Mageia Bugzilla – Bug 6011
poi new security issue CVE-2012-0213
Last modified: 2013-02-09 13:58:55 CET
Advisories have been issued by Debian and Fedora:
http://www.debian.org/security/2012/dsa-2468 (May 9)
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080633.html (May 11)
It appears there is an obsolete older version of this software in a package called jakarta-poi which should be removed. This package also exists in Mageia 1.
There are also a couple of other obsolete packages with jakarta-* names that look like they should have been obsoleted by the apache-* ones, commons-fileupload and commons-logging.
This bug was filed against cauldron, but we do not have cauldron at the moment.
Please report whether this bug is still valid for Mageia 2.
We can't remove jakarta-*; we need to port apps to use it first (different API).
But this is on my TODO.
Update is ready on svn, will be pushed as soon as tests are fixed.
OK. If we can't obsolete the jakarta ones for now, jakarta-poi will need an update as well then I presume.
Built so far:
Updated apache-poi for Mageia 1
Updates for jakarta-poi if it is also affected by this issue
D Morgan, is jakarta-poi affected by this?
pushed on the BS
Mageia 1 is EOL, so removing that from the whiteboard.
D Morgan is investigating if we need to keep jakarta-poi in Cauldron.
D Morgan patched jakarta-poi in Mageia 2.
I'll assign to QA once jakarta-poi is resolved in Cauldron.
Built for this update:
jakarta-poi removed from Cauldron.
Assigning to QA. As with the other Java package updates from last year, testing that they install fine should be sufficient.
Updated apache-poi and jakarta-poi packages fix security vulnerability:
It was discovered that Apache POI, a Java implementation of the Microsoft Office file formats, would allocate arbitrary amounts of memory when processing crafted documents. This could impact the stability of the Java virtual machine (CVE-2012-0213).
Updated packages in core/updates_testing:
No PoC, so just testing that jackrabbit works with the updates.
Gave up trying to figure out jackrabbit, so now I'm just trying to test apache-poi directly. From https://poi.apache.org/spreadsheet/examples.html I ran
java BusinessPlan -xls
and it fails with ...
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong name: org/apache/poi/ss/examples/BusinessPlan)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.security.AccessController.doPrivileged(Native Method)
Is that a regression?
I get 65 errors with javac BusinessPlan.java and 72 errors with javac CalendarDemo.java and they don't create executables.
It is not a regression though. Not entirely sure we're using it properly.
This Java stuff is tricky. If it's not a regression, let's push this.
This might help though, this:
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong
is because of this at the top of the java file:
What it means is that it expects the file not to be named BusinessPlan.java in the current working directory, but rather:
Commented that line and it still gives errors with javac for me. No PoC so I think we'll just have to validate on the basis that the update installs ok, as you suggested.
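The "wrong name" error discussed in the two comments above comes from the package declaration at the top of the example source: the JVM expects a class declared in package org.apache.poi.ss.examples to be loaded from org/apache/poi/ss/examples/BusinessPlan.class relative to a classpath root, not from the current directory. The following script is an added example, not part of this bug report or of the Apache POI project; it reads the package declaration from a constructed BusinessPlan.java, checks whether the file sits in the matching directory, moves it there if not, and prints the javac/java invocations that layout needs. The path /path/to/poi.jar is a placeholder for wherever the packaged POI jar is installed.

```shell
#!/bin/sh
# Added example: check and repair the source-directory layout implied by a
# Java "package" declaration. Not code from the bug report or from Apache POI.

# Print the directory implied by the package declaration in file $1,
# e.g. "package org.apache.poi.ss.examples;" -> "org/apache/poi/ss/examples".
# Prints nothing for a file in the default (unnamed) package.
package_dir() {
    sed -n 's/^[[:space:]]*package[[:space:]]\{1,\}\([A-Za-z0-9_.]*\)[[:space:]]*;.*/\1/p' "$1" \
        | head -n 1 | tr . /
}

# Succeed (exit 0) if the relative path $1 already matches its package,
# i.e. the file is at <package-as-dirs>/<File>.java; fail (exit 1) otherwise.
layout_ok() {
    dir=$(package_dir "$1")
    base=$(basename "$1")
    if [ -n "$dir" ]; then
        expected="$dir/$base"
    else
        expected="$base"
    fi
    [ "$1" = "$expected" ]
}

# Move file $1 (in the current directory) under the directory its package
# implies, so that "java -cp . <package>.<Class>" can find the compiled class.
fix_layout() {
    dir=$(package_dir "$1")
    [ -n "$dir" ] || return 0        # default package: nothing to do
    mkdir -p "$dir" && mv "$1" "$dir/$(basename "$1")"
}

# Demo on a constructed input that reproduces the situation from the report:
# a packaged class saved as a bare file in the working directory.
work=$(mktemp -d)
cd "$work"
printf '%s\n' \
    'package org.apache.poi.ss.examples;' \
    '' \
    'public class BusinessPlan {' \
    '    public static void main(String[] args) { System.out.println("ok"); }' \
    '}' > BusinessPlan.java

if layout_ok BusinessPlan.java; then
    echo "layout already correct"
else
    echo "BusinessPlan.java is in $(pwd) but its package expects $(package_dir BusinessPlan.java)/"
    fix_layout BusinessPlan.java
    echo "moved to org/apache/poi/ss/examples/BusinessPlan.java"
fi

# The constructed class has no POI dependency, so compile and run it if a
# JDK happens to be installed; otherwise just show the commands.
if command -v javac >/dev/null 2>&1 && command -v java >/dev/null 2>&1; then
    javac org/apache/poi/ss/examples/BusinessPlan.java \
        && java -cp . org.apache.poi.ss.examples.BusinessPlan
fi
echo "For the real POI example (jar path is a placeholder):"
echo "  javac -cp /path/to/poi.jar org/apache/poi/ss/examples/BusinessPlan.java"
echo "  java -cp .:/path/to/poi.jar org.apache.poi.ss.examples.BusinessPlan -xls"

cd / && rm -rf "$work"
```

Running the script from a scratch directory shows the same failure mode as in the report (file in the wrong place) followed by the corrected layout; the point for testing an update is that the class must be invoked by its fully qualified name with the classpath root and the POI jar on -cp, which is not a regression in the package.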
Advisory & srpms in comment 8
Could sysadmin please push from core/updates_testing to core/updates