| Summary: | poi new security issue CVE-2012-0213 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, dmorganec, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/496767/ | ||
| Whiteboard: | |||
| Source RPM: | apache-poi-3.8-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-05-21 19:21:22 CEST

Comment 1
David Walser
2012-05-21 19:21:30 CEST
CC: (none) => dmorganec

Comment 2
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment. Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja

Keywords: (none) => NEEDINFO

Comment 3
David Walser
2012-06-13 23:48:24 CEST
Keywords: NEEDINFO => (none)

Comment 4
We can't remove jakarta-*; we need to port apps to use it first (different API). But this is on my TODO.

Update is ready on svn, will be pushed as soon as tests are fixed.

Comment 5
OK. If we can't obsolete the jakarta ones for now, jakarta-poi will need an update as well then, I presume.

Built so far:
apache-poi-3.8-1.1.mga2.noarch.rpm
apache-poi-javadoc-3.8-1.1.mga2.noarch.rpm
apache-poi-manual-3.8-1.1.mga2.noarch.rpm

from apache-poi-3.8-1.1.mga2.src.rpm

Still pending:
Updated apache-poi for Mageia 1
Updates for jakarta-poi if it is also affected by this issue

D Morgan, is jakarta-poi affected by this?

Assignee: bugsquad => dmorganec

Comment 6
Pushed on the BS.

Comment 7
Mageia 1 is EOL, so removing that from the whiteboard.

D Morgan is investigating if we need to keep jakarta-poi in Cauldron. D Morgan patched jakarta-poi in Mageia 2. I'll assign to QA once jakarta-poi is resolved in Cauldron.

Built for this update:
apache-poi-3.8-1.1.mga2
apache-poi-javadoc-3.8-1.1.mga2
apache-poi-manual-3.8-1.1.mga2
jakarta-poi-3.1-0.0.4.1.mga2
jakarta-poi-javadoc-3.1-0.0.4.1.mga2
jakarta-poi-manual-3.1-0.0.4.1.mga2

from SRPMS:
apache-poi-3.8-1.1.mga2.src.rpm
jakarta-poi-3.1-0.0.4.1.mga2.src.rpm

Whiteboard: MGA2TOO, MGA1TOO => MGA2TOO

Comment 8
jakarta-poi removed from Cauldron. Assigning to QA.

As with the other Java package updates from last year, testing that they install fine should be sufficient.

Advisory:
========================

Updated apache-poi and jakarta-poi packages fix security vulnerability:

It was discovered that Apache POI, a Java implementation of the Microsoft Office file formats, would allocate arbitrary amounts of memory when processing crafted documents. This could impact the stability of the Java virtual machine (CVE-2012-0213).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0213
http://www.debian.org/security/2012/dsa-2468
========================

Updated packages in core/updates_testing:
========================
apache-poi-3.8-1.1.mga2
apache-poi-javadoc-3.8-1.1.mga2
apache-poi-manual-3.8-1.1.mga2
jakarta-poi-3.1-0.0.4.1.mga2
jakarta-poi-javadoc-3.1-0.0.4.1.mga2
jakarta-poi-manual-3.1-0.0.4.1.mga2

from SRPMS:
apache-poi-3.8-1.1.mga2.src.rpm
jakarta-poi-3.1-0.0.4.1.mga2.src.rpm

Version: Cauldron => 2
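The bug class the advisory describes is a size field read from the document deciding how much memory the parser allocates. The following is an added example in Java and is not Apache POI's code: a toy length-prefixed record format, constructed here for illustration, read once the vulnerable way and once with the bounds a hardened parser applies before allocating. The class, method and constant names (RecordLengthDemo, readRecordUnchecked, readRecordChecked, MAX_RECORD_BYTES) and the sample documents are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.ByteBuffer;

/*
 * Added example, not Apache POI code. The record format is constructed for
 * illustration: [int32 big-endian length][length bytes of payload].
 */
public class RecordLengthDemo {

    // Hypothetical cap on a single record. A real parser derives its limit
    // from the format or the file size instead of trusting the header.
    static final int MAX_RECORD_BYTES = 16 * 1024 * 1024;

    /** Vulnerable pattern: the length field from the document sizes the allocation. */
    static byte[] readRecordUnchecked(byte[] document) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(document));
        int len = in.readInt();
        byte[] payload = new byte[len]; // attacker-chosen; the JVM tries to reserve len bytes
        in.readFully(payload);          // only now do we learn the payload was never there
        return payload;
    }

    /** Hardened pattern: check the length against the cap and the bytes actually present. */
    static byte[] readRecordChecked(byte[] document) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(document));
        int len = in.readInt();
        long remaining = (long) document.length - 4; // bytes after the length field
        if (len < 0 || len > MAX_RECORD_BYTES || len > remaining) {
            throw new IOException("record length " + len + " out of bounds ("
                    + remaining + " bytes available)");
        }
        byte[] payload = new byte[len]; // bounded by both the cap and the input
        in.readFully(payload);
        return payload;
    }

    /** Build a constructed document whose header may lie about the payload size. */
    static byte[] document(int declaredLength, byte[] payload) {
        ByteBuffer buf = ByteBuffer.allocate(4 + payload.length);
        buf.putInt(declaredLength);
        buf.put(payload);
        return buf.array();
    }

    static void tryUnchecked(String label, byte[] doc) {
        try {
            byte[] p = readRecordUnchecked(doc);
            System.out.println(label + ": unchecked reader returned " + p.length + " bytes");
        } catch (OutOfMemoryError e) {
            // An Error, not an Exception: a parser's usual catch (IOException) never sees it.
            System.out.println(label + ": unchecked reader hit OutOfMemoryError");
        } catch (EOFException e) {
            System.out.println(label + ": unchecked reader allocated the declared size, then hit EOF");
        } catch (IOException e) {
            System.out.println(label + ": unchecked reader failed: " + e);
        }
    }

    static void tryChecked(String label, byte[] doc) {
        try {
            byte[] p = readRecordChecked(doc);
            System.out.println(label + ": checked reader returned " + p.length + " bytes");
        } catch (IOException e) {
            System.out.println(label + ": checked reader rejected it: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        byte[] payload = {1, 2, 3, 4};
        // Constructed inputs: an honest header, a plausible but lying header,
        // and a header asking for the largest array the JVM will attempt.
        byte[] honest = document(4, payload);
        byte[] truncated = document(1000000, payload);
        byte[] huge = document(Integer.MAX_VALUE - 8, payload);

        tryChecked("honest", honest);
        tryChecked("truncated", truncated);
        tryChecked("huge", huge);

        tryUnchecked("honest", honest);
        tryUnchecked("truncated", truncated);
        tryUnchecked("huge", huge); // attempts a ~2 GiB allocation from four bytes of input
    }
}
```

The file has no package declaration and no POI dependency, so `javac RecordLengthDemo.java && java -Xmx256m RecordLengthDemo` from the working directory is enough; the small heap makes the last case fail with OutOfMemoryError reliably instead of depending on how much RAM the machine has. Catching OutOfMemoryError is only for the demo: in a real service the Error escapes ordinary IOException handling and takes the thread, or the JVM, down, which is the stability impact the advisory describes. The checked reader rejects both crafted documents before allocating anything, because the declared length is compared to the bytes actually available as well as to a fixed cap.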
Comment 9
David Walser
2013-02-08 01:08:15 CET
Severity: normal => major

Comment 10
No PoC, so just testing that jackrabbit works with the updates.

CC: (none) => davidwhodgins

Comment 11
Gave up trying to figure out jackrabbit, so now I'm just trying to test apache-poi directly.

From https://poi.apache.org/spreadsheet/examples.html I ran

```
wget http://svn.apache.org/repos/asf/poi/trunk/src/examples/src/org/apache/poi/ss/examples/BusinessPlan.java
javac BusinessPlan.java
java BusinessPlan -xls
```

and it fails with

```
...
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong name: org/apache/poi/ss/examples/BusinessPlan)
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
        at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:480)
```

Suggestions?

Whiteboard: (none) => feedback

Comment 12
Is that a regression? I get 65 errors with javac BusinessPlan.java and 72 errors with javac CalendarDemo.java, and they don't create executables. It is not a regression though. Not entirely sure we're using it properly. WDYT?

Comment 13
This Java stuff is tricky. If it's not a regression, let's push this.

This might help though. This:

```
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong name: org/apache/poi/ss/examples/BusinessPlan)
```

is because of this at the top of the java file:

```
package org.apache.poi.ss.examples;
```

What it means is, it expects the file not to be named BusinessPlan.java in the current working directory, but rather:
org/apache/poi/ss/examples/BusinessPlan/BusinessPlan.java

Comment 14
Commented that line and it still gives errors with javac for me.

No PoC, so I think we'll just have to validate on the basis that the update installs OK, as you suggested.

Validating. Advisory & SRPMs in comment 8.

Could sysadmin please push from core/updates_testing to core/updates. Thanks!

Keywords: (none) => validated_update

Comment 15
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0044

Status: NEW => RESOLVED