Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Dirk Eddelbuettel

On 13 April 2018 at 15:33, Moritz Muehlenhoff wrote:
| On Fri, Apr 13, 2018 at 08:29:31AM -0500, Dirk Eddelbuettel wrote:
| > 
| > Ok, I got something. Do you want me to put it on my webserver here for you to
| > fetch and inspect (or I could even email a tarball) or should I upload?
| 
| Please send a debdiff to t...@security.debian.org

Done!

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Moritz Muehlenhoff
On Fri, Apr 13, 2018 at 08:29:31AM -0500, Dirk Eddelbuettel wrote:
> 
> Ok, I got something. Do you want me to put it on my webserver here for you to
> fetch and inspect (or I could even email a tarball) or should I upload?

Please send a debdiff to t...@security.debian.org

Cheers,
Moritz



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Dirk Eddelbuettel

Ok, I got something. Do you want me to put it on my webserver here for you to
fetch and inspect (or I could even email a tarball) or should I upload?

Format: 1.8
Date: Fri, 13 Apr 2018 08:18:46 -0500
Source: r-cran-readxl
Binary: r-cran-readxl
Architecture: source amd64
Version: 0.1.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Dirk Eddelbuettel 
Changed-By: Dirk Eddelbuettel 
Description:
 r-cran-readxl - GNU R package to read Excel files
Closes: 895564
Changes:
 r-cran-readxl (0.1.1-1+deb9u1) stretch-security; urgency=high
 .
   * src/endian.c: Updated from libxls upstream (Closes: #895564)
   * src/libxls/endian.h: Idem
   * src/libxls/ole.h: Idem
   * src/libxls/xls.h: Idem
   * src/libxls/xlsstruct.h: Idem
   * src/libxls/xlstool.h: Idem
   * src/libxls/xlstypes.h: Idem
   * src/ole.c: Idem
   * src/xls.c: Idem
   * src/xlstool.c: Idem
 .
   * This addresses CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111
     CVE-2017-12110 with corresponding upstream patches.
Checksums-Sha1:
 7b2ce0a1224ac351ee74ee4e3b11b322a3dee2f8 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 d7714ce4fce42ec753e751e3966c652990795d32 323034 r-cran-readxl_0.1.1.orig.tar.gz
 79c290dfcdcaf87216109f244fc89489c18dffd2 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 a384c8b7f37ea1d7a6f45ec84e7f6954fdcf8935 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 1a2350f2e291e3b01bb3c93e80c191c394bd1642 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 5bc8fe4282efc4c5a8b3bf75f887e6727931a227 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Checksums-Sha256:
 7b028e62cd6816f05c56706aa6506967501d5a19664b051ca9e7319791bf9cde 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 39d3da470137581a385c3130468d5e0ee5b5be9e46b6d3e93e4209dac3edf57a 323034 r-cran-readxl_0.1.1.orig.tar.gz
 55e0ea1d4a40e9ef31bb90d0695fa48715d3ad109b077b53cc7069078537fd96 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 529f19b41378156ca79dfd86cc52b5e12af2916f534bb4a8d7edf8bacfe808d0 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 fea96b548846e900e467ff4f24b52bbb3f496b2d830fb5f8229b8662b34b007e 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 dee521999cc22f272bee5c75f34065746829ead4ff151467df3cbc99ae889044 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Files:
 e91dfc78b8d9bf518b6e8681691d312b 902 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.dsc
 565fd569d520e62ecd174aa4d3e43ce3 323034 gnu-r optional r-cran-readxl_0.1.1.orig.tar.gz
 3cbdab6a1a41ff4ff7aef5c5be293cf5 21868 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 aaf73941887e511c3418b66468050045 1086354 debug extra r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 544cddafcf278c9c67a791f538f39f7f 8261 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 80d5b7e4271642ae3e2ac83658e297c6 197664 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.deb


Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
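The .changes file in the message above carries SHA-256 checksums and sizes for every upload artefact, which is what a reviewer who receives a tarball or fetches the files from a webserver would check them against before inspecting a debdiff. The following is an added example, not code from this thread or from Debian's tooling: a small Python checker that parses the Checksums-Sha256 field of a .changes file (Debian control format, where a multi-line value consists of continuation lines beginning with whitespace) and then compares size and digest of the files found in a directory. The embedded sample text reuses three entries from the thread's own Checksums-Sha256 block; the verification run in the usage note works on files you construct yourself, since the real artefacts are not part of the page.

```python
import hashlib
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: three entries copied from the r-cran-readxl 0.1.1-1+deb9u1
# .changes file quoted in this thread, surrounded by other fields so the parser
# has to locate the right one and stop at its end.
SAMPLE_CHANGES = """\
Format: 1.8
Source: r-cran-readxl
Checksums-Sha256:
 7b028e62cd6816f05c56706aa6506967501d5a19664b051ca9e7319791bf9cde 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 39d3da470137581a385c3130468d5e0ee5b5be9e46b6d3e93e4209dac3edf57a 323034 r-cran-readxl_0.1.1.orig.tar.gz
 55e0ea1d4a40e9ef31bb90d0695fa48715d3ad109b077b53cc7069078537fd96 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
Files:
 e91dfc78b8d9bf518b6e8681691d312b 902 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.dsc
"""

Entry = Tuple[str, int, str]  # (hex digest, size in bytes, filename)

# Expected hex-digest length per checksum field.
HEX_LEN = {"Checksums-Sha1": 40, "Checksums-Sha256": 64}


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> List[Entry]:
    """Return the (digest, size, filename) triples listed under `field`.

    A field starts at column 0 as 'Name:'; its value continues on the lines
    that begin with a space or tab, and ends at the next column-0 line.
    """
    entries: List[Entry] = []
    in_field = False
    for line in changes_text.splitlines():
        if not line[:1].isspace():  # column 0: a new field (or an empty line) starts
            in_field = line.split(":", 1)[0] == field
            continue
        if not in_field or not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed {field} line: {line!r}")
        digest, size, name = parts
        if not re.fullmatch(rf"[0-9a-f]{{{HEX_LEN[field]}}}", digest):
            raise ValueError(f"{field} entry is not a valid hex digest: {line!r}")
        # Upload filenames are bare basenames; refuse anything that would
        # make verify_files() read outside the target directory.
        if os.path.basename(name) != name or name in ("", ".", ".."):
            raise ValueError(f"refusing path component in filename: {name!r}")
        entries.append((digest, int(size), name))
    return entries


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large .deb files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text: str, directory: str) -> Dict[str, str]:
    """Check every Checksums-Sha256 entry against `directory`; return {filename: status}.

    Status is one of "ok", "missing", "size-mismatch", "digest-mismatch".
    The size is compared first: it is free and already catches truncated
    downloads before any hashing is done.
    """
    results: Dict[str, str] = {}
    for digest, size, name in parse_checksums(changes_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # Parse the embedded sample; to verify real files, call
    # verify_files(open("foo.changes").read(), "/path/to/downloaded/files").
    for digest, size, name in parse_checksums(SAMPLE_CHANGES):
        print(f"{name}: {size} bytes, sha256 {digest[:16]}...")
```

Note that a matching checksum only proves the files are the ones the .changes file describes; the .changes file itself is what the uploader signs, so the signature on it is what ties the whole set to the maintainer.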



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Moritz Muehlenhoff
On Fri, Apr 13, 2018 at 08:03:31AM -0500, Dirk Eddelbuettel wrote:
> 
> On 13 April 2018 at 14:43, Moritz Muehlenhoff wrote:
> | On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
> | > 
> | > On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
> | > | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> | > | > 
> | > | > Further update. I took some files from the new (in-progress, unfinished it
> | > | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> | > | > some advice from the libxls maintainer.
> | > | > 
> | > | > He also put new issue tickets up, one per CVE:
> | > | > https://github.com/evanmiller/libxls/issues
> | > | > 
> | > | > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
> | > | > have lots of those) but 'almost': 4 fail, 348 pass.
> | > | > 
> | > | > We could release this, methinks.  What is your recommendation (and it has
> | > | > been years since I last had to do a security release so help is as always
> | > | > appreciated).
> | > | 
> | > | Do all of these patches/vulnerabilities apply to the version in stable?
> | > 
> | > I took a first look. It might just be doable.
> | > 
> | > | Then I'd say let's fix this via security.debian.org, see
> | > | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> | > | for some references.
> | > 
> | > Where would I get a chroot for stable?
> | 
> | There are multiple options, but e.g. with pbuilder you can simply create one
> | using:
> | 
> | sudo pbuilder create --distribution stretch 
> 
> Yes, sure, I just read the link you pointed to as implying there were
> ready-made ones just an ssh away as we do (did?) for the porter machines.

Ah, ok. That doesn't exist, no.

Cheers,
Moritz



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Dirk Eddelbuettel

On 13 April 2018 at 14:43, Moritz Muehlenhoff wrote:
| On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
| > 
| > On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
| > | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
| > | > 
| > | > Further update. I took some files from the new (in-progress, unfinished it
| > | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
| > | > some advice from the libxls maintainer.
| > | > 
| > | > He also put new issue tickets up, one per CVE:
| > | > https://github.com/evanmiller/libxls/issues
| > | > 
| > | > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
| > | > have lots of those) but 'almost': 4 fail, 348 pass.
| > | > 
| > | > We could release this, methinks.  What is your recommendation (and it has
| > | > been years since I last had to do a security release so help is as always
| > | > appreciated).
| > | 
| > | Do all of these patches/vulnerabilities apply to the version in stable?
| > 
| > I took a first look. It might just be doable.
| > 
| > | Then I'd say let's fix this via security.debian.org, see
| > | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
| > | for some references.
| > 
| > Where would I get a chroot for stable?
| 
| There are multiple options, but e.g. with pbuilder you can simply create one
| using:
| 
| sudo pbuilder create --distribution stretch 

Yes, sure, I just read the link you pointed to as implying there were
ready-made ones just an ssh away as we do (did?) for the porter machines.

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Moritz Muehlenhoff
On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
> 
> On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
> | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> | > 
> | > Further update. I took some files from the new (in-progress, unfinished it
> | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> | > some advice from the libxls maintainer.
> | > 
> | > He also put new issue tickets up, one per CVE:
> | > https://github.com/evanmiller/libxls/issues
> | > 
> | > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
> | > have lots of those) but 'almost': 4 fail, 348 pass.
> | > 
> | > We could release this, methinks.  What is your recommendation (and it has
> | > been years since I last had to do a security release so help is as always
> | > appreciated).
> | 
> | Do all of these patches/vulnerabilities apply to the version in stable?
> 
> I took a first look. It might just be doable.
> 
> | Then I'd say let's fix this via security.debian.org, see
> | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> | for some references.
> 
> Where would I get a chroot for stable?

There are multiple options, but e.g. with pbuilder you can simply create one
using:

sudo pbuilder create --distribution stretch 

Cheers,
Moritz



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Dirk Eddelbuettel

On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
| On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
| > 
| > Further update. I took some files from the new (in-progress, unfinished it
| > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
| > some advice from the libxls maintainer.
| > 
| > He also put new issue tickets up, one per CVE:
| > https://github.com/evanmiller/libxls/issues
| > 
| > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
| > have lots of those) but 'almost': 4 fail, 348 pass.
| > 
| > We could release this, methinks.  What is your recommendation (and it has
| > been years since I last had to do a security release so help is as always
| > appreciated).
| 
| Do all of these patches/vulnerabilities apply to the version in stable?

I took a first look. It might just be doable.

| Then I'd say let's fix this via security.debian.org, see
| https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
| for some references.

Where would I get a chroot for stable?

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-13 Thread Moritz Mühlenhoff
On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> 
> Further update. I took some files from the new (in-progress, unfinished it
> seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> some advice from the libxls maintainer.
> 
> He also put new issue tickets up, one per CVE:
> https://github.com/evanmiller/libxls/issues
> 
> And that builds.  It does not pass all unit tests (R / CRAN packages tend to
> have lots of those) but 'almost': 4 fail, 348 pass.
> 
> We could release this, methinks.  What is your recommendation (and it has
> been years since I last had to do a security release so help is as always
> appreciated).

Do all of these patches/vulnerabilities apply to the version in stable?
Then I'd say let's fix this via security.debian.org, see
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
for some references.

Cheers,
Moritz



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-12 Thread Dirk Eddelbuettel

Further update. I took some files from the new (in-progress, unfinished it
seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
some advice from the libxls maintainer.

He also put new issue tickets up, one per CVE:
https://github.com/evanmiller/libxls/issues

And that builds.  It does not pass all unit tests (R / CRAN packages tend to
have lots of those) but 'almost': 4 fail, 348 pass.

We could release this, methinks.  What is your recommendation (and it has
been years since I last had to do a security release so help is as always
appreciated).

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-12 Thread Dirk Eddelbuettel

I am in contact with upstream for readxl; upstream for readxl is trying to
get hold of a new (tentative) upstream for libxls.  I will follow up here as
I learn more.

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-12 Thread Dirk Eddelbuettel

On 12 April 2018 at 20:42, Moritz Muehlenhoff wrote:
| Package: r-cran-readxl
| Severity: grave
| Tags: security
| 
| r-cran-readxl bundles libxls which is affected by a number of security
| vulnerabilities:
| 
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Dang. It looks like readxl upstream (https://github.com/tidyverse/readxl) may
not even be aware.

Is there a newer libxls you are aware of?  I don't see anything at the
sourceforge site either :-/

Dirk


-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-12 Thread Moritz Muehlenhoff
retitle 895564 CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111 CVE-2017-12110
thanks

On Thu, Apr 12, 2018 at 08:42:20PM +0200, Moritz Muehlenhoff wrote:
> Package: r-cran-readxl
> Severity: grave
> Tags: security
> 
> r-cran-readxl bundles libxls which is affected by a number of security
> vulnerabilities:
> 
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Also:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463
 
Cheers,
Moritz



Processed: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 895564 CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111 CVE-2017-12110
Bug #895564 [r-cran-readxl] CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Changed Bug title to 'CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111 CVE-2017-12110' from 'CVE-2017-2896 CVE-2017-2897 CVE-2017-2919'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
895564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919

2018-04-12 Thread Moritz Muehlenhoff
Package: r-cran-readxl
Severity: grave
Tags: security

r-cran-readxl bundles libxls which is affected by a number of security
vulnerabilities:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Cheers,
Moritz