> On Jan 24, 2019, at 17:01, Jennifer Bryan <[email protected]> wrote:
> 
> Thanks for the update and fixes, Evan!
> 
> What sort of timeframe do you have in mind re: your official release?
> 
> That affects how I think about timing a readxl release. I don't do them 
> lightly but also want to get the fixes that address the CVEs into readxl 
> sooner rather than later.

I’m aiming to have a release in the next two weeks. Down to the last 4-5 issues 
unearthed by OSS-Fuzz but I will have limited computer access next week.

Evan

> 
> -- Jenny
> 
>> On Thu, Jan 24, 2019 at 1:36 PM Evan Miller <[email protected]> wrote:
>> 
>>> On Jan 23, 2019, at 01:16, Evan Miller <[email protected]> wrote:
>>> 
>>> #34 and #35 have returned from the dead on GitHub. I’ll take a closer look 
>>> later this week.
>>> 
>>> Evan
>> 
>> 
>> OK — I can confirm that all of the reported libxls bugs are fixed. I have 
>> successfully integrated libxls into OSS-Fuzz, and have added the 
>> researcher’s test files to the fuzzing corpus, so that this and related 
>> issues should be caught by the address sanitizer in the future.
>> 
>> OSS-Fuzz has turned up a number of other issues. I will plan to do a release 
>> when they are all addressed.
>> 
>> Evan
>> 
>>> 
>>>> On Jan 15, 2019, at 14:12, Moritz Muehlenhoff <[email protected]> wrote:
>>>> 
>>>>> On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote:
>>>>> 
>>>>> Hi Evan,
>>>>> 
>>>>> On 15 January 2019 at 11:18, Evan Miller wrote:
>>>>> | 
>>>>> | > On Jan 15, 2019, at 03:06, Moritz Muehlenhoff <[email protected]> wrote:
>>>>> | > 
>>>>> | > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote:
>>>>> | >> Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared 
>>>>> | >> from GitHub. I don’t know if the original reporter intended to close 
>>>>> | >> them, or what.
>>>>> | >> 
>>>>> | >> I have an email copy of #34 but do not have access to the PoC files. 
>>>>> | >> So without the cooperation of the reporter (Zhao Liang, Huawei Weiran 
>>>>> | >> Labs) my ability to research will be limited.
>>>>> | > 
>>>>> | > That's really strange, do you have the mail address of Zhao, could 
>>>>> | > you ask him what happened?
>>>>> | 
>>>>> | His address may be [email protected] - I’ll try it. His GitHub 
>>>>> | profile is now a 404.
>>>>> | 
>>>>> | > 
>>>>> | > MITRE doesn't archive security content per se, they only deal with 
>>>>> | > the organisation and assignment of numbers. The Internet Archive's 
>>>>> | > Wayback machine also hasn't archived the GitHub pages.
>>>>> | > 
>>>>> | > Cheers,
>>>>> | >        Moritz
>>>>> | 
>>>>> | 
>>>>> | Here are the Google caches of #34 and #35:
>>>>> | 
>>>>> | https://webcache.googleusercontent.com/search?q=cache:pgRHJwznP7wJ:https://github.com/evanmiller/libxls/issues/34+&cd=1&hl=en&ct=clnk&gl=us&client=safari
>>>>> | 
>>>>> | https://webcache.googleusercontent.com/search?q=cache:5GNSeHQTzEsJ:https://github.com/evanmiller/libxls/issues/35+&cd=1&hl=en&ct=clnk&gl=us&client=safari
>>>>> | 
>>>>> | The PoC links are dead.
>>>>> | 
>>>>> | Looking at the backtraces and the commit fixing #36 and #37 
>>>>> | (https://github.com/evanmiller/libxls/commit/24044ad7d7cec8a6a1c2370caad27890121a776e)
>>>>> | it is my belief that issues #34 and #35 are NOT fixed.
>>>>> | 
>>>>> | I’ll look into them soon.
>>>>> 
>>>>> You're awesome!  Much appreciated.
>>>>> 
>>>>> Moritz: Do you expect the CVE to pulverize too, or will it remain active 
>>>>> and open, but "simply" without any hard (public) evidence backing it?
>>>> 
>>>> No, they stick around, it sometimes happens that references vanish, e.g. 
>>>> when hosting sites go down (think of berlios or similar)
>>>> 
>>>> Cheers,
>>>>        Moritz
>>> 
>> 
