[Pkg-puppet-devel] Bug#825501: CVE-2016-4434

Cyril Brulebois kibi at debian.org
Mon Dec 31 00:13:51 GMT 2018


Heya,

Not the maintainer either, just joining the fun to see if I can help get
stuff to move; my main motivation behind this is trying to get the
puppetdb → pantomime-clojure → tika dependency chain in a suitable state
for buster (other *-clojure packages need fixing, but FTBFSes have
patches/MRs now, and uploads should be happening soon enough; but
there's still comidi-clojure's #889125 to keep me busy anyway…)


Salvatore Bonaccorso <carnil at debian.org> (2018-01-18):
> The issue is claimed to be fixed in upstream 1.13 (and as Moritz
> pointed out a test was added. Comparing commits between 1.12 and 1.13
> I was unable to isolate the relevant commit(s), but there are some
> touching the code for "OOXML files and XMP in PDF and other file
> formats".

Right, I haven't been able to pinpoint the exact changes, but those
could be “hidden” in things like pdfbox version bumps, etc. Even if a
specific fix for 1.5 were identified, it seems hard to get it to
build; I've tried that just to see what was feasible, and it doesn't
look good anyway:

  https://bugs.debian.org/850798#12

Not being a Java expert, I've then moved to giving the latest upstream
release (1.20) a shot, but there were too many red things, so I've tried
to aim at 1.13 “only”, to get this CVE addressed.

My WIP is available there:
  https://salsa.debian.org/kibi/tika
  https://salsa.debian.org/kibi/tika/commits/master

Downloaded and imported 1.13 with uscan, then failed to apply patches,
(almost) all of which I've disabled. I've numbered mine 90+ for easy
identification.

First failure was missing version for junit dependencies:
| [ERROR] [ERROR] Some problems were encountered while processing the POMs:
| […]
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-serialization:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-serialization/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-serialization:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-serialization/pom.xml, line 59, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-batch:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-batch/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-batch:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-batch/pom.xml, line 85, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-translate:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-translate/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-translate:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-translate/pom.xml, line 66, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-langdetect:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-langdetect/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-langdetect:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-langdetect/pom.xml, line 64, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-example:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-example/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-example:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-example/pom.xml, line 114, column 17

Hence debian/patches/90-add-junit-version.patch


Next failure:
| [ERROR] Error resolving version for plugin 'org.apache.maven.plugins:maven-javadoc-plugin' from the repositories [local (/home/kibi/hack/bsp/puppetdb-builds/tika.git/debian/maven-repo), central (https://repo.maven.apache.org/maven2)]: Plugin not found in any plugin repository -> [Help 1]

so I've added libmaven-javadoc-plugin-java to B-D-I.


Next failure, an unknown package:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO] 
| [INFO] Apache Tika parent ................................. FAILURE [  0.011 s]
| [INFO] Apache Tika core ................................... SKIPPED
| [INFO] Apache Tika parsers ................................ SKIPPED
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] ------------------------------------------------------------------------
| [INFO] BUILD FAILURE
| [INFO] ------------------------------------------------------------------------
| [INFO] Total time:  1.033 s
| [INFO] Finished at: 2018-12-30T23:56:45Z
| [INFO] ------------------------------------------------------------------------
| [ERROR] Plugin de.thetaphi:forbiddenapis:2.0 or one of its dependencies could not be resolved: Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact de.thetaphi:forbiddenapis:jar:2.0 has not been downloaded from it before. -> [Help 1]

so I've patched it out, esp. given we have these comments:
|       <!-- The Tika Bundle has no java code of its own, so no need to do -->
|       <!--  any forbidden API checking against it (it gets confused...) -->

and it's marked skip=true, which made it look optional enough…

Hence debian/patches/91-drop-forbiddenapis-dependency.patch


Next issue:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO] 
| [INFO] Apache Tika parent ................................. SUCCESS [  0.004 s]
| [INFO] Apache Tika core ................................... SUCCESS [  4.768 s]
| [INFO] Apache Tika parsers ................................ FAILURE [  0.007 s]
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] ------------------------------------------------------------------------
| [INFO] BUILD FAILURE
| [INFO] ------------------------------------------------------------------------
| [INFO] Total time:  5.829 s
| [INFO] Finished at: 2018-12-31T00:01:51Z
| [INFO] ------------------------------------------------------------------------
| [ERROR] Error resolving version for plugin 'org.codehaus.gmaven:groovy-maven-plugin' from the repositories [local (/home/kibi/hack/bsp/puppetdb-builds/tika.git/debian/maven-repo), central (https://repo.maven.apache.org/maven2)]: Plugin not found in any plugin repository -> [Help 1]

so I've patched it out, as it appears in a profile with the “testSetup”
id, which I thought might not be entirely needed.

Hence debian/patches/92-drop-groovy-maven-plugin-dependency.patch


Next issue:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO] 
| [INFO] Apache Tika parent ................................. SUCCESS [  0.002 s]
| [INFO] Apache Tika core ................................... SUCCESS [  4.163 s]
| [INFO] Apache Tika parsers ................................ FAILURE [  0.127 s]
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] ------------------------------------------------------------------------
| [INFO] BUILD FAILURE
| [INFO] ------------------------------------------------------------------------
| [INFO] Total time:  5.366 s
| [INFO] Finished at: 2018-12-31T00:06:02Z
| [INFO] ------------------------------------------------------------------------
| [ERROR] Failed to execute goal on project tika-parsers: Could not resolve dependencies for project org.apache.tika:tika-parsers:jar:1.13: The following artifacts could not be resolved: org.apache.tika:tika-core:jar:tests:debian, org.gagravarr:vorbis-java-tika:jar:debian, com.healthmarketscience.jackcess:jackcess:jar:debian, com.healthmarketscience.jackcess:jackcess-encrypt:jar:debian, net.sourceforge.jmatio:jmatio:jar:debian, org.apache.pdfbox:pdfbox-tools:jar:debian, com.rometools:rome:jar:debian, org.codelibs:jhighlight:jar:debian, com.pff:java-libpst:jar:debian, com.github.junrar:junrar:jar:debian, org.apache.cxf:cxf-rt-rs-client:jar:debian, org.xerial:sqlite-jdbc:jar:debian, org.apache.opennlp:opennlp-tools:jar:debian, org.apache.commons:commons-exec:jar:debian, com.googlecode.json-simple:json-simple:jar:debian, org.json:json:jar:debian, com.google.code.gson:gson:jar:debian, com.github.jai-imageio:jai-imageio-core:jar:debian, edu.ucar:netcdf4:jar:debian, edu.ucar:grib:jar:debian, edu.ucar:cdm:jar:debian, edu.ucar:httpservices:jar:debian, org.apache.commons:commons-csv:jar:debian, org.apache.sis.core:sis-utility:jar:debian, org.apache.sis.storage:sis-netcdf:jar:debian, org.apache.sis.core:sis-metadata:jar:debian, org.opengis:geoapi:jar:debian, org.apache.ctakes:ctakes-core:jar:debian, com.fasterxml.jackson.core:jackson-core:jar:debian: Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact org.apache.tika:tika-core:jar:tests:debian has not been downloaded from it before. -> [Help 1]

As I've seen other patches marking similar dependencies as optional in
tika-parsers/pom.xml, I've tried to mimic that; unfortunately without
any changes in the output.

Anyway, this is debian/patches/93-mark-parsers-dependencies-as-optional.patch


Some advice on where to go from here would be welcome: does it make
sense to try and get the right hammer to get 1.13 in a buildable state?
Should one try to package 1.20 instead anyway? Please note I haven't even
checked yet what version could work for pantomime-clojure.

(I've cc'ed the Puppet Package Maintainers on this mail for wider reach.)


Cheers,
-- 
Cyril Brulebois (kibi at debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant