Re: [ANNOUNCE] Apache POI 3.17 released


Re: [ANNOUNCE] Apache POI 3.17 released

davidedillard@gmail.com
On 2017-09-16 18:06, Andreas Beeker <[hidden email]> wrote:
> The Apache POI project is pleased to announce the release of POI 3.17.
> Featured are a handful of new areas of functionality, and numerous bug fixes.
> Changes
> ------------
> The most notable changes in this release are:
>
> - Various modules: add sanity checks and fix infinite loops / OOMs caused by fuzzed data

I've looked through the specific changes and several appear to be vulnerabilities (e.g. 61294 and 61300 among others).  Is the POI project planning to get CVEs for these issues?  If not, I'm happy to get them myself.  It makes the world a better place :-)


Thanks,

David

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


RE: [ANNOUNCE] Apache POI 3.17 released

Allison, Timothy B.
David,
  Thank you for raising this issue.  If fellow devs are +1, I can fill out the paper work.  Single CVE or multiple?

      Best,

             Tim



RE: [ANNOUNCE] Apache POI 3.17 released

Allison, Timothy B.
Resending with proper cc.  Thank you, Nick!


RE: [ANNOUNCE] Apache POI 3.17 released

Javen O'Neal-2
+1, two CVEs.


Re: RE: [ANNOUNCE] Apache POI 3.17 released

davidedillard@gmail.com
On 2017-09-19 07:56, "Allison, Timothy B." <[hidden email]> wrote:
> David,
>   Thank you for raising this issue.  If fellow devs are +1, I can fill out the paper work.  Single CVE or multiple?
>

My suggestion would be one CVE for each issue.  That way if a consuming project isn't affected by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer doesn't use) they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since 3.16:

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too serious.


Re: RE: [ANNOUNCE] Apache POI 3.17 released

pj.fanning
Would it be possible to consider moving the H??F code to a separate jar? That
is, having the shared code in poi.jar but the X??F impls in poi-ooxml.jar
and the H??F impls in poi-legacy.jar (or some better name).
I would assume that a lot of the CVEs would relate to H??F code.
In my team, we only use the XSSF code and our Security team disapprove of us
using jar versions with any CVEs listed for them. poi-ooxml.jar depends on
poi.jar and any H??F related CVEs would affect the poi.jar as things stand.




Re: RE: [ANNOUNCE] Apache POI 3.17 released

Javen O'Neal-2
Any other opinions on if and how many CVEs we need to request? We need to get back to the requestor.


RE: RE: [ANNOUNCE] Apache POI 3.17 released

Allison, Timothy B.
Thank you for the ping.  I'll respond now, and we can discuss from there.


RE: RE: [ANNOUNCE] Apache POI 3.17 released

Allison, Timothy B.
I'm sorry for taking so long to get back to you.  After discussing with fellow devs, we'd prefer not to open a separate CVE for each item.  In looking at the items you helpfully gathered, we can categorize by type of problem and file formats affected.  I don't think we need to open a CVE for NPE or other parse exceptions (61286, 61287, 61059, pull53).  For the others, we could open a single CVE based on the poi-release (hey, these are now fixed in version 3.17) or we might open two -- one for permanent hangs, one for OOM?  My preference would be one CVE based on POI release.  

A full description in that one CVE will allow users to determine if 3.17 would protect them based on file type -- your main goal, right?

To fellow Devs and David, how does this sound?

DETAILS:

This is my understanding, please let me know if I've missed any or misunderstood the impacts.

61338 permanent hang: WMF
61295 OOM: doc, ppt, xls
61294 permanent hang: macros, wmf, emf, msg
52372 OOM: doc, ppt, xls

61286, 61287, 61059, pull 53 -- not an OOM or permahang

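The two bug classes the thread sorts the 3.17 fixes into, permanent hangs and OOMs on fuzzed input, come from a recurring pair of parser mistakes: a skip loop that assumes the stream always makes progress, and an allocation whose size is read straight from the file. The following is an added illustration, not Apache POI's code and not its fix for any of the numbered bugs above. The record layout (a 32-bit little-endian length prefix), the `MAX_RECORD_LENGTH` ceiling and the `NoSkipStream` test double are assumptions made for the example only.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Illustrative code (not Apache POI's): the two denial-of-service bug classes
 * discussed in the thread, each beside a hardened version.
 */
public class FuzzedInputGuards {

    /** Ceiling for a single length-prefixed record; the value is an assumption for this example. */
    static final int MAX_RECORD_LENGTH = 1 << 20;

    /** Unhardened skip. InputStream.skip() may legally return 0 forever, so this can spin. */
    static void skipFullyNaive(InputStream in, long len) throws IOException {
        long remaining = len;
        while (remaining > 0) {
            remaining -= in.skip(remaining);   // 0 returned means no progress: infinite loop
        }
    }

    /**
     * Hardened skip: when skip() makes no progress, consume one byte with read()
     * and stop at EOF. Returns the number of bytes actually skipped.
     */
    static long skipFully(InputStream in, long len) throws IOException {
        long remaining = len;
        while (remaining > 0) {
            long skipped = in.skip(remaining);
            if (skipped <= 0) {
                if (in.read() < 0) {
                    break;                       // EOF: stop instead of spinning
                }
                skipped = 1;
            }
            remaining -= skipped;
        }
        return len - remaining;
    }

    /** Unhardened record read: trusts the 32-bit length field and allocates whatever it says. */
    static byte[] readRecordNaive(byte[] data) {
        ByteBuffer bb = ByteBuffer.wrap(data).order(ByteOrder.LITTLE_ENDIAN);
        int len = bb.getInt();
        byte[] payload = new byte[len];          // fuzzed 0x7FFFFFFF: OutOfMemoryError
        bb.get(payload);
        return payload;
    }

    /** Hardened record read: bound the length by what remains and by a fixed ceiling. */
    static byte[] readRecord(byte[] data) throws IOException {
        ByteBuffer bb = ByteBuffer.wrap(data).order(ByteOrder.LITTLE_ENDIAN);
        if (bb.remaining() < 4) {
            throw new IOException("truncated length field");
        }
        int len = bb.getInt();
        if (len < 0 || len > MAX_RECORD_LENGTH || len > bb.remaining()) {
            throw new IOException("record length " + len + " exceeds remaining "
                    + bb.remaining() + " or ceiling " + MAX_RECORD_LENGTH);
        }
        byte[] payload = new byte[len];
        bb.get(payload);
        return payload;
    }

    /** Test double (constructed for the demo): a stream whose skip() always reports no progress. */
    static class NoSkipStream extends ByteArrayInputStream {
        NoSkipStream(byte[] buf) { super(buf); }
        @Override public long skip(long n) { return 0; }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a length field of 0x7FFFFFFF followed by three payload bytes,
        // and a well-formed record with length 3.
        byte[] corrupt = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x7F, 1, 2, 3};
        byte[] sane    = {3, 0, 0, 0, 1, 2, 3};

        System.out.println("sane record length: " + readRecord(sane).length);
        try {
            readRecord(corrupt);
        } catch (IOException e) {
            System.out.println("corrupt record rejected: " + e.getMessage());
        }
        // readRecordNaive(corrupt) would attempt a 2 GiB allocation and die with OutOfMemoryError.

        // skip() reports 0 every time; the hardened loop still terminates at EOF.
        long skipped = skipFully(new NoSkipStream(new byte[10]), 1000);
        System.out.println("skipped " + skipped + " of 1000 requested before EOF");
        // skipFullyNaive(new NoSkipStream(new byte[10]), 1000) never returns.
    }
}
```

`skipFullyNaive` spins as soon as the underlying stream reports no progress, which `InputStream.skip()` is permitted to do; `readRecordNaive` lets a length field from the file choose the allocation size. The hardened versions force progress through `read()` and stop at EOF, and bound the allocation both by the bytes that are actually present and by a hard ceiling. Both failure modes are what the thread means by denial of service: no memory corruption, but the JVM hangs or runs out of heap on a crafted file, which is exactly the impact a consumer needs from the CVE text to decide whether the file types it parses are affected.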