[Pkg-puppet-devel] Bug#825501: CVE-2016-4434

Salvatore Bonaccorso carnil at debian.org
Mon Dec 31 07:04:18 GMT 2018


Hi Cyril,

[I have not looked in detail at your proposal; this is mainly focusing on
one item below]

On Mon, Dec 31, 2018 at 01:13:51AM +0100, Cyril Brulebois wrote:
> Heya,
> 
> Not the maintainer either, just joining the fun to see if I can help get
> stuff to move; my main motivation behind this is trying to get the
> puppetdb → pantomime-clojure → tika dependency chain in a suitable state
> for buster (other *-clojure packages need fixing, but FTBFSes have
> patches/MRs now, and uploads should be happening soon enough; but
> there's still comidi-clojure's #889125 to keep me busy anyway…)
> 
> 
> Salvatore Bonaccorso <carnil at debian.org> (2018-01-18):
> > The issue is claimed to be fixed in upstream 1.13 (and as Moritz
> > pointed out a test was added. Comparing commits between 1.12 and 1.13
> > I was unable to isolate the relevant commit(s), but there are some
> > touching the code for "OOXML files and XMP in PDF and other file
> > formats".
> 
> Right, I haven't been able to pinpoint the exact changes, but those
> could be “hidden” in things like pdfbox version bumps, etc. Even if a
> specific fix for 1.5 would be identified, it seems hard to get it to
> build; I've tried that just to see what was feasible, and it doesn't
> look good anyway:
> 
>   https://bugs.debian.org/850798#12
> 
> Not being a Java expert, I've then moved to giving the latest upstream
> release (1.20) a shot, but there were too many red things, so I've tried
> to aim at 1.13 “only”, to get this CVE addressed.

I think though that would not be sensible, in the following way: the
mentioned CVE is not the only one affecting it; currently there are the
following open ones (some have associated Debian BTS bug reports, others
have not yet):

https://security-tracker.debian.org/tracker/source-package/tika

Furthermore, if we only update to 1.13, there are likely some of the
currently <not-affected> CVEs which will make tika affected, because
the issue was introduced post-1.5. One example of this is
CVE-2016-6809, where the Matlab file parser was only introduced in 1.6
and the issue fixed in 1.14. Or CVE-2018-17197, which affects 1.8 to
1.19.1. CVE-2018-1338, which was introduced in 1.7. CVE-2018-1335,
present from 1.7 to 1.17.

There might be others, so I think the new upstream version fixing all
known current CVEs is actually needed.

Regards,
Salvatore
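The version-range argument above, as an added Python sketch that is not part of the thread and not a Debian security-tracker tool: it encodes the introduced/fixed bounds quoted in the mail and reports which CVEs an upgrade from 1.5 to a candidate target fixes versus newly exposes. Where the mail gives no bound (for example the fix version for CVE-2018-1338), the entry is left as None and assumed still open.

```python
"""Which Tika CVEs does a given upgrade target fix, and which does it newly expose?

Constructed data: bounds are the ones quoted in the mail; None means the
mail gives no bound, so the range is treated as unbounded on that side.
"""


def parse_version(v: str) -> tuple:
    """'1.19.1' -> (1, 19, 1); pad to three parts so 1.13 compares as 1.13.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


# (cve, introduced (inclusive), fixed (exclusive), last_affected (inclusive))
CVES = [
    ("CVE-2016-4434", None, "1.13", None),       # affects 1.5, fixed in 1.13
    ("CVE-2016-6809", "1.6", "1.14", None),      # Matlab parser added in 1.6, fixed in 1.14
    ("CVE-2018-17197", "1.8", None, "1.19.1"),   # affects 1.8 to 1.19.1
    ("CVE-2018-1338", "1.7", None, None),        # introduced in 1.7; fix version not given in the mail
    ("CVE-2018-1335", "1.7", None, "1.17"),      # present from 1.7 to 1.17
]


def affected(entry: tuple, version: str) -> bool:
    """True if `version` falls inside the CVE's affected range."""
    _, intro, fixed, last = entry
    v = parse_version(version)
    if intro is not None and v < parse_version(intro):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    if last is not None and v > parse_version(last):
        return False
    return True


def open_cves(version: str) -> list:
    """Sorted list of CVE ids that affect the given version."""
    return sorted(e[0] for e in CVES if affected(e, version))


def upgrade_delta(current: str, target: str) -> dict:
    """Compare the open-CVE sets before and after an upgrade."""
    before, after = set(open_cves(current)), set(open_cves(target))
    return {
        "fixed": sorted(before - after),
        "newly_exposed": sorted(after - before),
        "still_open": sorted(after & before),
    }


if __name__ == "__main__":
    # 1.5 -> 1.13 closes CVE-2016-4434 but opens four others; 1.20 leaves only the unbounded entry.
    print(upgrade_delta("1.5", "1.13"))
    print(open_cves("1.20"))
```

The remaining entry at 1.20 is CVE-2018-1338, which stays "open" only because the mail states no fix version for it; the tracker link above is where that bound would come from.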
