Bug 15351

Summary: apache-poi new security issue CVE-2014-9527
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/634455/
Whiteboard: has_procedure advisory MGA4-32-OK mga4-64-ok
Source RPM: apache-poi-3.10.1-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-24 18:51:44 CET 
Fedora has issued an advisory on February 15:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150228.html

Fedora changes and patch synced into Mageia 4 and Cauldron SVN.

Freeze push requested for Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-02-25 13:55:18 CET 
Patched packages uploaded for Mageia 4 and Cauldron.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated apache-poi packages fixes security vulnerability:

A denial of service flaw was found in the way the HSLFSlideShow class
implementation in Apache POI handled certain PPT files. A remote attacker
could submit a specially crafted PPT file that would cause Apache POI to hang
indefinitely (CVE-2014-9527).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9527
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150228.html
========================

Updated package in core/updates_testing:
========================
apache-poi-3.10.1-1.1.mga4
apache-poi-javadoc-3.10.1-1.1.mga4
apache-poi-manual-3.10.1-1.1.mga4

from apache-poi-3.10.1-1.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-02-25 15:26:12 CET 
Installs/upgrades fine on Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 claire robinson 2015-02-25 22:00:56 CET 
Testing complete mga4 64

Agree with the testing, it's a java package and this is usually about all we can do with them. I experimented with some examples but had no joy.



Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2015-02-25 22:06:23 CET 
Fortunately this particular package has a build-time testsuite, so we can have a little bit more confidence in it at least.
Comment 5 Mageia Robot 2015-02-26 09:27:33 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0087.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED