[
https://issues.apache.org/jira/browse/COMPRESS-661?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Veit updated COMPRESS-661:
------------------------------------
Description:
Apache Commons Compress 1.26.0 fixes
* https://www.cve.org/CVERecord?id=CVE-2024-25710 and
* https://www.cve.org/CVERecord?id=CVE-2024-26308.
We have tried to replace Apache Commons Compress 1.25.0 with 1.26.0 in our
deployments in order to fix these security vulnerabilities. But unfortunately
now Apache Tika is broken:
{noformat}
org.apache.tika.exception.TikaException: TIKA-198: Illegal IOException from
org.apache.tika.parser.iwork.IWorkPackageParser@41fcb910
at
app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:304)
at
app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
at
app//org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:203)
at app//org.apache.tika.Tika.parseToString(Tika.java:525)
at app//org.apache.tika.Tika.parseToString(Tika.java:495)
at ...
Caused by: java.io.IOException: Resetting to invalid mark
at java.base/java.io.BufferedInputStream.reset(BufferedInputStream.java:446)
at
org.apache.tika.parser.iwork.IWorkPackageParser.parse(IWorkPackageParser.java:97)
at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
... 42 more
{noformat}
was:
Apache Commons Compress 1.26.0 fixes
* https://www.cve.org/CVERecord?id=CVE-2024-25710 and
* https://www.cve.org/CVERecord?id=CVE-2024-26308.
We have tried to replace Apache Commons Compress 1.25.0 with 1.26.0 in our
deployments in order to fix these security vulnerabilities. But unfortunately
now Apache Tika is broken:
{code:text}
org.apache.tika.exception.TikaException: TIKA-198: Illegal IOException from
org.apache.tika.parser.iwork.IWorkPackageParser@41fcb910
at
app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:304)
at
app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
at
app//org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:203)
at app//org.apache.tika.Tika.parseToString(Tika.java:525)
at app//org.apache.tika.Tika.parseToString(Tika.java:495)
at ...
Caused by: java.io.IOException: Resetting to invalid mark
at java.base/java.io.BufferedInputStream.reset(BufferedInputStream.java:446)
at
org.apache.tika.parser.iwork.IWorkPackageParser.parse(IWorkPackageParser.java:97)
at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
... 42 more
{code}
> commons-compress 1.26.0 breaks Apache Tika 2.9.1
> ------------------------------------------------
>
> Key: COMPRESS-661
> URL: https://issues.apache.org/jira/browse/COMPRESS-661
> Project: Commons Compress
> Issue Type: Bug
> Components: Compressors
> Affects Versions: 1.26.0
> Reporter: Alexander Veit
> Priority: Critical
>
> Apache Commons Compress 1.26.0 fixes
> * https://www.cve.org/CVERecord?id=CVE-2024-25710 and
> * https://www.cve.org/CVERecord?id=CVE-2024-26308.
> We have tried to replace Apache Commons Compress 1.25.0 with 1.26.0 in our
> deployments in order to fix these security vulnerabilities. But unfortunately
> now Apache Tika is broken:
> {noformat}
> org.apache.tika.exception.TikaException: TIKA-198: Illegal IOException from
> org.apache.tika.parser.iwork.IWorkPackageParser@41fcb910
> at
> app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:304)
> at
> app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
> at
> app//org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:203)
> at app//org.apache.tika.Tika.parseToString(Tika.java:525)
> at app//org.apache.tika.Tika.parseToString(Tika.java:495)
> at ...
> Caused by: java.io.IOException: Resetting to invalid mark
> at
> java.base/java.io.BufferedInputStream.reset(BufferedInputStream.java:446)
> at
> org.apache.tika.parser.iwork.IWorkPackageParser.parse(IWorkPackageParser.java:97)
> at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
> ... 42 more
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
