Y, I think that issue was raised during early regression tests, and it seemed to make sense.
The new readPictures exception was caused by: https://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java?r1=1911524&r2=1911525&; on August 7. I still can't explain why this didn't show up in the regression tests in late September. My only guess is that I didn't correctly swap out the tika-app jar version from the bin/ directory. :( I'm not sure if it is better to arbitrarily set the max override to a large value or revert the POI upgrade. On Sat, Oct 14, 2023 at 7:27 AM Tilman Hausherr <[email protected]> wrote: > Also many changes in excel files, e.g. ZDAC5OCEPVR6AHYY3BU3CZS7UX3F6J4Z, > "false: 107382" becomes "0: 107382" so I guess there has been a change > about how to interpret that value. Also "error" is now nothing. > > Tilman > > On 14.10.2023 13:16, Tim Allison wrote: > > Looks like we have a bunch of new > "org.apache.poi.util.RecordFormatException: Tried to allocate an array of > length 10,xxx,xxx, but the maximum length for this record type is > 10,000,000." triggered by: > org.apache.poi.hslf.usermodel.HSLFSlideShowImpl.readPictures ... I'm not > sure why the regression tests didn't pick this up. > > The changes in rfc822 detection have also had some effects. The few > handfuls that I've reviewed are actually positive changes. I'll review > systematically on Monday. > > On Sat, Oct 14, 2023 at 6:35 AM Tim Allison <[email protected]> wrote: > >> Reports are here: >> https://corpora.tika.apache.org/base/reports/tika-2.9.1-reports.tgz >> >> I haven't had a chance to look at them yet. :( Will take a look early >> Monday (ET). >> >> On Wed, Oct 11, 2023 at 10:24 AM Tim Allison <[email protected]> wrote: >> >>> Unless there are objections, I'll kick off the 2.9.1 regression tests >>> shortly. I just cherry-picked TIKA-4153 into 2.x...will be interesting to >>> see how that works. >>> >>> Best, >>> >>> Tim >>> >>> On Tue, Oct 10, 2023 at 1:37 PM Tim Allison <[email protected]> wrote: >>> >>>> All, >>>> Nandita's email didn't go through for some reason. >>>> Seems reasonable to kick off a 2.9.1 release cycle? What do you >>>> think? >>>> >>>> Best, >>>> >>>> Tim >>>> >>>> >>>> >>>> *From:* Nandita Mohan >>>> *Sent:* Monday, October 9, 2023 3:41 PM >>>> *To:* [email protected] >>>> *Subject:* Requesting Tika Server release: commons-compress >>>> vulnerability >>>> >>>> >>>> >>>> Hi there, >>>> >>>> >>>> >>>> I work on a service which needs to upgrade our images due to this >>>> vulnerability in Apache *commons-compress*: Apache Commons Compress >>>> denial of service vulnerability · CVE-2023-42503 · GitHub Advisory Database >>>> <https://github.com/advisories/GHSA-cgwf-w82q-5jrr> >>>> >>>> >>>> >>>> This is due to use of Tika Server 2.9.0 (Apache Tika – Apache Tika 1.27 >>>> <https://tika.apache.org/2.9.0/index.html>), which has >>>> commons-compress as a dependency. I saw that Tim Allison recently updated >>>> this* commons-compress* version in the Github mirror repo: TIKA-4123 >>>> -- general updates for 3.0.0-BETA -- upgrade commons-compress · >>>> apache/tika@3c88246 (github.com) >>>> <https://github.com/apache/tika/commit/3c882460838c818ab2aff310d1fba9a084fe4800> >>>> >>>> >>>> >>>> We would greatly appreciate if this could be released to tika-server >>>> package in the next week , so we can update our images soon from this >>>> vulnerability. >>>> >>>> >>>> >>>> Thanks, >>>> >>>> Nandita Mohan >>>> >>> >
