Multiple unaddressed libxls vulnerabilities #739
Comments
Unfortunately, no. I am not in a position to tackle these vulnerabilities myself. I have, at times, vendored a dev version of libxls, in order to get some security fixes into readxl ASAP. But they need to be in libxls itself, obviously, for that to work.
Totally understand. I'm basically in the same boat, as we don't really have anyone who can take on fixing these issues right now. If we can't get movement on this, the next step will be something like removing libxls and support for xls files. It's unfortunate, but at least it's a way to stop the security alerts.
Have you tried reaching out to the libxls developer? No idea if this is a possibility, but maybe an offer to sponsor a targeted piece of work would be productive? It's not like removing xls support is a simple flick of a switch ....
Thanks to @gaborcsardi, a patch has been made to libxls (libxls/libxls#129), so I will work on getting those changes into a readxl release in the near future.
Hi team!
Sorry to bother, but I wanted to reraise a few unaddressed libxls vulnerabilities with you.
FWIW, this is triggering internal security alerts for us. We will need to address them eventually. I think our route forward is to drop support for xls files.
Is there anything that can be done on your end?
Thanks!