poi-user mailing list archives

From "Allison, Timothy B." <talli...@mitre.org>
Subject RE: RE: [ANNOUNCE] Apache POI 3.17 released
Date Wed, 27 Sep 2017 17:22:45 GMT
I'm sorry for taking so long to get back to you.  After discussing with fellow devs, we'd prefer
not to open a separate CVE for each item.  In looking at the items you helpfully gathered,
we can categorize by type of problem and file formats affected.  I don't think we need to
open a CVE for NPE or other parse exceptions (61286, 61287, 61059, pull53).  For the others,
we could open a single CVE based on the poi-release (hey, these are now fixed in version 3.17)
or we might open two -- one for permanent hangs, one for OOM?  My preference would be one
CVE based on POI release.  

A full description in that one CVE will allow users to determine if 3.17 would protect them
based on file type -- your main goal, right?

To fellow Devs and David, how does this sound?

DETAILS:

This is my understanding, please let me know if I've missed any or misunderstood the impacts.

61338 permanent hang: WMF
61295 OOM: doc, ppt, xls
61294 permanent hang: macros, wmf, emf, msg
52372 OOM: doc, ppt, xls

61286, 61287, 61059, pull 53 -- not an OOM or permahang

-----Original Message-----
From: davidedillard@gmail.com [mailto:davidedillard@gmail.com] 
Sent: Tuesday, September 19, 2017 2:44 PM
To: user@poi.apache.org
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released

On 2017-09-19 07:56, "Allison, Timothy B." <tallison@mitre.org> wrote: 
> David,
>   Thank you for raising this issue.  If fellow devs are +1, I can fill out the paperwork.  Single CVE or multiple?
> 

My suggestion would be one CVE for each issue.  That way if a consuming project isn't affected
by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer
doesn't use) they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since
3.16:

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too
serious.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@poi.apache.org For additional commands, e-mail: user-help@poi.apache.org


