
List:       poi-user
Subject:    RE: RE: [ANNOUNCE] Apache POI 3.17 released
From:       "Allison, Timothy B." <tallison () mitre ! org>
Date:       2017-09-27 17:22:45
Message-ID: MWHPR09MB1391D749F3908B526F2F11E8C7780 () MWHPR09MB1391 ! namprd09 ! prod ! outlook ! com

I'm sorry for taking so long to get back to you.  After discussing with fellow devs, we'd prefer not to open a separate CVE for each item.  In looking at the items you helpfully gathered, we can categorize by type of problem and file formats affected.  I don't think we need to open a CVE for NPE or other parse exceptions (61286, 61287, 61059, pull 53).  For the others, we could open a single CVE based on the POI release (hey, these are now fixed in version 3.17) or we might open two -- one for permanent hangs, one for OOM?  My preference would be one CVE based on POI release.

A full description in that one CVE will allow users to determine if 3.17 would protect them based on file type -- your main goal, right?

To fellow Devs and David, how does this sound?

DETAILS:

This is my understanding; please let me know if I've missed any or misunderstood the impacts.

61338 permanent hang: WMF
61295 OOM: doc, ppt, xls
61294 permanent hang: macros, wmf, emf, msg
52372 OOM: doc, ppt, xls

61286, 61287, 61059, pull 53 -- not an OOM or permahang

-----Original Message-----
From: davidedillard@gmail.com [mailto:davidedillard@gmail.com] 
Sent: Tuesday, September 19, 2017 2:44 PM
To: user@poi.apache.org
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released

On 2017-09-19 07:56, "Allison, Timothy B." <tallison@mitre.org> wrote: 
> David,
> Thank you for raising this issue.  If fellow devs are +1, I can fill out the paperwork.  Single CVE or multiple?

My suggestion would be one CVE for each issue.  That way, if a consuming project isn't affected by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer doesn't use), they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since 3.16:

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too serious.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@poi.apache.org
For additional commands, e-mail: user-help@poi.apache.org



