Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2
    • Component/s: parser

      Description

      There's a denial of service vulnerability (CVE-2012-2098) in Commons Compress versions up to 1.4 (we currently use 1.3) that can be triggered with a specially crafted bzip2 document.

      Tika already has higher-level features (ForkParser, etc.) for dealing with problems like this, but it would in any case be good to upgrade our Commons Compress dependency to the new 1.4.1 release that fixes the vulnerability.

        Activity

        bodewig Stefan Bodewig added a comment -

        While I think Tika would benefit from upgrading anyway (POSIX tar support in 1.4) I don't think the security issue is relevant to you as it only occurs when writing bzip2 streams, not when reading them.

        jukkaz Jukka Zitting added a comment -

        Indeed, good point! As you say, upgrading to 1.4(.1) would in any case be a good idea, so I'll go forward with this.

        jukkaz Jukka Zitting added a comment -

        Done in revisions 1355521 and 1355562.

        In addition to simply upgrading the dependency I also modified the relevant parser and detector code to take advantage of some of the new features (autodetection, new supported formats, etc.) in Commons Compress 1.4.1.

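The format autodetection mentioned in the comment above, as an added example that is not Tika's or Commons Compress's own code: the single-argument CompressorStreamFactory.createCompressorInputStream sniffs the magic bytes of a mark-supporting stream and returns the matching decompressor, so a parser does not have to trust a file extension or a caller-supplied format name. It assumes commons-compress 1.4.1 on the classpath (Maven coordinates org.apache.commons:commons-compress:1.4.1); the class name, the MAX_OUTPUT_BYTES limit and the sample payload are this example's own.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.commons.compress.compressors.CompressorException;
import org.apache.commons.compress.compressors.CompressorInputStream;
import org.apache.commons.compress.compressors.CompressorOutputStream;
import org.apache.commons.compress.compressors.CompressorStreamFactory;

/**
 * Added example (not Tika or Commons Compress code): decompress a stream whose
 * format is not known in advance using CompressorStreamFactory autodetection,
 * and cap the decompressed size so a small input cannot expand without bound.
 * Assumes commons-compress 1.4.1 on the classpath.
 */
public class AutodetectDecompress {

    /** Assumed limit for illustration; a real parser would make this configurable. */
    static final long MAX_OUTPUT_BYTES = 16L * 1024 * 1024;

    /**
     * Returns the decompressed bytes, or throws if no known signature is found
     * or the output exceeds MAX_OUTPUT_BYTES. Autodetection needs mark/reset,
     * hence the BufferedInputStream wrapper.
     */
    static byte[] decompress(byte[] compressed) throws IOException, CompressorException {
        InputStream in = new BufferedInputStream(new ByteArrayInputStream(compressed));
        CompressorInputStream cin = new CompressorStreamFactory().createCompressorInputStream(in);
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = cin.read(buf)) != -1) {
                total += n;
                if (total > MAX_OUTPUT_BYTES) {
                    throw new IOException("decompressed output exceeds " + MAX_OUTPUT_BYTES + " bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            cin.close();
        }
    }

    /** Produces constructed sample input by compressing data with the named format. */
    static byte[] compress(String format, byte[] data) throws IOException, CompressorException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        CompressorOutputStream cos = new CompressorStreamFactory().createCompressorOutputStream(format, bos);
        cos.write(data);
        cos.close();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload; the reader side never learns which format was used.
        byte[] payload = "Tika test payload: autodetect me\n".getBytes(StandardCharsets.UTF_8);
        for (String fmt : new String[] { CompressorStreamFactory.BZIP2, CompressorStreamFactory.GZIP }) {
            byte[] packed = compress(fmt, payload);
            byte[] unpacked = decompress(packed);
            System.out.println(fmt + ": " + packed.length + " -> " + unpacked.length
                    + " bytes, round-trip ok=" + Arrays.equals(payload, unpacked));
        }
        // Input with no recognised signature is refused rather than guessed at.
        try {
            decompress("plain text, no magic bytes".getBytes(StandardCharsets.UTF_8));
        } catch (CompressorException e) {
            System.out.println("unknown format rejected: " + e.getMessage());
        }
    }
}
```

As the comments above note, the issue fixed in 1.4.1 is on the bzip2 writer side, so a read-only consumer is not exposed to it; the output cap in this example is a separate, reader-side precaution against inputs that expand far beyond their compressed size, which autodetection on its own does nothing about.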
        laubrino Lau Brino added a comment -

        Hi, see page http://tika.apache.org/1.2/gettingstarted.html - version 1.3 is still mentioned there...


          People

          • Assignee:
            jukkaz Jukka Zitting
            Reporter:
            jukkaz Jukka Zitting
          • Votes:
            0
            Watchers:
            3
