls as a runtime library + development headers.
> | >
> | > >
> | > > Thanks for all your diligent work on this. It is great to see this move in
> | > > the right ("fuzzing") direction.
> | >
> | > Long overdue! :-)
> | >
> | > Evan
> | >
> | > >
> | > > Dirk
> | > >
> | > > | Evan
> | > > |
> | > > | >
> | > > | > | I have successfully integrated libxls into OSS-Fuzz, and have
> | > > | > | added the researcher's test files to the fuzzing corpus, so that this and
> | > > | > | related issues should be caught by the address sanitizer in the future.
> | > > | > |
> | > > | > | OSS-Fuzz has turned up a number of other issues. I will plan to do
> | > > | > | a release when they are all addressed.
> | > > | >
> | > > | > That is awesome.
> | > > | >
> | > > | > Thank you,  Dirk
> | > > | >
> | > > | > | Evan
> | > > | > |
> | > > | > | >
> | > > | > | >> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <j...@inutil.org> wrote:
> | > > | > | >>
> | > > | > | >> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote:
> | > > | > | >>>
> | > > | > | >>> Hi Evan,
> | > > | > | >>>
> | > > | > | >>> On 15 January 2019 at 11:18, Evan Miller wrote:
> | > > | > | >>> |
> | > > | > | >>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <j...@inutil.org> wrote:
> | > > | > | >>> | >
> | > > | > | >>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote:
> | > > | > | >>> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have
> | > > | > | >>> | >> disappeared from GitHub. I don't know if the original reporter intended to
> | > > | > | >>> | >> close them, or what.
> | > > | > | >>> | >>
> | > > | > | >>> | >> I have an email copy of #34 but do not have access to the
> | > > | > | >>> | >> PoC files. So without the cooperation of the reporter (Zhao Liang, Huawei
> | > > | > | >>> | >> Weiran Labs) my ability to research will be limited.
> | > > | > | >>> | >
> | > > | > | >>> | > That's really strange, do you have the mail address of
> | > > | > | >>> | > Zhao, could you ask him what happened?
> | > > | > | >>> |
> | > > | > | >>> | His address may be leon.zha...@gmail.com - I'll try it. His GitHub profile is now a 404.
> | > > | > | >>> |
> | > > | > | >>> | >
> | > > | > | >>> | > MITRE doesn't archive security content per se, they only
> | > > | > | >>> | > deal with the organisation and assignment
> | > > | > | >>> | > of numbers. The Internet Archive's Wayback machine also
> | > > | > | >>> | > hasn't archived the Github pages.
> | > > | > | >>> | >
> | > > | > | >>> | > Cheers,
> | > > | > | >>> | >        Moritz
> | > > | > | >>> |
> | > > | > | >>> |
> | > > | > | >>> | Here are the Google caches of #34 and #35:
> | > > | > | >>> |
> | > > | > | >>> |
> | > > | > | >>> | https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari
> | > > | > | >>> |
> | > > | > | >>> |
> | > > | > | >>> | https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari
> | > > | > | >>> |
> | > > | > | >>> | The PoC links are dead.
> | > > | > | >>> |
> | > > | > | >>> | Looking at the backtraces and the commit fixing #36 and #37
> | > > | > | >>> | (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e)
> | > > | > | >>> | it is my belief that issues #34 and #35 are NOT fixed.
> | > > | > | >>> |
> | > > | > | >>> | I’ll look into them soon.
> | > > | > | >>>
> | > > | > | >>> You're awesome!  Much appreciated.
> | > > | > | >>>
> | > > | > | >>> Moritz: Do you expect the CVE to pulverize too, or will it remain active and
> | > > | > | >>> open, but "simply" without any hard (public) evidence backing it?
> | > > | > | >>
> | > > | > | >> No, they stick around, it sometimes happens that references
> | > > | > | >> vanish, e.g. when hosting sites go down (think of berlios or similar)
> | > > | > | >>
> | > > | > | >> Cheers,
> | > > | > | >>        Moritz
> | > > | > | >
> | > > | > |
> | > > | >
> | > > | > --
> | > > | > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
> | > >
> | > > --
> | > > http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
> | >
> 
> -- 
> http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
