poi-user mailing list archives

From "Allison, Timothy B." <talli...@mitre.org>
Subject RE: RE: [ANNOUNCE] Apache POI 3.17 released
Date Wed, 27 Sep 2017 17:22:45 GMT
I'm sorry for taking so long to get back to you.  After discussing with fellow devs, we'd prefer
not to open a separate CVE for each item.  In looking at the items you helpfully gathered,
we can categorize by type of problem and file formats affected.  I don't think we need to
open a CVE for NPE or other parse exceptions (61286, 61287, 61059, pull53).  For the others,
we could open a single CVE based on the poi-release (hey, these are now fixed in version 3.17)
or we might open two -- one for permanent hangs, one for OOM?  My preference would be one
CVE based on POI release.  

A full description in that one CVE will allow users to determine if 3.17 would protect them
based on file type -- your main goal, right?

To fellow Devs and David, how does this sound?


This is my understanding, please let me know if I've missed any or misunderstood the impacts.

61338 permanent hang: WMF
61295 OOM: doc, ppt, xls
61294 permanent hang: macros, wmf, emf, msg
52372 OOM: doc, ppt, xls

61286, 61287, 61059, pull 53 -- not an OOM or permahang

-----Original Message-----
From: davidedillard@gmail.com [mailto:davidedillard@gmail.com] 
Sent: Tuesday, September 19, 2017 2:44 PM
To: user@poi.apache.org
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released

On 2017-09-19 07:56, "Allison, Timothy B." <tallison@mitre.org> wrote: 
> David,
>   Thank you for raising this issue.  If fellow devs are +1, I can fill out the paperwork.
> Single CVE or multiple?

My suggestion would be one CVE for each issue.  That way if a consuming project isn't affected
by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer
doesn't use) they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too

To unsubscribe, e-mail: user-unsubscribe@poi.apache.org
For additional commands, e-mail: user-help@poi.apache.org

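The thread groups the fixed bugs into two denial-of-service classes: permanent hangs (e.g. 61294, "IOUtils.skipFully can run into infinite loop") and out-of-memory errors on corrupt files (61295, 52372). The following is an added illustration of how each class typically arises in a parser of untrusted input and how it is closed off; it is example code written for this page, not Apache POI's implementation, and it does not claim to reproduce the exact defects behind those bug numbers. The class names, the `MAX_RECORD_LENGTH` cap and the wire format (a 4-byte big-endian length prefix) are assumptions chosen for the demonstration. The one fact it relies on is the `java.io.InputStream.skip()` contract, which permits a stream to skip zero bytes without being at end of stream.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

/**
 * Illustrative hardening of two patterns from the thread: a skip loop that spins forever
 * when InputStream.skip() keeps returning 0, and a length-prefixed read that allocates
 * whatever size a corrupt file claims. Example code, not Apache POI's own.
 */
public final class SafeRead {

    /** Assumed upper bound on any allocation driven by a length field read from the file. */
    static final int MAX_RECORD_LENGTH = 1 << 20; // 1 MiB, chosen for the example

    /** Naive loop: never terminates if skip() returns 0 without EOF, which the contract allows. */
    static long skipFullyNaive(InputStream in, long len) throws IOException {
        long total = 0;
        while (total < len) {
            total += in.skip(len - total);   // 0 forever => permanent hang
        }
        return total;
    }

    /** Hardened: when skip() makes no progress, read one byte to tell "won't skip" from EOF. */
    static long skipFully(InputStream in, long len) throws IOException {
        if (len < 0) throw new IllegalArgumentException("negative skip length: " + len);
        long total = 0;
        while (total < len) {
            long skipped = in.skip(len - total);
            if (skipped <= 0) {
                if (in.read() < 0) break;   // genuine EOF: stop, caller sees total < len
                skipped = 1;                // progress was made by read(), loop continues
            }
            total += skipped;
        }
        return total;
    }

    /** Reads a 4-byte big-endian length, then that many bytes, capped so a corrupt length cannot OOM. */
    static byte[] readLengthPrefixed(InputStream in) throws IOException {
        int len = readInt(in);
        if (len < 0 || len > MAX_RECORD_LENGTH) {
            throw new IOException("record length " + (len & 0xFFFFFFFFL)
                    + " exceeds limit " + MAX_RECORD_LENGTH);
        }
        byte[] buf = new byte[len];
        int off = 0;
        while (off < len) {
            int n = in.read(buf, off, len - off);
            if (n < 0) throw new EOFException("truncated record: expected " + len + " bytes, got " + off);
            off += n;
        }
        return buf;
    }

    static int readInt(InputStream in) throws IOException {
        int v = 0;
        for (int i = 0; i < 4; i++) {
            int b = in.read();
            if (b < 0) throw new EOFException("truncated length field");
            v = (v << 8) | b;
        }
        return v;
    }

    /** A stream whose skip() always returns 0; legal under the InputStream contract. */
    static final class NoSkipStream extends InputStream {
        private final InputStream delegate;
        NoSkipStream(InputStream d) { delegate = d; }
        @Override public int read() throws IOException { return delegate.read(); }
        @Override public long skip(long n) { return 0; }
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = new byte[64];   // constructed sample input: 64 bytes of zeros

        // Hardened skip terminates on a non-skipping stream (skipFullyNaive would hang here).
        long n = skipFully(new NoSkipStream(new ByteArrayInputStream(payload)), 100);
        System.out.println("skipped " + n + " of 100 requested; stream held 64");

        // Corrupt length field claiming ~2 GiB: rejected before any allocation is attempted.
        byte[] corrupt = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        try {
            readLengthPrefixed(new ByteArrayInputStream(corrupt));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two checks correspond to the two CVE categories proposed in the thread: the progress check turns an unbounded loop into a loop bounded by the stream's actual length, and the length cap turns an attacker-controlled allocation into a parse error. Both failure modes are reachable with a single corrupt file and no other preconditions, which is why a practitioner reviewing any parser for untrusted documents looks for a skip or read loop without a no-progress exit and for `new byte[len]` where `len` comes straight from the input.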