Bug#825501: CVE-2016-4434

Salvatore Bonaccorso carnil at debian.org
Thu Jan 18 21:36:24 UTC 2018


Hi Faidon,

On Fri, Jan 12, 2018 at 07:54:58PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > > please see http://seclists.org/oss-sec/2016/q2/413  for details.
> > 
> > That link says:
> >   Versions Affected: 
> >   Apache Tika 0.10 to 1.12
> > 
> > So perhaps 1.5 isn't affected after all? I tried to find the relevant
> > commit in the upstream git but failed :(
> 
> Commit https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93
> in 1.17 added a test case, so this might be related to changes in Xerces/J
> which are possibly bundled by Tika downloads? Might be worth clarifying with
> Tim Allison <tallison at apache.org>.

Above, you said "so perhaps 1.5 isn't affected after all?". But why
this conclusion? 1.5 as currently in unstable and oldstable present
falls within the affected range of 0.15 and 1.12.

The issue is claimed to be fixed in upstream 1.13 (and as Moritz
pointed out a test was added). Comparing commits between 1.12 and 1.13
I was unable to isolate the relevant commit(s), but there are some
touching the code for "OOXML files and XMP in PDF and other file
formats".

So yes, maybe Tim Allison can help identify which are the required
commits, but the best course might just be to try to update to the newest
upstream version for unstable.

Regards,
Salvatore