tika: CVE-2018-1339

Related vulnerabilities: CVE-2018-1339, CVE-2016-4434

Debian Bug report logs - #900000


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 24 May 2018 14:27:01 UTC

Severity: important

Tags: security, upstream

Found in version tika/1.5-1

Fixed in version tika/1.18-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#900000; Package src:tika. (Thu, 24 May 2018 14:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 24 May 2018 14:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tika: CVE-2018-1339
Date: Thu, 24 May 2018 16:24:12 +0200
Source: tika
Version: 1.5-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for tika. Could you double-check
the issue?

CVE-2018-1339[0]:
| A carefully crafted (or fuzzed) file can trigger an infinite loop in
| Apache Tika's ChmParser in versions of Apache Tika before 1.18.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1339
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1339
[1] http://www.openwall.com/lists/oss-security/2018/04/25/7

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#900000. (Sat, 19 Jan 2019 23:12:09 GMT)


Message #8 received at 900000-submitter@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 900000-submitter@bugs.debian.org
Subject: Bug #900000 in tika marked as pending
Date: Sat, 19 Jan 2019 23:10:55 +0000
Control: tag -1 pending

Hello,

Bug #900000 in tika reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/tika/commit/ff469711c0cb61e3d33b5d153ec7eb62d4a0eb81

------------------------------------------------------------------------
The new release fixes CVE-2018-1339 (Closes: #900000)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/900000



Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to 900000-submitter@bugs.debian.org. (Sat, 19 Jan 2019 23:12:09 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Sat, 19 Jan 2019 23:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 19 Jan 2019 23:39:09 GMT)


Message #15 received at 900000-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 900000-close@bugs.debian.org
Subject: Bug#900000: fixed in tika 1.18-1
Date: Sat, 19 Jan 2019 23:35:47 +0000
Source: tika
Source-Version: 1.18-1

We believe that the bug you reported is fixed in the latest version of
tika, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated tika package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 20 Jan 2019 00:08:04 +0100
Source: tika
Binary: libtika-java
Architecture: source
Version: 1.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libtika-java - Apache Tika - content analysis toolkit
Closes: 825501 900000
Changes:
 tika (1.18-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2016-4434: XML External Entity vulnerability (Closes: #825501)
     - Fixes CVE-2018-1339: Infinite loop in the CHM parser (Closes: #900000)
     - Refreshed the patches
     - Ignore the new dl, eval, langdetect and nlp modules
     - New dependencies on libcommons-exec-java, libjackson2-annotations-java,
       libjackson2-core-java, libjackson2-databind-java, libhttpmime-java,
       libjsoup-java, libuima-core-java, libandroid-json-org-java
       and libjson-simple-java
     - Depend on libpdfbox2-java instead of libpdfbox-java
     - Depend on librome-java (>= 1.6)
     - Depend on libapache-mime4j-java (>= 0.8.1)
     - Depend on libapache-poi-java (>= 3.17)
     - Ignore the new parsers with missing dependencies
   * Enabled the mp4 parser
   * Fixed the build failure with Java 11




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2019 07:24:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:08:36 2019; Machine Name: beach
