Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-02-11 Thread Evan Miller
An official release of libxls 1.5.0 is here: https://github.com/libxls/libxls/releases/tag/v1.5.0 It fixes all known vulnerabilities. Thanks for your patience everyone. Evan > On Feb 4, 2019, at 17:15, Dirk Eddelbuettel wrote: > > >

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-29 Thread Evan Miller
Or am I rolling on my own schedule now, knowing that I am embedding a libxls > release in the moral sense? > > -- Jenny > >> On Tue, Jan 29, 2019 at 11:38 AM Evan Miller wrote: >> Thanks Jenny. In that case I am not planning any additional code changes, >> just

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-29 Thread Evan Miller
our > PR and readxl still passes checks on all platforms. > > https://github.com/tidyverse/readxl/pull/543 > > -- Jenny > >> On Tue, Jan 29, 2019 at 7:31 AM Evan Miller wrote: >> All issues identified by OSS-Fuzz are now fixed in libxls master. @Jenny if >> t

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-29 Thread Evan Miller
why the issues he filed disappeared without warning. Sent from my iPad > On Jan 27, 2019, at 10:27, Dirk Eddelbuettel wrote: > > > On 27 January 2019 at 09:25, Evan Miller wrote: > | > | > On Jan 26, 2019, at 23:09, Dirk Eddelbuettel wrote: > | > > | >

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-27 Thread Evan Miller
last hang identified by OSS-Fuzz (i.e. potential denial of service), but the CVEs, buffer overruns, and memory leaks are all fixed in Jenny’s pull request. Evan > > Dirk > > | -- Jenny > | > | On Sat, Jan 26, 2019 at 7:23 AM Evan Miller wrote: > | >

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-26 Thread Evan Miller
> On Jan 26, 2019, at 10:05, Dirk Eddelbuettel wrote: > > > On 24 January 2019 at 19:54, Evan Miller wrote: > | > | > On Jan 24, 2019, at 19:10, Dirk Eddelbuettel wrote: > | > > | > > | > On 24 January 2019 at 16:36, Evan Miller wrote: > | >

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-24 Thread Evan Miller
so want to get the fixes that address the CVEs into readxl > sooner rather than later. I’m aiming to have a release in the next two weeks. Down to the last 4-5 issues unearthed by OSS-Fuzz but I will have limited computer access next week. Evan > > -- Jenny > >> On Thu,

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-24 Thread Evan Miller
> On Jan 24, 2019, at 19:10, Dirk Eddelbuettel wrote: > > > On 24 January 2019 at 16:36, Evan Miller wrote: > | > | > On Jan 23, 2019, at 01:16, Evan Miller wrote: > | > > | > #34 and #35 have returned from the dead on GitHub. I’ll take a closer > loo

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-24 Thread Evan Miller
> On Jan 23, 2019, at 01:16, Evan Miller wrote: > > #34 and #35 have returned from the dead on GitHub. I’ll take a closer look > later this week. > > Evan OK — I can confirm that all of the reported libxls bugs are fixed. I have successfully integrated libxls into OSS-Fu

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-22 Thread Evan Miller
#34 and #35 have returned from the dead on GitHub. I’ll take a closer look later this week. Evan > On Jan 15, 2019, at 14:12, Moritz Muehlenhoff wrote: > > On Tue, Jan 15, 2019 at 10:43:25AM -0600, Dirk Eddelbuettel wrote: >> >> Hi Evan, >> >> On 15 January

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-15 Thread Evan Miller
> On Jan 15, 2019, at 11:18, Evan Miller wrote: > > >> On Jan 15, 2019, at 03:06, Moritz Muehlenhoff wrote: >> >> That's really strange, do you have the mail address of Zhao, could you ask >> him what happened? > > His address may be leon.zha...@gmai

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-15 Thread Evan Miller
> On Jan 15, 2019, at 03:06, Moritz Muehlenhoff wrote: > > On Mon, Jan 14, 2019 at 08:45:56PM -0500, Evan Miller wrote: >> Oddly, all four issues (#34, #35, #36, #37) seem to have disappeared from >> GitHub. I don’t know if the original reporter intended to close them,

Bug#919324: CVE-2018-20450 CVE-2018-20452

2019-01-14 Thread Evan Miller
Labs) my ability to research will be limited. Evan > On Jan 14, 2019, at 19:22, Dirk Eddelbuettel wrote: > > > Hi Evan, > > On 14 January 2019 at 19:03, Evan Miller wrote: > | Hi Dirk, > | > | You are correct - these are issues with the underlying C library, the >