[ https://issues.apache.org/jira/browse/TIKA-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17818853#comment-17818853 ]
Tim Allison commented on TIKA-4199:
-----------------------------------
As I look at the IWorkPackageParser and the detectType(), I think we should
rework the mark/reset there. There's currently no hard limit on the number of
bytes read when trying to extract the root element. So, it is entirely possible
that more than the mark() value is read. I think we happened to get lucky
earlier, and we're relying on the same luck by doubling the mark value.
> commons-compress 1.26.0 breaks Apache Tika 2.9.1
> ------------------------------------------------
>
> Key: TIKA-4199
> URL: https://issues.apache.org/jira/browse/TIKA-4199
> Project: Tika
> Issue Type: Bug
> Components: parser
> Affects Versions: 2.9.1
> Reporter: Alexander Veit
> Priority: Major
>
> An update to commons-compress 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308
> breaks Tika.
>
> For more information see https://issues.apache.org/jira/browse/COMPRESS-661.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
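
The mark/reset hazard raised in the comment above, as an added example (not Tika code and not part of the original message): reading past the `mark()` limit only sometimes breaks `reset()`, depending on the stream's buffering, while a hard cap tied to the mark value makes it safe by contract. The class name, method names and sample input are hypothetical.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

// Added illustration: class and method names are hypothetical, not Tika code.
public class MarkResetDemo {
    // Reads `wanted` bytes after mark(markLimit) with no cap tied to the mark,
    // then reports whether reset() still works.
    static boolean unboundedSniff(InputStream in, int markLimit, int wanted) throws IOException {
        in.mark(markLimit);
        for (int i = 0; i < wanted && in.read() != -1; i++) { /* consume */ }
        try {
            in.reset();
            return true;
        } catch (IOException e) {   // BufferedInputStream: the mark was invalidated
            return false;
        }
    }

    // Copies at most markLimit bytes, so the read can never outrun the mark;
    // the caller inspects the returned copy instead of the live stream.
    static byte[] boundedSniff(InputStream in, int markLimit) throws IOException {
        in.mark(markLimit);
        byte[] head = new byte[markLimit];
        int n = 0;
        int r;
        while (n < markLimit && (r = in.read(head, n, markLimit - n)) != -1) {
            n += r;
        }
        in.reset();
        return Arrays.copyOf(head, n);
    }

    public static void main(String[] args) throws IOException {
        byte[] data = new byte[256];                  // constructed sample input
        for (int i = 0; i < data.length; i++) data[i] = (byte) i;
        // Default 8192-byte buffer: the whole input is buffered, so reset() happens to work.
        InputStream big = new BufferedInputStream(new ByteArrayInputStream(data));
        System.out.println("large buffer, reset ok: " + unboundedSniff(big, 8, 64));
        // 8-byte buffer: refilling past the limit invalidates the mark.
        InputStream small = new BufferedInputStream(new ByteArrayInputStream(data), 8);
        System.out.println("small buffer, reset ok: " + unboundedSniff(small, 8, 64));
        // Hard limit equal to the mark value: reset() is covered by the mark contract.
        InputStream safe = new BufferedInputStream(new ByteArrayInputStream(data), 8);
        byte[] head = boundedSniff(safe, 8);
        System.out.println("bounded: " + head.length + " bytes, next byte " + safe.read());
    }
}
```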