Bug 1181223 (CVE-2014-9527)
Summary: | CVE-2014-9527 apache-poi: denial of service in HSLFSlideShow via corrupted PPT file | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | acathrow, aileenc, alazarot, bdawidow, bmcclain, brms-jira, chazlett, cperry, dblechte, epp-bugs, etirelli, gvarsami, idith, jbpapp-maint, jcoleman, jolee, jpallich, jrusnack, kconner, ldimaggi, lpetrovi, lsurette, mbaluch, michal.skrivanek, mweiler, mwinkler, nwallace, Rhev-m-bugs, rrajasek, rwagner, rzhang, soa-p-jira, srevivo, tcunning, theute, tkirby, vhalbert, ykaul |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://issues.redhat.com/browse/ENTESB-5382 | ||
Whiteboard: | |||
Fixed In Version: | Apache POI 3.11 | Doc Type: | Bug Fix |
Doc Text: | A denial of service flaw was found in the way the HSLFSlideShow class implementation in Apache POI handled certain PPT files. A remote attacker could submit a specially crafted PPT file that would cause Apache POI to hang indefinitely. | ||
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 02:37:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1327359, 1327347, 1327348, 1327349, 1327350, 1327351, 1327352, 1327353, 1327354, 1327355 | ||
Bug Blocks: | 1181227, 1335310, 1385169 |
Description
Martin Prpič
2015-01-12 16:00:17 UTC
There are some problems to solve for upgrading Apache POI to 3.11.

#1: I have no idea what license these files use; they are used by the poi-ooxml* artefacts:

http://www.ecma-international.org/publications/files/ECMA-ST/Office%20Open%20XML%201st%20edition%20Part%202%20(PDF).zip
http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcmitype.xsd
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
http://uri.etsi.org/01903/v1.3.2/XAdES.xsd
http://uri.etsi.org/01903/v1.4.1/XAdESv141.xsd

#2: Apache POI 3.11 uses xml-security 2.x; an xml-security update would cause compatibility problems that, for now, I prefer to avoid.

Regards

The Fixed In Version field of Security Response / vulnerability bugs is used to track information about what upstream version fixed specific flaws.

apache-poi-3.10.1-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat JBoss Data Virtualization security and bug fix update
Via RHSA-2016:1135 https://access.redhat.com/errata/RHSA-2016:1135