Bug 6011 - poi new security issue CVE-2012-0213
: poi new security issue CVE-2012-0213
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/496767/
:
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-05-21 19:21 CEST by David Walser
Modified: 2013-02-09 13:58 CET (History)
4 users (show)

See Also:
Source RPM: apache-poi-3.8-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-05-21 19:21:22 CEST
Advisories have been issued by Debian and Fedora:
http://www.debian.org/security/2012/dsa-2468 (May 9)
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080633.html (May 11)

It appears there is an obsolete older version of this software in a package called jakarta-poi which should be removed.  This package also exists in Mageia 1.

There are also a couple of other obsolete packages with jakarta-* names that look like they should have been obsoleted by the apache-* ones, commons-fileupload and commons-logging.
Comment 1 Marja van Waes 2012-05-26 13:09:31 CEST
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment.

Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja
Comment 2 D Morgan 2012-07-04 08:09:33 CEST
we can't remove jakarta-* we need to port apps to use it first ( different API ).
But this is on my TODO.

Update is ready on svn, will be pushed as soon as tests are fixed.
Comment 3 David Walser 2012-07-04 14:59:53 CEST
OK.  If we can't obsolete the jakarta ones for now, jakarta-poi will need an update as well then I presume.
Comment 4 David Walser 2012-07-04 15:06:06 CEST
Built so far:
apache-poi-3.8-1.1.mga2.noarch.rpm
apache-poi-javadoc-3.8-1.1.mga2.noarch.rpm
apache-poi-manual-3.8-1.1.mga2.noarch.rpm
from apache-poi-3.8-1.1.mga2.src.rpm

Still pending:
Updated apache-poi for Mageia 1
Updates for jakarta-poi if it is also affected by this issue
Comment 5 David Walser 2012-12-04 00:23:11 CET
D Morgan, is jakarta-poi affected by this?
Comment 6 D Morgan 2013-02-08 00:12:05 CET
pushed on the BS
Comment 7 David Walser 2013-02-08 00:28:24 CET
Mageia 1 is EOL, so removing that from the whiteboard.

D Morgan is investigating if we need to keep jakarta-poi in Cauldron.

D Morgan patched jakarta-poi in Mageia 2.

I'll assign to QA once jakarta-poi is resolved in Cauldron.

Built for this update:
apache-poi-3.8-1.1.mga2
apache-poi-javadoc-3.8-1.1.mga2
apache-poi-manual-3.8-1.1.mga2
jakarta-poi-3.1-0.0.4.1.mga2
jakarta-poi-javadoc-3.1-0.0.4.1.mga2
jakarta-poi-manual-3.1-0.0.4.1.mga2

from SRPMS:
apache-poi-3.8-1.1.mga2.src.rpm
jakarta-poi-3.1-0.0.4.1.mga2.src.rpm
Comment 8 David Walser 2013-02-08 01:07:22 CET
jakarta-poi removed from Cauldron.

Assigning to QA.  As with the other Java package updates from last year, testing that they install fine should be sufficient.

Advisory:
========================

Updated apache-poi and jakarta-poi packages fix security vulnerability:

It was discovered that Apache POI, a Java implementation of the Microsoft
Office file formats, would allocate arbitrary amounts of memory when
processing crafted documents. This could impact the stability of the Java
virtual machine (CVE-2012-0213).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0213
http://www.debian.org/security/2012/dsa-2468
========================

Updated packages in core/updates_testing:
========================
apache-poi-3.8-1.1.mga2
apache-poi-javadoc-3.8-1.1.mga2
apache-poi-manual-3.8-1.1.mga2
jakarta-poi-3.1-0.0.4.1.mga2
jakarta-poi-javadoc-3.1-0.0.4.1.mga2
jakarta-poi-manual-3.1-0.0.4.1.mga2

from SRPMS:
apache-poi-3.8-1.1.mga2.src.rpm
jakarta-poi-3.1-0.0.4.1.mga2.src.rpm
Comment 9 Dave Hodgins 2013-02-08 03:35:27 CET
No poc, so just testing that jackrabbit works with the updates.
Comment 10 Dave Hodgins 2013-02-08 05:23:25 CET
Gave up trying to figure out jackrabbit, so now I'm just trying to
test apache-poi directly. From 
https://poi.apache.org/spreadsheet/examples.html I ran
wget http://svn.apache.org/repos/asf/poi/trunk/src/examples/src/org/apache/poi/ss/examples/BusinessPlan.java
javac BusinessPlan.java
java BusinessPlan -xls
and it fails with ...
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong name: org/apache/poi/ss/examples/BusinessPlan)
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
        at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:480)

Suggestions?
Comment 11 David Walser 2013-02-08 06:18:12 CET
Is that a regression?
Comment 12 claire robinson 2013-02-09 11:37:20 CET
I get 65 errors with javac BusinessPlan.java and 72 errors with javac CalendarDemo.java and they don't create executables.

It is not a regression though. Not entirely sure we're using it properly.

WDYT?
Comment 13 David Walser 2013-02-09 11:51:18 CET
This Java stuff is tricky.  If it's not a regression, let's push this.

This might help though, this:
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong
name: org/apache/poi/ss/examples/BusinessPlan)

is because of this at the top of the java file:
package org.apache.poi.ss.examples;

what it means is, it expect the file not to be named BusinessPlan.java in the current working directory, but rather:
org/apache/poi/ss/examples/BusinessPlan/BusinessPlan.java
Comment 14 claire robinson 2013-02-09 12:00:09 CET
Commented that line and it still gives errors with javac for me. No PoC so I think we'll just have to validate on the basis that the update installs ok, as you suggested.

Validating

Advisory & srpms in comment 8

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 15 Thomas Backlund 2013-02-09 13:58:55 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0044

Note You need to log in before you can comment on or make changes to this bug.