
Multiple unaddressed libxls vulnerabilities #739

Open
michaelquinn32 opened this issue Nov 27, 2023 · 6 comments

Comments

@michaelquinn32

Hi team!

Sorry to bother, but I wanted to reraise a few unaddressed libxls vulnerabilities with you.

FWIW, this is triggering internal security alerts for us. We will need to address them eventually. I think our route forward is to drop support for xls files.

Is there anything that can be done on your end?

Thanks!

@jennybc
Member

jennybc commented Nov 27, 2023

Is there anything that can be done on your end?

Unfortunately, no. I am not in a position to tackle these vulnerabilities myself.

I have, at times, vendored a dev version of libxls, in order to get some security fixes into readxl ASAP. But they need to be in libxls itself, obviously, for that to work.

@michaelquinn32
Author

Totally understand. I'm basically in the same boat, as we don't really have anyone who can take on fixing these issues right now.

If we can't get movement on this, the next step will be something like removing libxls and support for xls files. It's unfortunate, but at least it's a way to stop the security alerts.

@jennybc
Member

jennybc commented Nov 27, 2023

Have you tried reaching out to the libxls developer? No idea if this is a possibility, but maybe an offer to sponsor a targeted piece of work would be productive? It's not like removing xls support is a simple flick of a switch ....

@jennybc
Member

jennybc commented Feb 5, 2024

Thanks to @gaborcsardi, a patch has been made to libxls (libxls/libxls#129), so I will work on getting those changes into a readxl release in the near future.

@jhjourdan

Any news on this?

@jennybc
Member

jennybc commented Jan 15, 2025

No @jhjourdan. If/once the vendored libxls updates here, I'll close this issue.
