libapache-poi-java: CVE-2017-12626: Denial of Service Vulnerabilities

Related Vulnerabilities: CVE-2017-12626   CVE-2017-5644  

Debian Bug report logs - #888651


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 28 Jan 2018 12:24:02 UTC

Severity: important

Tags: security, upstream

Found in version libapache-poi-java/3.10.1-1

Fixed in version libapache-poi-java/3.17-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888651; Package src:libapache-poi-java. (Sun, 28 Jan 2018 12:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 28 Jan 2018 12:24:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache-poi-java: CVE-2017-12626: Denial of Service Vulnerabilities
Date: Sun, 28 Jan 2018 13:22:01 +0100
Source: libapache-poi-java
Version: 3.10.1-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libapache-poi-java. I
was not able to verify each of the upstream bugs, but according
to [1] all versions prior to 3.17 are affected.

CVE-2017-12626[0]:
Denial of Service Vulnerabilities

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12626
[1] http://www.openwall.com/lists/oss-security/2018/01/26/7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#888651. (Thu, 17 Jan 2019 10:12:07 GMT)


Message #8 received at 888651-submitter@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 888651-submitter@bugs.debian.org
Subject: Bug #888651 in libapache-poi-java marked as pending
Date: Thu, 17 Jan 2019 10:09:36 +0000
Control: tag -1 pending

Hello,

Bug #888651 in libapache-poi-java reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/libapache-poi-java/commit/52d865ad29329a4f8eadebe56cf075b7b893d3b5

------------------------------------------------------------------------
The new release fixes CVE-2017-12626 (Closes: #888651)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/888651



Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to 888651-submitter@bugs.debian.org. (Thu, 17 Jan 2019 10:12:07 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Thu, 17 Jan 2019 10:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 17 Jan 2019 10:39:07 GMT)


Message #15 received at 888651-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 888651-close@bugs.debian.org
Subject: Bug#888651: fixed in libapache-poi-java 3.17-1
Date: Thu, 17 Jan 2019 10:35:06 +0000
Source: libapache-poi-java
Source-Version: 3.17-1

We believe that the bug you reported is fixed in the latest version of
libapache-poi-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libapache-poi-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Jan 2019 10:43:53 +0100
Source: libapache-poi-java
Binary: libapache-poi-java libapache-poi-java-doc
Architecture: source
Version: 3.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libapache-poi-java - Apache POI - Java API for Microsoft Documents
 libapache-poi-java-doc - Apache POI - Java API for Microsoft Documents (Documentation)
Closes: 800958 858301 888651
Changes:
 libapache-poi-java (3.17-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #800958)
     - Fixes CVE-2017-5644: XML Entity Expansion (XEE) attack with specially
       crafted OOXML file (Closes: #858301)
     - Fixes CVE-2017-12626: Infinite Loops while parsing crafted WMF, EMF, MSG
       and macros. Out of memory errors while parsing crafted DOC, PPT and XLS
       (Closes: #888651)
     - Refreshed the patches
     - New dependencies on libcurvesapi-java and libcommons-collections4-java
     - Updated the path to the Maven artifacts produced by the build
     - Added xmlbeans to the build classpath
     - Patched the xsds to resolve the external schemas in offline mode
     - Disabled the JMH benchmarks
   * Build with Java 8 temporarily
   * Standards-Version updated to 4.3.0
Checksums-Sha1:
 f3709123708d1e328d320baa668b2e065e4a96f3 2504 libapache-poi-java_3.17-1.dsc
 6b31a72cdca37494362ca9a0dc9b2095d543ff26 71723032 libapache-poi-java_3.17.orig.tar.xz
 3a3bebb374f4a459482092f1d5d115814e8aa03a 11736 libapache-poi-java_3.17-1.debian.tar.xz
 309fe75367457bc457c1165558a61071865fcf2c 14547 libapache-poi-java_3.17-1_source.buildinfo
Checksums-Sha256:
 112ae1fe5383bdaa9cf1db75b0eb65da5a319e4cf3efc5eb71732267e7bb2ba1 2504 libapache-poi-java_3.17-1.dsc
 d6491e73830b0331e66a431fd9823f682ac1a81b80412f28658d32018b6dec1e 71723032 libapache-poi-java_3.17.orig.tar.xz
 319489d9cf3b659f8d3369d53dc61c71c8e44558a064a13a9edcca473a6d677e 11736 libapache-poi-java_3.17-1.debian.tar.xz
 3dc591d35fdf0bc203a3744ca0e11bc1d0c4d44b79541005407462f94dc72296 14547 libapache-poi-java_3.17-1_source.buildinfo
Files:
 490ac72e18356a51470a5107d2a61f01 2504 java optional libapache-poi-java_3.17-1.dsc
 85b30b6906fc2943cf2817c4f718b323 71723032 java optional libapache-poi-java_3.17.orig.tar.xz
 c747cabf11998ed0a73aa6a9cfa3a1cd 11736 java optional libapache-poi-java_3.17-1.debian.tar.xz
 955554d170ef838800e4a1543c728bcf 14547 java optional libapache-poi-java_3.17-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2019 07:29:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:42:00 2019; Machine Name: beach
