List: poi-user
Subject: RE: RE: [ANNOUNCE] Apache POI 3.17 released
From: "Allison, Timothy B." <tallison () mitre ! org>
Date: 2017-09-27 17:22:45
Message-ID: MWHPR09MB1391D749F3908B526F2F11E8C7780 () MWHPR09MB1391 ! namprd09 ! prod ! outlook ! com
I'm sorry for taking so long to get back to you. After discussing with fellow devs, we'd prefer not to open a separate CVE for each item. In looking at the items you helpfully gathered, we can categorize by type of problem and file formats affected. I don't think we need to open a CVE for NPE or other parse exceptions (61286, 61287, 61059, pull 53). For the others, we could open a single CVE based on the POI release (hey, these are now fixed in version 3.17) or we might open two -- one for permanent hangs, one for OOM? My preference would be one CVE based on POI release.
A full description in that one CVE will allow users to determine if 3.17 would protect them based on file type -- your main goal, right?
To fellow devs and David, how does this sound?
DETAILS:
This is my understanding; please let me know if I've missed any or misunderstood the impacts.
61338 permanent hang: WMF
61295 OOM: doc, ppt, xls
61294 permanent hang: macros, wmf, emf, msg
52372 OOM: doc, ppt, xls
61286, 61287, 61059, pull 53 -- not an OOM or permahang
-----Original Message-----
From: davidedillard@gmail.com [mailto:davidedillard@gmail.com]
Sent: Tuesday, September 19, 2017 2:44 PM
To: user@poi.apache.org
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released
On 2017-09-19 07:56, "Allison, Timothy B." <tallison@mitre.org> wrote:
> David,
> Thank you for raising this issue. If fellow devs are +1, I can fill out the paperwork. Single CVE or multiple?
My suggestion would be one CVE for each issue. That way, if a consuming project isn't affected by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer doesn't use), they can avoid upgrading right away.
I believe the following are all vulnerabilities listed in the change log as being fixed since 3.16:
- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"
The good news is that all of these are denial of service vulnerabilities, which aren't too serious.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@poi.apache.org
For additional commands, e-mail: user-help@poi.apache.org