Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On 13 April 2018 at 15:33, Moritz Muehlenhoff wrote:
| On Fri, Apr 13, 2018 at 08:29:31AM -0500, Dirk Eddelbuettel wrote:
| >
| > Ok, I got something. Do you want me to put it on my webserver here for you to
| > fetch and inspect (or I could even email a tarball) or should I upload?
|
| Please send a debdiff to t...@security.debian.org

Done!

Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On Fri, Apr 13, 2018 at 08:29:31AM -0500, Dirk Eddelbuettel wrote:
>
> Ok, I got something. Do you want me to put it on my webserver here for you to
> fetch and inspect (or I could even email a tarball) or should I upload?

Please send a debdiff to t...@security.debian.org

Cheers,
Moritz
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Ok, I got something. Do you want me to put it on my webserver here for you to
fetch and inspect (or I could even email a tarball) or should I upload?

Format: 1.8
Date: Fri, 13 Apr 2018 08:18:46 -0500
Source: r-cran-readxl
Binary: r-cran-readxl
Architecture: source amd64
Version: 0.1.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Dirk Eddelbuettel
Changed-By: Dirk Eddelbuettel
Description:
 r-cran-readxl - GNU R package to read Excel files
Closes: 895564
Changes:
 r-cran-readxl (0.1.1-1+deb9u1) stretch-security; urgency=high
 .
   * src/endian.c: Updated from libxls upstream (Closes: #895564)
   * src/libxls/endian.h: Idem
   * src/libxls/ole.h: Idem
   * src/libxls/xls.h: Idem
   * src/libxls/xlsstruct.h: Idem
   * src/libxls/xlstool.h: Idem
   * src/libxls/xlstypes.h: Idem
   * src/ole.c: Idem
   * src/xls.c: Idem
   * src/xlstool.c: Idem
 .
   * This addresses CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111
     CVE-2017-12110 with corresponding upstream patches.
Checksums-Sha1:
 7b2ce0a1224ac351ee74ee4e3b11b322a3dee2f8 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 d7714ce4fce42ec753e751e3966c652990795d32 323034 r-cran-readxl_0.1.1.orig.tar.gz
 79c290dfcdcaf87216109f244fc89489c18dffd2 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 a384c8b7f37ea1d7a6f45ec84e7f6954fdcf8935 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 1a2350f2e291e3b01bb3c93e80c191c394bd1642 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 5bc8fe4282efc4c5a8b3bf75f887e6727931a227 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Checksums-Sha256:
 7b028e62cd6816f05c56706aa6506967501d5a19664b051ca9e7319791bf9cde 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 39d3da470137581a385c3130468d5e0ee5b5be9e46b6d3e93e4209dac3edf57a 323034 r-cran-readxl_0.1.1.orig.tar.gz
 55e0ea1d4a40e9ef31bb90d0695fa48715d3ad109b077b53cc7069078537fd96 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 529f19b41378156ca79dfd86cc52b5e12af2916f534bb4a8d7edf8bacfe808d0 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 fea96b548846e900e467ff4f24b52bbb3f496b2d830fb5f8229b8662b34b007e 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 dee521999cc22f272bee5c75f34065746829ead4ff151467df3cbc99ae889044 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Files:
 e91dfc78b8d9bf518b6e8681691d312b 902 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.dsc
 565fd569d520e62ecd174aa4d3e43ce3 323034 gnu-r optional r-cran-readxl_0.1.1.orig.tar.gz
 3cbdab6a1a41ff4ff7aef5c5be293cf5 21868 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 aaf73941887e511c3418b66468050045 1086354 debug extra r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 544cddafcf278c9c67a791f538f39f7f 8261 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 80d5b7e4271642ae3e2ac83658e297c6 197664 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.deb

Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
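An added check for the .changes above, written for this page and not part of the thread or of Debian's tooling (dscverify, debsign and dpkg-genchanges are what you would actually use): a small Python script that parses the Checksums-Sha1, Checksums-Sha256 and Files stanzas, confirms that the three name the same files with the same sizes and well-formed digests, and, given a directory, hashes the files on disk against the listed values. SAMPLE_CHANGES is the posted .changes trimmed to the three source artifacts; the artifact written by roundtrip_demo, its file name and its contents are constructed for the example.

```python
"""Cross-check the checksum stanzas of a Debian .changes file.

Added example for this thread, not Debian's own tooling (dscverify, debsign and
dpkg-genchanges are the real ones).  SAMPLE_CHANGES is the .changes posted in the
thread, trimmed to the three source artifacts and the fields these checks use."""
import hashlib
import os
import re
import tempfile

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ALGOS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}

SAMPLE_CHANGES = """\
Changes:
 r-cran-readxl (0.1.1-1+deb9u1) stretch-security; urgency=high
 .
   * This addresses CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111
     CVE-2017-12110 with corresponding upstream patches.
Checksums-Sha1:
 7b2ce0a1224ac351ee74ee4e3b11b322a3dee2f8 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 d7714ce4fce42ec753e751e3966c652990795d32 323034 r-cran-readxl_0.1.1.orig.tar.gz
 79c290dfcdcaf87216109f244fc89489c18dffd2 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
Checksums-Sha256:
 7b028e62cd6816f05c56706aa6506967501d5a19664b051ca9e7319791bf9cde 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 39d3da470137581a385c3130468d5e0ee5b5be9e46b6d3e93e4209dac3edf57a 323034 r-cran-readxl_0.1.1.orig.tar.gz
 55e0ea1d4a40e9ef31bb90d0695fa48715d3ad109b077b53cc7069078537fd96 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
Files:
 e91dfc78b8d9bf518b6e8681691d312b 902 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.dsc
 565fd569d520e62ecd174aa4d3e43ce3 323034 gnu-r optional r-cran-readxl_0.1.1.orig.tar.gz
 3cbdab6a1a41ff4ff7aef5c5be293cf5 21868 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
"""


def parse_changes(text):
    """Field -> list of values; continuation lines (leading whitespace) are appended."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current].append(line.strip())
        elif ":" in line:
            current, _, value = line.partition(":")
            current = current.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def checksum_entries(fields, stanza):
    """filename -> (digest, size) for one stanza; the file name is always the last token."""
    out = {}
    for entry in fields.get(stanza, []):
        parts = entry.split()
        if len(parts) < 3:
            raise ValueError("malformed %s entry: %r" % (stanza, entry))
        out[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return out


def find_inconsistencies(text, directory=None):
    """Problems found; [] means the stanzas agree (and match disk, if directory is given)."""
    fields, problems = parse_changes(text), []
    stanzas = {s: checksum_entries(fields, s) for s in ALGOS}
    for stanza, algo in ALGOS.items():
        if set(stanzas[stanza]) != set(stanzas["Files"]):
            problems.append("%s: file set differs from Files" % stanza)
        for name, (digest, size) in stanzas[stanza].items():
            if len(digest) != 2 * hashlib.new(algo).digest_size or not re.fullmatch(r"[0-9a-f]+", digest):
                problems.append("%s: malformed %s digest for %s" % (stanza, algo, name))
            if stanzas["Files"].get(name, (None, size))[1] != size:
                problems.append("%s: size %d for %s disagrees with Files" % (stanza, size, name))
            if directory is None:
                continue
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                problems.append("%s: missing on disk" % name)
                continue
            with open(path, "rb") as f:
                data = f.read()
            if len(data) != size:
                problems.append("%s: on-disk size %d != listed %d" % (name, len(data), size))
            if hashlib.new(algo, data).hexdigest() != digest:
                problems.append("%s: %s digest mismatch against %s" % (name, algo, stanza))
    return problems


def cves_addressed(text):
    """CVE ids named in the Changes field, in first-seen order."""
    found = CVE_RE.findall(" ".join(parse_changes(text).get("Changes", [])))
    return list(dict.fromkeys(found))


def roundtrip_demo():
    """Constructed artifact + matching .changes: verify, append one byte, verify again."""
    data, name = b"constructed payload, not a real Debian artifact\n", "example_1.0.orig.tar.gz"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        text = "".join("%s:\n %s %d%s %s\n" % (s, hashlib.new(a, data).hexdigest(), len(data),
                       " misc optional" if s == "Files" else "", name) for s, a in ALGOS.items())
        before = find_inconsistencies(text, d)
        with open(os.path.join(d, name), "ab") as f:
            f.write(b"X")  # one trailing byte: size and all three digests now disagree
        after = find_inconsistencies(text, d)
    return before, after
```

Run it as find_inconsistencies(open("pkg.changes").read(), "..") from the build directory before sending the debdiff; an empty list means the stanzas are internally consistent and the artifacts on disk are the ones described. This checks integrity only: whether the .changes itself is signed by the uploader (debsign, gpg --verify) is a separate step that this script does not replace.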
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On Fri, Apr 13, 2018 at 08:03:31AM -0500, Dirk Eddelbuettel wrote:
>
> On 13 April 2018 at 14:43, Moritz Muehlenhoff wrote:
> | On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
> | >
> | > On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
> | > | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> | > | >
> | > | > Further update. I took some files from the new (in-progress, unfinished it
> | > | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> | > | > some advice from the libxls maintainer.
> | > | >
> | > | > He also put new issue tickets up, one per CVE:
> | > | > https://github.com/evanmiller/libxls/issues
> | > | >
> | > | > And that builds. It does not pass all unit tests (R / CRAN packages tend to
> | > | > have lots of those) but 'almost': 4 fail, 348 pass.
> | > | >
> | > | > We could release this, methinks. What is your recommendation (and it has
> | > | > been years since I last had to do a security release so help is as always
> | > | > appreciated).
> | > |
> | > | Do all of these patches/vulnerabilities apply to the version in stable?
> | >
> | > I took a first look. It might just be doable.
> | >
> | > | Then I'd say let's fix this via security.debian.org, see
> | > | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> | > | for some references.
> | >
> | > Where would I get chroot for stable?
> |
> | There's multiple options, but e.g. with pbuilder you can simply create one using:
> |
> | sudo pbuilder create --distribution stretch
>
> Yes, sure, I just read the link you pointed to as implying there were
> ready-made-ones just an ssh away as we do (did?) for the porter machines.

Ah, ok. That doesn't exist, no.

Cheers,
Moritz
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On 13 April 2018 at 14:43, Moritz Muehlenhoff wrote:
| On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
| >
| > On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
| > | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
| > | >
| > | > Further update. I took some files from the new (in-progress, unfinished it
| > | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
| > | > some advice from the libxls maintainer.
| > | >
| > | > He also put new issue tickets up, one per CVE:
| > | > https://github.com/evanmiller/libxls/issues
| > | >
| > | > And that builds. It does not pass all unit tests (R / CRAN packages tend to
| > | > have lots of those) but 'almost': 4 fail, 348 pass.
| > | >
| > | > We could release this, methinks. What is your recommendation (and it has
| > | > been years since I last had to do a security release so help is as always
| > | > appreciated).
| > |
| > | Do all of these patches/vulnerabilities apply to the version in stable?
| >
| > I took a first look. It might just be doable.
| >
| > | Then I'd say let's fix this via security.debian.org, see
| > | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
| > | for some references.
| >
| > Where would I get chroot for stable?
|
| There's multiple options, but e.g. with pbuilder you can simply create one using:
|
| sudo pbuilder create --distribution stretch

Yes, sure, I just read the link you pointed to as implying there were
ready-made-ones just an ssh away as we do (did?) for the porter machines.

Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
>
> On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
> | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> | >
> | > Further update. I took some files from the new (in-progress, unfinished it
> | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> | > some advice from the libxls maintainer.
> | >
> | > He also put new issue tickets up, one per CVE:
> | > https://github.com/evanmiller/libxls/issues
> | >
> | > And that builds. It does not pass all unit tests (R / CRAN packages tend to
> | > have lots of those) but 'almost': 4 fail, 348 pass.
> | >
> | > We could release this, methinks. What is your recommendation (and it has
> | > been years since I last had to do a security release so help is as always
> | > appreciated).
> |
> | Do all of these patches/vulnerabilities apply to the version in stable?
>
> I took a first look. It might just be doable.
>
> | Then I'd say let's fix this via security.debian.org, see
> | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> | for some references.
>
> Where would I get chroot for stable?

There's multiple options, but e.g. with pbuilder you can simply create one using:

sudo pbuilder create --distribution stretch

Cheers,
Moritz
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
| On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
| >
| > Further update. I took some files from the new (in-progress, unfinished it
| > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
| > some advice from the libxls maintainer.
| >
| > He also put new issue tickets up, one per CVE:
| > https://github.com/evanmiller/libxls/issues
| >
| > And that builds. It does not pass all unit tests (R / CRAN packages tend to
| > have lots of those) but 'almost': 4 fail, 348 pass.
| >
| > We could release this, methinks. What is your recommendation (and it has
| > been years since I last had to do a security release so help is as always
| > appreciated).
|
| Do all of these patches/vulnerabilities apply to the version in stable?

I took a first look. It might just be doable.

| Then I'd say let's fix this via security.debian.org, see
| https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
| for some references.

Where would I get chroot for stable?

Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
>
> Further update. I took some files from the new (in-progress, unfinished it
> seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> some advice from the libxls maintainer.
>
> He also put new issue tickets up, one per CVE:
> https://github.com/evanmiller/libxls/issues
>
> And that builds. It does not pass all unit tests (R / CRAN packages tend to
> have lots of those) but 'almost': 4 fail, 348 pass.
>
> We could release this, methinks. What is your recommendation (and it has
> been years since I last had to do a security release so help is as always
> appreciated).

Do all of these patches/vulnerabilities apply to the version in stable?

Then I'd say let's fix this via security.debian.org, see
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
for some references.

Cheers,
Moritz
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Further update. I took some files from the new (in-progress, unfinished it
seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
some advice from the libxls maintainer.

He also put new issue tickets up, one per CVE:
https://github.com/evanmiller/libxls/issues

And that builds. It does not pass all unit tests (R / CRAN packages tend to
have lots of those) but 'almost': 4 fail, 348 pass.

We could release this, methinks. What is your recommendation (and it has
been years since I last had to do a security release so help is as always
appreciated).

Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
I am in contact with upstream for readxl; upstream for readxl is trying to
get hold of a new (tentative) upstream for libxls.

I will follow up here as I learn more.

Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
On 12 April 2018 at 20:42, Moritz Muehlenhoff wrote:
| Package: r-cran-readxl
| Severity: grave
| Tags: security
|
| r-cran-readxl bundles libxls which is affected by a number of security
| vulnerabilities:
|
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Dang. It looks like readxl upstream (https://github.com/tidyverse/readxl) may
not even be aware.

Is there a newer libxls you are aware of? I don't see anything at the
sourceforge site either :-/

Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
retitle 895564 CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111 CVE-2017-12110
thanks

On Thu, Apr 12, 2018 at 08:42:20PM +0200, Moritz Muehlenhoff wrote:
> Package: r-cran-readxl
> Severity: grave
> Tags: security
>
> r-cran-readxl bundles libxls which is affected by a number of security
> vulnerabilities:
>
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Also:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463

Cheers,
Moritz
Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Package: r-cran-readxl
Severity: grave
Tags: security

r-cran-readxl bundles libxls which is affected by a number of security
vulnerabilities:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Cheers,
Moritz