Incorporate upstream changes to libxls to address security vulnerabilities #441
Comments
|
CVE-2017-12110: libxls xls_appendSST Code Execution Vulnerability CVE-2017-2896: libxls xls_mergedCells Code Execution Vulnerability CVE-2017-2897: libxls read_MSAT Code Execution Vulnerability CVE-2017-12111: libxls xls_addCell Formula Code Execution Vulnerability CVE-2017-2919: libxls xls_getfcell Code Execution Vulnerability |
|
I incorporated all of these these in this commit again Debian's readxl 1.0.0. Let me know if you want them as a diff, or file set, or ... There may be a delta against what you have here if you too departed already from 1.0.0. |
|
The PR #442 is in a functional state now but still need to clear NOTEs. |
|
Nice. It may still need some fine-tuning. Using my Debian-patched side of the code (which also consists of taking the patches by Evan) R> library(readxl)
R> read_excel("mtcars.xls")
# A tibble: 6 x 10
mpg cyl disp hp drat wt qsec vs am gear
<dbl> <dbl> <dbl> <dbl> <dbl> <dbl> <dbl> <dbl> <dbl> <dbl>
1 21.0 6. 160. 110. 3.90 2.62 16.5 0. 1. 4.
2 21.0 6. 160. 110. 3.90 2.88 17.0 0. 1. 4.
3 22.8 4. 108. 93. 3.85 2.32 18.6 1. 1. 4.
4 21.4 6. 258. 110. 3.08 3.22 19.4 1. 0. 3.
5 18.7 8. 360. 175. 3.15 3.44 17.0 0. 0. 3.
6 18.1 6. 225. 105. 2.76 3.46 20.2 1. 0. 3.
R> read_excel("dates-1900.xls")
Error in read_fun(path = path, sheet = sheet, limits = limits, shim = shim, :
Failed to open dates-1900.xls
R> read_excel("dates-1904.xls")
Error in read_fun(path = path, sheet = sheet, limits = limits, shim = shim, :
Failed to open dates-1904.xls
R> Or do you have that squatted away thanks to the other changes in the repo? |
|
Hmmm. I don't see this problem locally when I'm at HEAD of #442. I can read those files fine. They are also used in the tests, so they are being successfully read on Travis and AppVeyor. devtools::load_all(".")
#> Loading readxl
read_excel("tests/testthat/sheets/dates-1900.xls", col_names = paste0("X", 1:5))
#> # A tibble: 1 x 5
#> X1 X2 X3
#> <dttm> <dttm> <dttm>
#> 1 2000-01-01 00:00:00 2000-01-01 00:00:00 2000-01-01 00:00:00
#> # ... with 2 more variables: X4 <dttm>, X5 <dttm>
read_excel("tests/testthat/sheets/dates-1904.xls", col_names = paste0("X", 1:5))
#> # A tibble: 1 x 5
#> X1 X2 X3
#> <dttm> <dttm> <dttm>
#> 1 2000-01-01 00:00:00 2000-01-01 00:00:00 2000-01-01 00:00:00
#> # ... with 2 more variables: X4 <dttm>, X5 <dttm>Created on 2018-04-13 by the reprex package (v0.2.0). |
|
Good to know. I made changes to the vanilla readxl 1.0.0 release. So call this a vote in favour of getting a new version out onto CRAN :) |
|
When do you plan to submit the updated version to CRAN? |
|
I'm planning to submit early this week. Am currently pondering if there's any other low-hanging fruit to knock off quickly and also need to run revdepchecks. |
|
@eddelbuettel The new readxl -- v1.1.0 -- is on CRAN now. |
|
@jennybc Thanks Jenny! |
|
Splendid. In Debian too now too. |
Step 1: determine if said upstream changes actually exist and, if so, where:
libxls/libxls#1
This was already on the radar, but not yet in a form that gives me a clear path forward:
#409
#358 (comment)
The text was updated successfully, but these errors were encountered: