
libxls vulnerability

Open · MichaelChirico opened this issue 2 years ago · 5 comments

Hi, FYI there's a known vulnerability in libxls v1.6.2:

https://nvd.nist.gov/vuln/detail/CVE-2021-27836

It looks like this upstream PR is the most relevant to consider patching in:

https://github.com/libxls/libxls/pull/97/files

Original upstream discussion: https://github.com/libxls/libxls/issues/94

MichaelChirico, Feb 03 '22 19:02

FYI: as the original PR was never accepted, I updated the changes and added a PR which has been accepted into the dev branch of libxls - https://github.com/libxls/libxls/pull/107 The changes are largely the same except for error code enumeration.

stephematician, Mar 14 '22 03:03

Thanks for the heads up! @jennybc would you like me to patch that into the bundled copy here?

MichaelChirico, Mar 14 '22 06:03

No, I will do it. I've sort of been waiting to see if @evanmiller does an official libxls release, now that it looks like several CVE-relevant PRs have landed.

I much prefer to vendor an official release of libxls, with as few readxl-specific patches as possible.

jennybc, Mar 14 '22 17:03

Question for those with a particular interest in this:

If I embed the current dev version of libxls in readxl (so: not an official release), instead of the current libxls v1.6.2 (SHA 4482400), is that a noticeably better situation for you?

I plan to release readxl soon. There have been multiple, large internal changes that should not noticeably change what users see. I want to get this next version out into the world and surface any significant regressions. (The next phase of development will introduce quite a few user-significant features.)

jennybc, Mar 17 '22 22:03

FWIW it doesn't affect us either way. We delete the bundled libxls copy & depend directly on the (patched) source library.

MichaelChirico, Mar 17 '22 23:03

Closed by #721, but I had the wrong issue number there at the time of merge.

jennybc, Feb 07 '23 20:02