Bug 14128 - apache-poi new security issues CVE-2014-3529 and CVE-2014-3574
Summary: apache-poi new security issues CVE-2014-3529 and CVE-2014-3574
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/612578/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-19 17:16 CEST by David Walser
Modified: 2014-12-26 18:05 CET
CC List: 3 users

See Also:
Source RPM: apache-poi-3.9-2.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-09-19 17:16:31 CEST
Fedora has issued an advisory on September 9:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137802.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-19 17:16:37 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-29 16:05:34 CET
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-24 22:43:34 CET
Probably on its way back to Cauldron, but it has been re-synced with Fedora 21 in Cauldron SVN, updating it to 3.10.1 and fixing this.

Update synced with Fedora 20 checked into Mageia 4 SVN.

Comment 3 David Walser 2014-12-24 23:43:32 CET
Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated apache-poi packages fix security vulnerabilities:

It was found that Apache POI would resolve entities in OOXML documents. A
remote attacker able to supply OOXML documents that are parsed by Apache POI
could use this flaw to read files accessible to the user running the
application server, and potentially perform other more advanced XXE attacks
(CVE-2014-3529).

It was found that Apache POI would expand an unlimited number of entities in
OOXML documents. A remote attacker able to supply OOXML documents that are
parsed by Apache POI could use this flaw to trigger a denial of service
attack via excessive CPU and memory consumption (CVE-2014-3574).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137802.html
========================

Updated package in core/updates_testing:
========================
apache-poi-3.10.1-1.mga4
apache-poi-javadoc-3.10.1-1.mga4
apache-poi-manual-3.10.1-1.mga4

from apache-poi-3.10.1-1.mga4.src.rpm

Assignee: dmorganec => qa-bugs
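
As an added illustration, not part of this bug report and not Apache POI's own code: both flaws in the advisory above depend on a DTD being present in an OOXML part, since external entities (CVE-2014-3529) and runaway entity expansion (CVE-2014-3574) are only possible once entities can be declared. OOXML parts never legitimately carry a DTD, so an application that feeds untrusted documents to a library can gate them first. The Python below opens an OOXML package (a zip), parses every XML part with expat configured never to load external parameter entities, and rejects any part that declares a DOCTYPE, an entity, or references an external entity. The package layout and the two sample `word/document.xml` parts are constructed for the example; the function and exception names are the example's own.

```python
import io
import zipfile
import xml.parsers.expat as expat

# Constructed sample parts (not taken from the bug report or any real document).
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
</Types>
"""

CLEAN_DOCUMENT = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body>
</w:document>
"""

# Same part, but carrying a DTD with an entity declaration. A well-formed OOXML
# part never has one, and a DTD is the precondition for both CVEs above.
DTD_DOCUMENT = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE w:document [
  <!ENTITY greeting "hello">
]>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>&greeting;</w:t></w:r></w:p></w:body>
</w:document>
"""


class UnsafeXmlPart(Exception):
    """Raised when an XML part contains a DTD or entity construct."""


def check_xml_part(data: bytes) -> None:
    """Parse one XML part with expat and refuse any DTD-related construct.

    The parser is told never to load external parameter entities, and every
    handler that can only fire because a DTD is present raises instead of
    letting parsing continue.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlPart(f"DOCTYPE declaration for {name!r}")

    def on_entity_decl(name, *_):
        raise UnsafeXmlPart(f"ENTITY declaration for {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlPart(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def check_ooxml(blob: bytes) -> list:
    """Return rejected part names with reasons; an empty list means no XML
    part in the package carries a DTD construct."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith((".xml", ".rels")):
                continue
            try:
                check_xml_part(zf.read(info))
            except (UnsafeXmlPart, expat.ExpatError) as exc:
                # Malformed XML is rejected as well: nothing downstream should see it.
                rejected.append(f"{info.filename}: {exc}")
    return rejected


def build_docx(document_xml: str) -> bytes:
    """Assemble a minimal constructed .docx-style package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, part in (("clean", CLEAN_DOCUMENT), ("with DTD", DTD_DOCUMENT)):
        problems = check_ooxml(build_docx(part))
        verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{label}: {verdict}")
```

Rejecting the DOCTYPE outright, rather than trying to bound entity expansion, is the simpler rule: without a DTD there are no custom entities to resolve or expand. This gate complements, but does not replace, updating the library itself to a fixed version such as the 3.10.1 packages listed above.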

Comment 4 Herman Viaene 2014-12-26 10:58:56 CET
MGA4-64 on HP Probook 6555b KDE.
Found out that apache-poi-3.10.1-1.mga4 was already installed (most probably from testing bug 13870 - resteasy), so the javadoc and manual were installed now. No issues.

Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene

Comment 5 Herman Viaene 2014-12-26 11:03:55 CET
MGA4-32 on Acer D620 Xfce.
Same remark as above, no installation issues.

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 6 claire robinson 2014-12-26 11:12:46 CET
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 7 Mageia Robot 2014-12-26 18:05:48 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0550.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

