
Not the maintainer either, just joining the fun to see if I can help get
stuff to move; my main motivation behind this is trying to get the
puppetdb → pantomime-clojure → tika dependency chain in a suitable state
for buster (other *-clojure packages need fixing, but FTBFSes have
patches/MRs now, and uploads should be happening soon enough; but
there's still comidi-clojure's #889125 to keep me busy anyway…)

Salvatore Bonaccorso <car...@debian.org> (2018-01-18):
> The issue is claimed to be fixed in upstream 1.13 (and as Moritz
> pointed out a test was added. Comparing commits between 1.12 and 1.13
> I was unable to isolate the relevant commit(s), but there are some
> touching the code for "OOXML files and XMP in PDF and other file
> formats".

Right, I haven't been able to pinpoint the exact changes, but those
could be “hidden” in things like pdfbox version bumps, etc. Even if a
specific fix for 1.5 were identified, it seems hard to get it to
build; I've tried that just to see what was feasible, and it doesn't
look good anyway:


Not being a Java expert, I've then moved to giving the latest upstream
release (1.20) a shot, but there were too many red things, so I've tried
to aim at 1.13 “only”, to get this CVE addressed.

My WIP is available there:

Downloaded and imported 1.13 with uscan, then failed to apply patches,
(almost) all of which I've disabled. I've numbered mine 90+ for easy

First failure was missing version for junit dependencies:
| [ERROR] [ERROR] Some problems were encountered while processing the POMs:
| […]
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-serialization:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-serialization/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-serialization:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-serialization/pom.xml, line 59, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-batch:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-batch/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-batch:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-batch/pom.xml, line 85, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-translate:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-translate/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-translate:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-translate/pom.xml, line 66, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-langdetect:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-langdetect/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-langdetect:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-langdetect/pom.xml, line 64, column 17
| [ERROR]   
| [ERROR]   The project org.apache.tika:tika-example:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-example/pom.xml) has 1 error
| [ERROR]     'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-example:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-example/pom.xml, line 114, column 17

Hence debian/patches/90-add-junit-version.patch

Next failure:
| [ERROR] Error resolving version for plugin 'org.apache.maven.plugins:maven-javadoc-plugin' from the repositories [local (/home/kibi/hack/bsp/puppetdb-builds/tika.git/debian/maven-repo), central (https://repo.maven.apache.org/maven2)]: Plugin not found in any plugin repository -> [Help 1]

so I've added libmaven-javadoc-plugin-java to B-D-I.

Next failure, an unknown package:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO] 
| [INFO] Apache Tika parent ................................. FAILURE [  0.011 
| [INFO] Apache Tika core ................................... SKIPPED
| [INFO] Apache Tika parsers ................................ SKIPPED
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] 
| [INFO] 
| [INFO] Total time:  1.033 s
| [INFO] Finished at: 2018-12-30T23:56:45Z
| [INFO] 
| [ERROR] Plugin de.thetaphi:forbiddenapis:2.0 or one of its dependencies could not be resolved: Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact de.thetaphi:forbiddenapis:jar:2.0 has not been downloaded from it before. -> [Help 1]

so I've patched it out, esp. given we have these comments:
|       <!-- The Tika Bundle has no java code of its own, so no need to do -->
|       <!--  any forbidden API checking against it (it gets confused...) -->

and it's marked skip=true, which made it look optional enough…

Hence debian/patches/91-drop-forbiddenapis-dependency.patch

Next issue:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO] 
| [INFO] Apache Tika parent ................................. SUCCESS [  0.004 
| [INFO] Apache Tika core ................................... SUCCESS [  4.768 
| [INFO] Apache Tika parsers ................................ FAILURE [  0.007 
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] 
| [INFO] 
| [INFO] Total time:  5.829 s
| [INFO] Finished at: 2018-12-31T00:01:51Z
| [INFO] 
| [ERROR] Error resolving version for plugin 'org.codehaus.gmaven:groovy-maven-plugin' from the repositories [local (/home/kibi/hack/bsp/puppetdb-builds/tika.git/debian/maven-repo), central (https://repo.maven.apache.org/maven2)]: Plugin not found in any plugin repository -> [Help 1]

so I've patched it out, as it appears in a profile with the “testSetup”
id, which I thought might not be entirely needed.

Hence debian/patches/92-drop-groovy-maven-plugin-dependency.patch

Next issue:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO] 
| [INFO] Apache Tika parent ................................. SUCCESS [  0.002 
| [INFO] Apache Tika core ................................... SUCCESS [  4.163 
| [INFO] Apache Tika parsers ................................ FAILURE [  0.127 
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] 
| [INFO] 
| [INFO] Total time:  5.366 s
| [INFO] Finished at: 2018-12-31T00:06:02Z
| [INFO] 
| [ERROR] Failed to execute goal on project tika-parsers: Could not resolve dependencies for project org.apache.tika:tika-parsers:jar:1.13: The following artifacts could not be resolved: org.apache.tika:tika-core:jar:tests:debian, org.apache.pdfbox:pdfbox-tools:jar:debian, com.rometools:rome:jar:debian, org.codelibs:jhighlight:jar:debian, com.pff:java-libpst:jar:debian, org.apache.cxf:cxf-rt-rs-client:jar:debian, org.xerial:sqlite-jdbc:jar:debian, com.googlecode.json-simple:json-simple:jar:debian, org.json:json:jar:debian, edu.ucar:netcdf4:jar:debian, edu.ucar:grib:jar:debian, edu.ucar:cdm:jar:debian, edu.ucar:httpservices:jar:debian, org.apache.commons:commons-csv:jar:debian, org.apache.sis.core:sis-metadata:jar:debian, org.opengis:geoapi:jar:debian, com.fasterxml.jackson.core:jackson-core:jar:debian: Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact org.apache.tika:tika-core:jar:tests:debian has not been downloaded from it before. -> [Help 1]

As I've seen other patches marking similar dependencies as optional in
tika-parsers/pom.xml, I've tried to mimic that; unfortunately without
any changes in the output.

Anyway, this is debian/patches/93-mark-parsers-dependencies-as-optional.patch

Some advice on where to go from here would be welcome: does it make
sense to try and get the right hammer to get 1.13 in a buildable state?
Should one try to package 1.20 instead anyway? Please note I haven't even
checked yet what version could work for pantomime-clojure.

(I've cc'ed the Puppet Package Maintainers on this mail for wider reach.)

Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

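The four POM edits the mail above makes by hand (patches 90 to 93: add a missing junit version, drop the forbiddenapis and groovy-maven-plugin plugins, mark dependencies optional) are all mechanical, and doing them programmatically makes it easy to re-apply them on the next upstream import. The following is an added example written for this page, not code from the Debian tika package or from Apache Tika: it edits a POM with the standard library only, so it runs in the same offline setting the Debian build does (nothing is fetched from central). SAMPLE_POM is a constructed stand-in for tika-parsers/pom.xml and the org.example:* coordinates are made up; the plugin coordinates are the ones from the errors quoted above.

```python
# Added illustration, not Debian's tika packaging: SAMPLE_POM is a constructed
# stand-in for tika-parsers/pom.xml and the org.example:* names are made up.
import xml.etree.ElementTree as ET

NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", NS)  # serialise with plain xmlns, not an ns0: prefix

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>sample-parsers</artifactId>
  <version>1.13</version>
  <dependencies>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <scope>test</scope></dependency>
    <dependency><groupId>org.example</groupId><artifactId>rare-format-parser</artifactId>
      <version>debian</version></dependency>
  </dependencies>
  <build><plugins>
    <plugin><groupId>de.thetaphi</groupId><artifactId>forbiddenapis</artifactId>
      <version>2.0</version><configuration><skip>true</skip></configuration></plugin>
    <plugin><artifactId>maven-compiler-plugin</artifactId></plugin>
  </plugins></build>
  <profiles><profile><id>testSetup</id><build><plugins>
    <plugin><groupId>org.codehaus.gmaven</groupId><artifactId>groovy-maven-plugin</artifactId></plugin>
  </plugins></build></profile></profiles>
</project>"""


def q(tag):
    """Qualify a POM element name with the Maven namespace."""
    return "{%s}%s" % (NS, tag)


def coord(elem, default_group=""):
    """groupId:artifactId of a <dependency> or <plugin> element."""
    return "%s:%s" % (elem.findtext(q("groupId")) or default_group,
                      elem.findtext(q("artifactId")) or "")


def unversioned_dependencies(pom_xml):
    """Dependencies with no <version> and no <dependencyManagement> entry here:
    the 'dependencies.dependency.version ... is missing' error above."""
    root = ET.fromstring(pom_xml)
    managed = {coord(d) for d in root.findall("%s/%s/%s" % (
        q("dependencyManagement"), q("dependencies"), q("dependency")))}
    return [coord(d) for d in root.findall("%s/%s" % (q("dependencies"), q("dependency")))
            if d.find(q("version")) is None and coord(d) not in managed]


def set_dependency_version(pom_xml, dep_coord, version):
    """Add <version> to matching dependencies that lack one (patch 90 style)."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(q("dependency")):
        if coord(dep) == dep_coord and dep.find(q("version")) is None:
            ET.SubElement(dep, q("version")).text = version
    return ET.tostring(root, encoding="unicode")


def plugin_coordinates(pom_xml):
    """Every <plugin> in document order; Maven defaults a missing groupId."""
    root = ET.fromstring(pom_xml)
    return [coord(p, "org.apache.maven.plugins") for p in root.iter(q("plugin"))]


def drop_plugin(pom_xml, plugin_coord):
    """Remove a plugin from build, pluginManagement and profiles (patches 91/92 style)."""
    root = ET.fromstring(pom_xml)
    for plugins in list(root.iter(q("plugins"))):
        for plugin in list(plugins.findall(q("plugin"))):
            if coord(plugin, "org.apache.maven.plugins") == plugin_coord:
                plugins.remove(plugin)
    return ET.tostring(root, encoding="unicode")


def mark_optional(pom_xml, coords):
    """Set <optional>true</optional> on the given dependencies (patch 93 style)."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(q("dependency")):
        if coord(dep) in coords:
            opt = dep.find(q("optional"))
            if opt is None:
                opt = ET.SubElement(dep, q("optional"))
            opt.text = "true"
    return ET.tostring(root, encoding="unicode")


def optional_dependencies(pom_xml):
    """Coordinates of dependencies currently marked optional."""
    root = ET.fromstring(pom_xml)
    return [coord(d) for d in root.iter(q("dependency")) if d.findtext(q("optional")) == "true"]


if __name__ == "__main__":
    print("unversioned:", unversioned_dependencies(SAMPLE_POM))
    pom = set_dependency_version(SAMPLE_POM, "junit:junit", "4.x")
    for plugin in ("de.thetaphi:forbiddenapis", "org.codehaus.gmaven:groovy-maven-plugin"):
        pom = drop_plugin(pom, plugin)
    pom = mark_optional(pom, {"org.example:rare-format-parser"})
    print("plugins left:", plugin_coordinates(pom), "optional:", optional_dependencies(pom))
```

Two caveats a reviewer of such patches would want recorded in the patch headers. Dropping a build plugin removes whatever that plugin checked: forbiddenapis only lints for disallowed JDK calls, so losing it costs nothing at runtime, but the same one-liner applied to a test or verification plugin would silently weaken the build. And `<optional>true</optional>` only keeps a dependency from being inherited transitively by downstream consumers; stock Maven still resolves it for the module that declares it, which is why marking the tika-parsers dependencies optional leaves the "could not be resolved" error unchanged, and why those artifacts either need packaging or need to be removed from the POM outright.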