Debian Bug report logs - #900000

tika: CVE-2018-1339

Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, 24 May 2018 14:27:01 UTC Severity: important Tags: security, upstream Found in version tika/1.5-1 Fixed in version tika/1.18-1 Done: Emmanuel Bourg <ebourg@apache.org> Bug is archived. No further changes may be made.

Toggle useless messages

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> :

Bug#900000 ; Package src:tika . (Thu, 24 May 2018 14:27:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org> :

New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> . (Thu, 24 May 2018 14:27:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: tika: CVE-2018-1339 Date: Thu, 24 May 2018 16:24:12 +0200

Source: tika Version: 1.5-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for tika. Could you double check the issue. CVE-2018-1339[0]: | A carefully crafted (or fuzzed) file can trigger an infinite loop in | Apache Tika's ChmParser in versions of Apache Tika before 1.18. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-1339 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1339 [1] http://www.openwall.com/lists/oss-security/2018/04/25/7 Regards, Salvatore

Message sent on to Salvatore Bonaccorso <carnil@debian.org> :

Bug#900000. (Sat, 19 Jan 2019 23:12:09 GMT) (full text, mbox, link).

Message #8 received at 900000-submitter@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org> To: 900000-submitter@bugs.debian.org Subject: Bug #900000 in tika marked as pending Date: Sat, 19 Jan 2019 23:10:55 +0000

Control: tag -1 pending Hello, Bug #900000 in tika reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/java-team/tika/commit/ff469711c0cb61e3d33b5d153ec7eb62d4a0eb81 ------------------------------------------------------------------------ The new release fixes CVE-2018-1339 (Closes: #900000) ------------------------------------------------------------------------ (this message was generated automatically) -- Greetings https://bugs.debian.org/900000

Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to 900000-submitter@bugs.debian.org . (Sat, 19 Jan 2019 23:12:09 GMT) (full text, mbox, link).

Reply sent to Emmanuel Bourg <ebourg@apache.org> :

You have taken responsibility. (Sat, 19 Jan 2019 23:39:09 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org> :

Bug acknowledged by developer. (Sat, 19 Jan 2019 23:39:09 GMT) (full text, mbox, link).

Message #15 received at 900000-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org> To: 900000-close@bugs.debian.org Subject: Bug#900000: fixed in tika 1.18-1 Date: Sat, 19 Jan 2019 23:35:47 +0000

Source: tika Source-Version: 1.18-1 We believe that the bug you reported is fixed in the latest version of tika, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 900000@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Emmanuel Bourg <ebourg@apache.org> (supplier of updated tika package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 20 Jan 2019 00:08:04 +0100 Source: tika Binary: libtika-java Architecture: source Version: 1.18-1 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Emmanuel Bourg <ebourg@apache.org> Description: libtika-java - Apache Tika - content analysis toolkit Closes: 825501 900000 Changes: tika (1.18-1) unstable; urgency=medium . * New upstream release - Fixes CVE-2016-4434: XML External Entity vulnerability (Closes: #825501) - Fixes CVE-2018-1339: Infinite loop in the CHM parser (Closes: #900000) - Refreshed the patches - Ignore the new dl, eval, langdetect and nlp modules - New dependencies on libcommons-exec-java, libjackson2-annotations-java, libjackson2-core-java, libjackson2-databind-java, libhttpmime-java, libjsoup-java, libuima-core-java, libandroid-json-org-java and libjson-simple-java - Depend on libpdfbox2-java instead of libpdfbox-java - Depend on librome-java (>= 1.6) - Depend on libapache-mime4j-java (>= 0.8.1) - Depend on libapache-poi-java (>= 3.17) - Ignore the new parsers with missing dependencies * Enabled the mp4 parser * Fixed the build failure with Java 11 Checksums-Sha1: 575e3b998aa917b405dc0d860d9254055ed35a9b 2668 tika_1.18-1.dsc 5e3296e786017f6c48e5b037119e67def2b7b108 2460536 tika_1.18.orig.tar.xz 7fa2e01a7b678acd0028c6f39ca57fc6ac76366c 7320 tika_1.18-1.debian.tar.xz 1921c9105f2727a8094a9d2d906b0334f3598307 16596 tika_1.18-1_source.buildinfo Checksums-Sha256: 64eaa3dedec4a74f16b9d4b753aff226f671fa3399817e137dceb74e1828b84b 2668 tika_1.18-1.dsc b107c1519f69cc041185984a765cc210d84063a77376ff7d726b504284be24d7 2460536 tika_1.18.orig.tar.xz ef44ba42e64edd844bc4c410039278a2e49e904026d979f23a07e9e9f0c5a676 7320 tika_1.18-1.debian.tar.xz b4c7d09d00afdb25f263a7f9fa78e4a911d2009e4bd79a5f1bd033615ce81284 16596 tika_1.18-1_source.buildinfo Files: 76ece2170ee72d09da4f0a28e64b7156 2668 java optional tika_1.18-1.dsc 8a059ae0583ee590437b70cbddcb1473 2460536 java optional tika_1.18.orig.tar.xz 36aadb1079dfa3e34c4bb767b39eed56 7320 java optional tika_1.18-1.debian.tar.xz 3fd0aaefd99a576a824db645f2da4892 16596 java optional tika_1.18-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlxDrmESHGVib3VyZ0Bh cGFjaGUub3JnAAoJEPUTxBnkudCs2MYQAKv03Susi/IF0UkPZ6noCfvtzDewzewe dNG7p6izgZd01FNPc+Tv4glLHbsN0LpU/OGVZgf4UJFld6pwmVPQr0msy171tjmr A+UkQKeARq4zMPAAbs0tbtENEkTo2tNK6KfYil/Zu6fWkC4fy0aDgCwgubux0xoW p1wrSxQ4IiSioNkI0abE/P5QguwSCiuX89rj0Y+VGcKuIrTm8tu2l33bvpgHDHXJ m2iyB7EtvwlaEdSjkH8sPusAuutb/1d4gofCNwV5OoVsKBKv8RN73yxExeDf7K9e mdFDMh1LnLx+7tCRwH1kEN1vwvKviuv60SLKcnfp9JyQ8g76fZn0WQCpo6HGMrij lIgXvDE94O2+R09CqpJJVl7fe6GjVJo7DUnHOLnqHX7wx+qtuxoSGavQptSoOvGf /6ITBu6TljTutEWNENcVYqZ1vEoDiODa2cmbYGkxHpjrLl1esnfQdrgGRh/1vKU1 20AvYyFwHDdfqC6T3Cg+cMLDZtnsAiyPkrkrjmCFbMF4u1LJYZ8Luon8uC+vm0Db a03aSS5Y4FY7xDlNPa5iY9ZZWpiAuadezw11riUIqeXPIBur0xJQvLuW4/cWMGAt mGRkHXeN44M1F+Qy4EPhX/t13GPkJ4tF4eiEoNWd0LTbrDPgBP6tXdRoOoY7xc4D D1rUqW6jxCq8 =l2eo -----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org . (Sun, 24 Feb 2019 07:24:46 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.