Debian Bug report logs - #895564
CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111 CVE-2017-12110

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 12 Apr 2018 18:45:01 UTC

Severity: grave

Tags: security

Fixed in versions r-cran-readxl/1.0.0-2, r-cran-readxl/0.1.1-1+deb9u1

Done: Dirk Eddelbuettel <edd@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#895564; Package r-cran-readxl. (Thu, 12 Apr 2018 18:45:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Dirk Eddelbuettel <edd@debian.org>. (Thu, 12 Apr 2018 18:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Thu, 12 Apr 2018 20:42:20 +0200
Package: r-cran-readxl
Severity: grave
Tags: security

r-cran-readxl bundles libxls which is affected by a number of security vulnerabilities:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#895564; Package r-cran-readxl. (Thu, 12 Apr 2018 18:48:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Thu, 12 Apr 2018 18:48:07 GMT)


Message #10 received at 895564@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 895564@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Thu, 12 Apr 2018 20:47:06 +0200
retitle 895564 CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111 CVE-2017-12110
thanks

On Thu, Apr 12, 2018 at 08:42:20PM +0200, Moritz Muehlenhoff wrote:
> Package: r-cran-readxl
> Severity: grave
> Tags: security
> 
> r-cran-readxl bundles libxls which is affected by a number of security vulnerabilities:
> 
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Also:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463
 
Cheers,
        Moritz




Changed Bug title to 'CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12111 CVE-2017-12110' from 'CVE-2017-2896 CVE-2017-2897 CVE-2017-2919'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Thu, 12 Apr 2018 18:48:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Thu, 12 Apr 2018 19:12:06 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Thu, 12 Apr 2018 19:12:06 GMT)


Message #17 received at submit@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 895564@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Thu, 12 Apr 2018 14:08:49 -0500
On 12 April 2018 at 20:42, Moritz Muehlenhoff wrote:
| Package: r-cran-readxl
| Severity: grave
| Tags: security
| 
| r-cran-readxl bundles libxls which is affected by a number of security vulnerabilities:
| 
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404
| https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403

Dang. It looks like readxl upstream (https://github.com/tidyverse/readxl) may
not even be aware.

Is there a newer libxls you are aware of?  I don't see anything at the
sourceforge site either :-/

Dirk


-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Thu, 12 Apr 2018 19:12:08 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Thu, 12 Apr 2018 19:12:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Thu, 12 Apr 2018 20:09:03 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Thu, 12 Apr 2018 20:09:03 GMT)


Message #27 received at 895564@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Thu, 12 Apr 2018 15:04:19 -0500
I am in contact with upstream for readxl; upstream for readxl is trying to
get hold of a new (tentative) upstream for libxls.  I will follow up here as
I learn more.

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Thu, 12 Apr 2018 22:18:02 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Thu, 12 Apr 2018 22:18:02 GMT)


Message #32 received at 895564@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Thu, 12 Apr 2018 17:14:18 -0500
Further update. I took some files from the new (in-progress, unfinished it
seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
some advice from the libxls maintainer.

He also put new issue tickets up, one per CVE:
https://github.com/evanmiller/libxls/issues

And that builds.  It does not pass all unit tests (R / CRAN packages tend to
have lots of those) but 'almost': 4 fail, 348 pass.

We could release this, methinks.  What is your recommendation (and it has
been years since I last had to do a security release so help is as always
appreciated).

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Reply sent to Dirk Eddelbuettel <edd@debian.org>:
You have taken responsibility. (Thu, 12 Apr 2018 23:57:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 12 Apr 2018 23:57:04 GMT)


Message #37 received at 895564-close@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: 895564-close@bugs.debian.org
Subject: Bug#895564: fixed in r-cran-readxl 1.0.0-2
Date: Thu, 12 Apr 2018 23:52:03 +0000
Source: r-cran-readxl
Source-Version: 1.0.0-2

We believe that the bug you reported is fixed in the latest version of
r-cran-readxl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895564@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dirk Eddelbuettel <edd@debian.org> (supplier of updated r-cran-readxl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Apr 2018 18:16:20 -0500
Source: r-cran-readxl
Binary: r-cran-readxl
Architecture: source amd64
Version: 1.0.0-2
Distribution: unstable
Urgency: medium
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Dirk Eddelbuettel <edd@debian.org>
Description:
 r-cran-readxl - GNU R package to read Excel files
Closes: 895564
Changes:
 r-cran-readxl (1.0.0-2) unstable; urgency=medium
 .
   * src/endian.c: Updated from libxls upstream (Closes: #895564)
   * src/libxls/endian.h: Idem
   * src/libxls/ole.h: Idem
   * src/libxls/xls.h: Idem
   * src/libxls/xlsstruct.h: Idem
   * src/libxls/xlstool.h: Idem
   * src/libxls/xlstypes.h: Idem
   * src/ole.c: Idem
   * src/xls.c: Idem
   * src/xlstool.c: Idem
 .
   * debian/control: Set Build-Depends: to current R version
   * debian/control: Set Standards-Version: to current version
   * debian/control: Add Vcs-Browser: and Vcs-Git:
   * debian/compat: Increase level to 9
   * debian/control: Switch from cdbs to dh-r
   * debian/rules: Idem
Checksums-Sha1:
 98c6f708029a56989a4f1734beb7627a5809f694 1918 r-cran-readxl_1.0.0-2.dsc
 40cbd8d4d6a4148be5eb2046dddb208a39790aeb 22132 r-cran-readxl_1.0.0-2.debian.tar.xz
 fe3efa98de3ed40f0bc51e06625cb09afa6d7109 1291132 r-cran-readxl-dbgsym_1.0.0-2_amd64.deb
 2f854f0f1cee7c17e4fc06054057a58f40aa66c8 8505 r-cran-readxl_1.0.0-2_amd64.buildinfo
 3a527b9ad41b5aa5eaf5dcba9a56d09b30cea29b 694924 r-cran-readxl_1.0.0-2_amd64.deb
Checksums-Sha256:
 d93ff910e1a2232266b266601904e256c62fd4182f199ae7e0a7db2f59adbd2c 1918 r-cran-readxl_1.0.0-2.dsc
 a9d09c1e429bd89468ca7276a5f5c444d5baf5d4817ce4a95559fd40d79824af 22132 r-cran-readxl_1.0.0-2.debian.tar.xz
 cd083c6bb9627609c80ca0091c30832cddf68e4137cb689bfad4e1bb5ad98eb4 1291132 r-cran-readxl-dbgsym_1.0.0-2_amd64.deb
 cfeedb526daebb485f3dda9c14a5874634e31b45b09c95442ed9341c2f918ca0 8505 r-cran-readxl_1.0.0-2_amd64.buildinfo
 bfb2b78379effadd76b3527679210e8a2f08657928cbf69a20fa3a38e3678adb 694924 r-cran-readxl_1.0.0-2_amd64.deb
Files:
 e06f88aaa6baae80268eecb72f4fb688 1918 gnu-r optional r-cran-readxl_1.0.0-2.dsc
 0a9a9c5c5ba9289c9057315ab2bd0e41 22132 gnu-r optional r-cran-readxl_1.0.0-2.debian.tar.xz
 f309d8debf7674367f5c191754be5e64 1291132 debug optional r-cran-readxl-dbgsym_1.0.0-2_amd64.deb
 f81bbc2c954a4e7cc7d9abbd84c631ff 8505 gnu-r optional r-cran-readxl_1.0.0-2_amd64.buildinfo
 7503c6f2801dfbb620e8050505bb8a06 694924 gnu-r optional r-cran-readxl_1.0.0-2_amd64.deb

(PGP signature omitted)
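
The close messages in this log carry the `.changes` stanzas (Checksums-Sha1, Checksums-Sha256, Files) for the fixed packages, and the changelog entry for the stretch update names the CVEs it addresses. The script below is an added example, not part of the bug log and not Debian's own tooling: it parses those stanzas, verifies size and digest of every listed artifact against the files next to the `.changes`, refuses filenames that could point outside that directory, and extracts the CVE identifiers claimed in the Changes stanza. It reads past the PGP armour but does not check the signature; use `gpg --verify` or `dscverify` for that. The `.changes` text and the two artifact files it writes into a temporary directory are constructed for the demonstration and are not the real r-cran-readxl files; their digests are computed at run time.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# checksum stanza -> digest algorithm of its entries ("Files" carries md5 plus section/priority)
CHECKSUM_STANZAS = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1", "Files": "md5"}


def parse_changes(text):
    """RFC 822-style .changes fields -> {field: [lines]}; the PGP signature is NOT verified here."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith("-----"):                          # PGP armour header/footer
            continue
        if line[:1] in (" ", "\t") and current is not None:   # continuation line
            fields[current].append(line.strip())
        elif line[:1] not in (" ", "\t") and ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def claimed_cves(fields):
    """CVE identifiers named in the Changes stanza, in order, without duplicates."""
    found = []
    for line in fields.get("Changes", []):
        for cve in CVE_RE.findall(line):
            if cve not in found:
                found.append(cve)
    return found


def _check_file(path, size, algo, digest):
    if not path.is_file():
        return "missing"
    data = path.read_bytes()
    if len(data) != size:
        return f"size {len(data)} != {size}"
    if hashlib.new(algo, data).hexdigest() != digest:
        return f"{algo} mismatch"
    return ""                                                 # empty reason == verified


def verify_artifacts(fields, directory):
    """{filename: [(algo, ok, reason), ...]} for every entry of every checksum stanza."""
    results = {}
    for stanza, algo in CHECKSUM_STANZAS.items():
        for entry in fields.get(stanza, []):
            parts = entry.split()
            digest, size, filename = parts[0].lower(), int(parts[1]), parts[-1]
            if "/" in filename or filename.startswith("."):   # never follow a path out of `directory`
                reason = "unsafe filename"
            else:
                reason = _check_file(Path(directory) / filename, size, algo, digest)
            results.setdefault(filename, []).append((algo, reason == "", reason))
    return results


def check_changes(changes_path):
    """Return (cves, per-file verdicts, all_ok) for a .changes file on disk."""
    fields = parse_changes(Path(changes_path).read_text())
    results = verify_artifacts(fields, Path(changes_path).parent)
    all_ok = bool(results) and all(ok for v in results.values() for _, ok, _ in v)
    return claimed_cves(fields), results, all_ok


def build_sample(workdir):
    """Write constructed artifacts plus a .changes listing them (demo data, not Debian's real files)."""
    artifacts = {
        "r-cran-readxl_0.1.1-1+deb9u1.dsc": b"Format: 3.0 (quilt)\nSource: r-cran-readxl\n",
        "r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz": b"\xfd7zXZ\x00 constructed, not a real archive",
    }
    body = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "", "Format: 1.8",
            "Source: r-cran-readxl", "Version: 0.1.1-1+deb9u1", "Changes:",
            " r-cran-readxl (0.1.1-1+deb9u1) stretch-security; urgency=high", " .",
            "   * This addresses CVE-2017-2896 CVE-2017-2897 CVE-2017-2919",
            "     CVE-2017-12111 CVE-2017-12110 with corresponding upstream patches."]
    for name, data in artifacts.items():
        (workdir / name).write_bytes(data)
    for stanza, algo in CHECKSUM_STANZAS.items():
        extra = "gnu-r optional " if stanza == "Files" else ""
        body.append(stanza + ":")
        body += [f" {hashlib.new(algo, d).hexdigest()} {len(d)} {extra}{n}" for n, d in artifacts.items()]
    changes = workdir / "r-cran-readxl_0.1.1-1+deb9u1_amd64.changes"
    changes.write_text("\n".join(body) + "\n")
    return changes


def run_demo():
    """Clean .changes verifies; then a same-size byte change in the .dsc trips all three digests."""
    workdir = Path(tempfile.mkdtemp())
    changes = build_sample(workdir)
    cves, _, ok_before = check_changes(changes)
    dsc = workdir / "r-cran-readxl_0.1.1-1+deb9u1.dsc"
    dsc.write_bytes(dsc.read_bytes().replace(b"readxl\n", b"readxX\n"))  # size unchanged
    _, results, ok_after = check_changes(changes)
    return {"cves": cves, "ok_before": ok_before, "ok_after": ok_after,
            "dsc_verdicts": results[dsc.name]}
```

Run `check_changes()` on a real `.changes` downloaded next to its artifacts to get the same three-way verdict per file; a size match with a digest mismatch, as the demo's tampered `.dsc` shows, is exactly the case a size-only check would miss. The md5 entries in the Files stanza are kept only because the format carries them; the SHA-256 stanza is the one whose result should decide.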




Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 09:54:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Fri, 13 Apr 2018 09:54:05 GMT)


Message #42 received at 895564@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 11:51:37 +0200
On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> 
> Further update. I took some files from the new (in-progress, unfinished it
> seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> some advice from the libxls maintainer.
> 
> He also put new issue tickets up, one per CVE:
> https://github.com/evanmiller/libxls/issues
> 
> And that builds.  It does not pass all unit tests (R / CRAN packages tend to
> have lots of those) but 'almost': 4 fail, 348 pass.
> 
> We could release this, methinks.  What is your recommendation (and it has
> been years since I last had to do a security release so help is as always
> appreciated).

Do all of these patches/vulnerabilities apply to the version in stable?
Then I'd say let's fix this via security.debian.org, see
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
for some references.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 12:42:03 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Fri, 13 Apr 2018 12:42:03 GMT)


Message #47 received at 895564@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Dirk Eddelbuettel <edd@debian.org>, 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 07:38:51 -0500
On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
| On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
| > 
| > Further update. I took some files from the new (in-progress, unfinished it
| > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
| > some advice from the libxls maintainer.
| > 
| > He also put new issue tickets up, one per CVE:
| > https://github.com/evanmiller/libxls/issues
| > 
| > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
| > have lots of those) but 'almost': 4 fail, 348 pass.
| > 
| > We could release this, methinks.  What is your recommendation (and it has
| > been years since I last had to do a security release so help is as always
| > appreciated).
| 
| Do all of these patches/vulnerabilities apply to the version in stable?

I took a first look. It might just be doable.

| Then I'd say let's fix this via security.debian.org, see
| https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
| for some references.

Where would I get a chroot for stable?

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 12:45:18 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Fri, 13 Apr 2018 12:45:18 GMT)


Message #52 received at 895564@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 14:43:07 +0200
On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
> 
> On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
> | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> | > 
> | > Further update. I took some files from the new (in-progress, unfinished it
> | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> | > some advice from the libxls maintainer.
> | > 
> | > He also put new issue tickets up, one per CVE:
> | > https://github.com/evanmiller/libxls/issues
> | > 
> | > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
> | > have lots of those) but 'almost': 4 fail, 348 pass.
> | > 
> | > We could release this, methinks.  What is your recommendation (and it has
> | > been years since I last had to do a security release so help is as always
> | > appreciated).
> | 
> | Do all of these patches/vulnerabilities apply to the version in stable?
> 
> I took a first look. It might just be doable.
> 
> | Then I'd say let's fix this via security.debian.org, see
> | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> | for some references.
> 
> Where would I get a chroot for stable?

There are multiple options, but e.g. with pbuilder you can simply create one using:

sudo pbuilder create --distribution stretch 

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 13:06:04 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Fri, 13 Apr 2018 13:06:04 GMT)


Message #57 received at 895564@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Dirk Eddelbuettel <edd@debian.org>, 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 08:03:31 -0500
On 13 April 2018 at 14:43, Moritz Muehlenhoff wrote:
| On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
| > 
| > On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
| > | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
| > | > 
| > | > Further update. I took some files from the new (in-progress, unfinished it
| > | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
| > | > some advice from the libxls maintainer.
| > | > 
| > | > He also put new issue tickets up, one per CVE:
| > | > https://github.com/evanmiller/libxls/issues
| > | > 
| > | > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
| > | > have lots of those) but 'almost': 4 fail, 348 pass.
| > | > 
| > | > We could release this, methinks.  What is your recommendation (and it has
| > | > been years since I last had to do a security release so help is as always
| > | > appreciated).
| > | 
| > | Do all of these patches/vulnerabilities apply to the version in stable?
| > 
| > I took a first look. It might just be doable.
| > 
| > | Then I'd say let's fix this via security.debian.org, see
| > | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
| > | for some references.
| > 
| > Where would I get a chroot for stable?
| 
| There are multiple options, but e.g. with pbuilder you can simply create one using:
| 
| sudo pbuilder create --distribution stretch 

Yes, sure, I just read the link you pointed to as implying there were
ready-made ones just an ssh away as we do (did?) for the porter machines.

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 13:09:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Fri, 13 Apr 2018 13:09:07 GMT)


Message #62 received at 895564@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 15:07:19 +0200
On Fri, Apr 13, 2018 at 08:03:31AM -0500, Dirk Eddelbuettel wrote:
> 
> On 13 April 2018 at 14:43, Moritz Muehlenhoff wrote:
> | On Fri, Apr 13, 2018 at 07:38:51AM -0500, Dirk Eddelbuettel wrote:
> | > 
> | > On 13 April 2018 at 11:51, Moritz Mühlenhoff wrote:
> | > | On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
> | > | > 
> | > | > Further update. I took some files from the new (in-progress, unfinished it
> | > | > seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> | > | > some advice from the libxls maintainer.
> | > | > 
> | > | > He also put new issue tickets up, one per CVE:
> | > | > https://github.com/evanmiller/libxls/issues
> | > | > 
> | > | > And that builds.  It does not pass all unit tests (R / CRAN packages tend to
> | > | > have lots of those) but 'almost': 4 fail, 348 pass.
> | > | > 
> | > | > We could release this, methinks.  What is your recommendation (and it has
> | > | > been years since I last had to do a security release so help is as always
> | > | > appreciated).
> | > | 
> | > | Do all of these patches/vulnerabilities apply to the version in stable?
> | > 
> | > I took a first look. It might just be doable.
> | > 
> | > | Then I'd say let's fix this via security.debian.org, see
> | > | https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> | > | for some references.
> | > 
> | > Where would I get a chroot for stable?
> | 
> | There are multiple options, but e.g. with pbuilder you can simply create one using:
> | 
> | sudo pbuilder create --distribution stretch 
> 
> Yes, sure, I just read the link you pointed to as implying there were
> ready-made ones just an ssh away as we do (did?) for the porter machines.

Ah, ok. That doesn't exist, no.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 13:33:05 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Fri, 13 Apr 2018 13:33:05 GMT)


Message #67 received at 895564@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Dirk Eddelbuettel <edd@debian.org>, 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 08:29:31 -0500
Ok, I got something. Do you want me to put it on my webserver here for you to
fetch and inspect (or I could even email a tarball) or should I upload?

Format: 1.8
Date: Fri, 13 Apr 2018 08:18:46 -0500
Source: r-cran-readxl
Binary: r-cran-readxl
Architecture: source amd64
Version: 0.1.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Dirk Eddelbuettel <edd@debian.org>
Description:
 r-cran-readxl - GNU R package to read Excel files
Closes: 895564
Changes:
 r-cran-readxl (0.1.1-1+deb9u1) stretch-security; urgency=high
 .
   * src/endian.c: Updated from libxls upstream (Closes: #895564)
   * src/libxls/endian.h: Idem
   * src/libxls/ole.h: Idem
   * src/libxls/xls.h: Idem
   * src/libxls/xlsstruct.h: Idem
   * src/libxls/xlstool.h: Idem
   * src/libxls/xlstypes.h: Idem
   * src/ole.c: Idem
   * src/xls.c: Idem
   * src/xlstool.c: Idem
 .
   * This addresses
       CVE-2017-2896
       CVE-2017-2897
       CVE-2017-2919
       CVE-2017-12111
       CVE-2017-12110
     with corresponding upstream patches.
Checksums-Sha1:
 7b2ce0a1224ac351ee74ee4e3b11b322a3dee2f8 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 d7714ce4fce42ec753e751e3966c652990795d32 323034 r-cran-readxl_0.1.1.orig.tar.gz
 79c290dfcdcaf87216109f244fc89489c18dffd2 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 a384c8b7f37ea1d7a6f45ec84e7f6954fdcf8935 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 1a2350f2e291e3b01bb3c93e80c191c394bd1642 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 5bc8fe4282efc4c5a8b3bf75f887e6727931a227 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Checksums-Sha256:
 7b028e62cd6816f05c56706aa6506967501d5a19664b051ca9e7319791bf9cde 902 r-cran-readxl_0.1.1-1+deb9u1.dsc
 39d3da470137581a385c3130468d5e0ee5b5be9e46b6d3e93e4209dac3edf57a 323034 r-cran-readxl_0.1.1.orig.tar.gz
 55e0ea1d4a40e9ef31bb90d0695fa48715d3ad109b077b53cc7069078537fd96 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 529f19b41378156ca79dfd86cc52b5e12af2916f534bb4a8d7edf8bacfe808d0 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 fea96b548846e900e467ff4f24b52bbb3f496b2d830fb5f8229b8662b34b007e 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 dee521999cc22f272bee5c75f34065746829ead4ff151467df3cbc99ae889044 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Files:
 e91dfc78b8d9bf518b6e8681691d312b 902 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.dsc
 565fd569d520e62ecd174aa4d3e43ce3 323034 gnu-r optional r-cran-readxl_0.1.1.orig.tar.gz
 3cbdab6a1a41ff4ff7aef5c5be293cf5 21868 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 aaf73941887e511c3418b66468050045 1086354 debug extra r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 544cddafcf278c9c67a791f538f39f7f 8261 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 80d5b7e4271642ae3e2ac83658e297c6 197664 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.deb


Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 13:36:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Fri, 13 Apr 2018 13:36:03 GMT)


Message #72 received at 895564@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 15:33:12 +0200
On Fri, Apr 13, 2018 at 08:29:31AM -0500, Dirk Eddelbuettel wrote:
> 
> Ok, I got something. Do you want me to put it on my webserver here for you to
> fetch and inspect (or I could even email a tarball) or should I upload?

Please send a debdiff to team@security.debian.org

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#895564; Package r-cran-readxl. (Fri, 13 Apr 2018 13:57:03 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Fri, 13 Apr 2018 13:57:03 GMT)


Message #77 received at 895564@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Dirk Eddelbuettel <edd@debian.org>, 895564@bugs.debian.org
Subject: Re: Bug#895564: CVE-2017-2896 CVE-2017-2897 CVE-2017-2919
Date: Fri, 13 Apr 2018 08:52:04 -0500
On 13 April 2018 at 15:33, Moritz Muehlenhoff wrote:
| On Fri, Apr 13, 2018 at 08:29:31AM -0500, Dirk Eddelbuettel wrote:
| > 
| > Ok, I got something. Do you want me to put it on my webserver here for you to
| > fetch and inspect (or I could even email a tarball) or should I upload?
| 
| Please send a debdiff to team@security.debian.org

Done!

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Reply sent to Dirk Eddelbuettel <edd@debian.org>:
You have taken responsibility. (Mon, 16 Apr 2018 20:48:15 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 16 Apr 2018 20:48:15 GMT)


Message #82 received at 895564-close@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: 895564-close@bugs.debian.org
Subject: Bug#895564: fixed in r-cran-readxl 0.1.1-1+deb9u1
Date: Mon, 16 Apr 2018 20:47:10 +0000
Source: r-cran-readxl
Source-Version: 0.1.1-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
r-cran-readxl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895564@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dirk Eddelbuettel <edd@debian.org> (supplier of updated r-cran-readxl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Apr 2018 08:18:46 -0500
Source: r-cran-readxl
Binary: r-cran-readxl
Architecture: source amd64
Version: 0.1.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Dirk Eddelbuettel <edd@debian.org>
Description:
 r-cran-readxl - GNU R package to read Excel files
Closes: 895564
Changes:
 r-cran-readxl (0.1.1-1+deb9u1) stretch-security; urgency=high
 .
   * src/endian.c: Updated from libxls upstream (Closes: #895564)
   * src/libxls/endian.h: Idem
   * src/libxls/ole.h: Idem
   * src/libxls/xls.h: Idem
   * src/libxls/xlsstruct.h: Idem
   * src/libxls/xlstool.h: Idem
   * src/libxls/xlstypes.h: Idem
   * src/ole.c: Idem
   * src/xls.c: Idem
   * src/xlstool.c: Idem
 .
   * This addresses
       CVE-2017-2896
       CVE-2017-2897
       CVE-2017-2919
       CVE-2017-12111
       CVE-2017-12110
     with corresponding upstream patches.
Checksums-Sha1:
 61360fd6a3780b9222fe5b2cac6871d8ea0edfb2 1745 r-cran-readxl_0.1.1-1+deb9u1.dsc
 d7714ce4fce42ec753e751e3966c652990795d32 323034 r-cran-readxl_0.1.1.orig.tar.gz
 79c290dfcdcaf87216109f244fc89489c18dffd2 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 a384c8b7f37ea1d7a6f45ec84e7f6954fdcf8935 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 1a2350f2e291e3b01bb3c93e80c191c394bd1642 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 5bc8fe4282efc4c5a8b3bf75f887e6727931a227 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Checksums-Sha256:
 93716d4c85de941554097f9333cf04df58b50e21415f1bd9f0c3d7b6d0a2767e 1745 r-cran-readxl_0.1.1-1+deb9u1.dsc
 39d3da470137581a385c3130468d5e0ee5b5be9e46b6d3e93e4209dac3edf57a 323034 r-cran-readxl_0.1.1.orig.tar.gz
 55e0ea1d4a40e9ef31bb90d0695fa48715d3ad109b077b53cc7069078537fd96 21868 r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 529f19b41378156ca79dfd86cc52b5e12af2916f534bb4a8d7edf8bacfe808d0 1086354 r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 fea96b548846e900e467ff4f24b52bbb3f496b2d830fb5f8229b8662b34b007e 8261 r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 dee521999cc22f272bee5c75f34065746829ead4ff151467df3cbc99ae889044 197664 r-cran-readxl_0.1.1-1+deb9u1_amd64.deb
Files:
 cb6b740a26d405e0ad5d081451e6785b 1745 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.dsc
 565fd569d520e62ecd174aa4d3e43ce3 323034 gnu-r optional r-cran-readxl_0.1.1.orig.tar.gz
 3cbdab6a1a41ff4ff7aef5c5be293cf5 21868 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1.debian.tar.xz
 aaf73941887e511c3418b66468050045 1086354 debug extra r-cran-readxl-dbgsym_0.1.1-1+deb9u1_amd64.deb
 544cddafcf278c9c67a791f538f39f7f 8261 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.buildinfo
 80d5b7e4271642ae3e2ac83658e297c6 197664 gnu-r optional r-cran-readxl_0.1.1-1+deb9u1_amd64.deb

(PGP signature omitted)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Feb 2019 07:32:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:24:29 2019; Machine Name: buxtehude