[CVE-2016-5000] XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example

2016-07-22 Thread Tim Allison
CVE-2016-5000: XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example

Severity: Important 

Vendor: The Apache Software Foundation 

Versions Affected: POI 3.5-3.13 

Description: 

Apache POI's XLSX2CSV example uses Java's XML components to parse OpenXML 
files. Applications and users that use XLSX2CSV and accept such files from 
end-users are vulnerable to XML External Entity (XXE) attacks, which allow 
remote attackers to bypass security restrictions and read arbitrary files via a 
crafted OpenXML document that provides an XML external entity declaration in 
conjunction with an entity reference.

Mitigation: Upgrade to 3.14 or higher 


Credit: This issue was discovered by Mauro Gentile of Minded Security.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org
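The advisory above describes the bug class but not the parser settings that cause or prevent it. The following is an added example, not code from the advisory or from Apache POI's own XLSX2CSV or its fix: it builds a constructed worksheet part that declares an external entity pointing at a temporary file (standing in for a file like /etc/passwd), parses it once with a default JDK SAX reader and once with a reader hardened against XXE, and shows the difference. The feature names are the standard SAX and Xerces feature URIs supported by the JDK's built-in parser; the class and method names are the example's own.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not Apache POI code): XXE through an OpenXML part, and a hardened SAX setup.
 */
public class XxeDemo {

    /** Collects character data so we can see whether the entity reference was expanded. */
    static class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    /** A reader as a naive application might build it: namespace-aware, no entity restrictions. */
    static XMLReader unsafeReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newSAXParser().getXMLReader();
    }

    /** Hardened reader: refuse any DOCTYPE (OOXML parts never legitimately carry one), plus defence in depth. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Even if a DTD were allowed through, never fetch an external resource for an entity.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    /** Parses the document with the given reader and returns the concatenated text content. */
    static String parse(XMLReader reader, String xml) throws Exception {
        TextCollector handler = new TextCollector();
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(xml)));
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file that the attacker wants to exfiltrate via the parser.
        File secret = File.createTempFile("xxe-secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "contents-of-a-local-file".getBytes(StandardCharsets.UTF_8));

        // Constructed malicious sheet part: an external entity declaration plus a reference to it
        // inside an inline string cell, which is exactly where XLSX2CSV reads text from.
        String evilSheet = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE worksheet [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n"
                + "<worksheet xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\">"
                + "<sheetData><row r=\"1\"><c r=\"A1\" t=\"inlineStr\"><is><t>&xxe;</t></is></c></row>"
                + "</sheetData></worksheet>";

        System.out.println("unsafe reader, cell A1 text: " + parse(unsafeReader(), evilSheet));

        try {
            String text = parse(hardenedReader(), evilSheet);
            System.out.println("hardened reader, cell A1 text: '" + text + "'");
        } catch (SAXException e) {
            System.out.println("hardened reader rejected the document: " + e.getMessage());
        }
    }
}
```

With the unhardened reader the cell text is the content of the temporary file, which is the file-read primitive the advisory describes. With the hardened reader the parse stops at the DOCTYPE with a SAXParseException before any entity is declared; the remaining feature settings and the empty EntityResolver only matter for parsers or configurations where a DTD cannot be rejected outright. Applications that feed user-supplied OpenXML into their own SAX or DOM parsers need the same settings regardless of which POI version they run, since the advisory's fix covers only the XLSX2CSV example itself.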



[Bug 59738] Excel Files generated using XSSFWorkbook can't be opened using Ms-Excel or OpenOffice

2016-07-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59738

--- Comment #10 from Dominik Stadler  ---
Created attachment 34061
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34061&action=edit
Difference that causes Excel to report the file as "broken"

It seems with Xalan you get some different XML parser as well and this way the
namespace handling is broken, see the attached image.

-- 
You are receiving this mail because:
You are the assignee for the bug.




Re: 3.15 beta 3 soon?

2016-07-22 Thread Dominik Stadler
Hi,

The first one is fixed, at least in a way that allows to do a release, see
https://bz.apache.org/bugzilla/show_bug.cgi?id=59739

The second one should be fixed via r1746858 or r1750034

I will do a re-run of the regression tests as soon as we start
release-preparations. This will show if both issues are fixed for good as I
usually compare against the last GA release, i.e. 3.14 currently.

Dominik.

On Fri, Jul 22, 2016 at 3:36 AM, Javen O'Neal  wrote:

> Have we taken care of these issues preventing Tika from using POI 3.15 beta
> 2...
>
> http://apache-poi.1045710.n5.nabble.com/VOTE-Apache-POI-3-15-beta2-release-RC1-tp5723676p5723705.html
>
> and "we have finished discussing how it should be done in the long run."
>
> http://apache-poi.1045710.n5.nabble.com/VOTE-Apache-POI-3-15-beta2-release-RC1-tp5723676p5723705.html
>
> If not, we can always punt to 3.15 beta 4/final.
>
> On Jul 21, 2016 4:28 PM, "Nick Burch"  wrote:
>
> > On Fri, 22 Jul 2016, Andreas Beeker wrote:
> >
> >> When are your current tasks completed (e.g. in-place-writing...)?
> >>
> >
> > In-place write + write-to-File is now done for HSSF + HSLF + HPSF. That's
> > probably enough for now. Once we've got some feedback, we can add it to
> > HWPF, then decide how to do the same for X??F without breaking too much
> > backwards compatibility + solving that "close may change things" unexpected
> > issue
> >
> >> Who will roll the release? As usual, I'll be the fallback (as long as my
> >> key is valid ...)
> >>
> >
> > Anyone else want to give the docs a try? :)
> >
> > Nick
> >


[Bug 59793] "Rule M2.4 exception : this error should NEVER happen!" error message is still being triggered even with POI v3.14

2016-07-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59793

Dominik Stadler  changed:

   What|Removed |Added

 Status|NEEDINFO|RESOLVED
 Resolution|--- |WORKSFORME

--- Comment #5 from Dominik Stadler  ---
Please reopen this bug if you can provide some more information here, currently
there is not much we can do without the actual file that triggers this.
