
List:       oss-security
Subject:    [oss-security] CVE-2022-33879: Apache Tika: Incomplete fix and new regex DoS in StandardsExtractingC
From:       Tim Allison <tallison () apache ! org>
Date:       2022-06-27 20:30:57
Message-ID: 98a8ea54-34b2-8826-b198-19d5a1acbbf6 () apache ! org

Severity: low

Description:

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.


Credit:

This incomplete fix was discovered and reported by the CodeQL team member [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@jarlob (Jaroslav Lobačevski)](https://github.com/jarlob) from Github Security Lab. The new ReDoS was discovered by the Apache Tika team.
