I'm sorry for taking so long to get back to you. After discussing with fellow devs, we'd prefer not to open a separate CVE for each item. In looking at the items you helpfully gathered, we can categorize by type of problem and file formats affected. I don't think we need to open a CVE for NPE or other parse exceptions (61286, 61287, 61059, pull53). For the others, we could open a single CVE based on the poi-release (hey, these are now fixed in version 3.17) or we might open two -- one for permanent hangs, one for OOM? My preference would be one CVE based on POI release.
A full description in that one CVE will allow users to determine if 3.17 would protect them based on file type -- your main goal, right? To fellow Devs and David, how does this sound?

DETAILS: This is my understanding, please let me know if I've missed any or misunderstood the impacts.

61338 permanent hang: WMF
61295 OOM: doc, ppt, xls
61294 permanent hang: macros, wmf, emf, msg
52372 OOM: doc, ppt, xls
61286, 61287, 61059, pull 53 -- not an OOM or permahang

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, September 19, 2017 2:44 PM
To: [email protected]
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released

On 2017-09-19 07:56, "Allison, Timothy B." <[email protected]> wrote:
> David,
> Thank you for raising this issue. If fellow devs are +1, I can fill out
> the paper work. Single CVE or multiple?
>

My suggestion would be one CVE for each issue. That way if a consuming project isn't affected by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer doesn't use) they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since 3.16:

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too serious.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
