Posted to announce@apache.org by Andreas Beeker <ki...@apache.org> on 2017/09/16 22:06:57 UTC

[ANNOUNCE] Apache POI 3.17 released

The Apache POI project is pleased to announce the release of POI 3.17.
Featured are a handful of new areas of functionality, and numerous bug fixes.

See the downloads page for binary and source distributions:
https://poi.apache.org/download.html

Note: The Apache Software Foundation uses an extensive mirroring network for
distributing releases. It is possible that the mirror you are using may not
have replicated the release yet. If that is the case, please try another mirror.
This also goes for Maven access.


Release Notes

Changes
------------
The most notable changes in this release are:

- Various modules: add sanity checks and fix infinite loops / OOMs caused by fuzzed data
- OPC: fix linebreak handling on XML signature calculation (#61182)
- SS Common: fix number formatting (github-43/52, #60422)
- SXSSF: fix XML processing - unicode surrogates and line breaks (#61048, #61246)

POI 3.17 is the last release to support Java 6.
The next release will be 4.0.0 and requires Java 8 or later.

A full list of changes is available in the change log: https://poi.apache.org/changes.html.

People interested should also follow the dev mailing list to track further progress.

Release Contents
----------------

This release comes in two forms:
 - pre-built binaries containing compiled versions of all Apache POI components and documentation
   (poi-bin-3.17-20170915.zip or poi-bin-3.17-20170915.tar.gz)
 - source archive you can build POI from
   (poi-src-3.17-20170915.zip or poi-src-3.17-20170915.tar.gz)

Unpack the archive and use the following command to build all POI components with
Apache Ant 1.8+ and JDK 1.6 or higher:

  ant jar

Pre-built versions of all POI components are also available in the central Maven repository
under Group ID "org.apache.poi" and Version "3.17"

All release artifacts are accompanied by MD5 checksums and PGP signatures
that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/poi/tags/REL_3_17_FINAL/KEYS


About Apache POI
-----------------------

Apache POI is well-known in the Java field as a library for reading and
writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
Visio, Publisher and Outlook. It supports both the older (OLE2) and
new (OOXML - Office Open XML) formats.

See https://poi.apache.org/ for more details

On behalf of the Apache POI PMC,
Andi


RE: RE: [ANNOUNCE] Apache POI 3.17 released

Posted by "Allison, Timothy B." <ta...@mitre.org>.
Thank you for the ping.  I'll respond now, and we can discuss from there.

-----Original Message-----
From: Javen O'Neal [mailto:onealj@apache.org] 
Sent: Wednesday, September 27, 2017 11:39 AM
To: POI Users List <us...@poi.apache.org>
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released

Any other opinions on if and how many CVEs we need to request? We need to get back to the requestor.

On Sep 20, 2017 1:38 PM, "pj.fanning" <fa...@yahoo.com> wrote:

> Would it be possible to consider moving the H??F code to a separate jar?
> That
> is, having the shared code in poi.jar but the X??F impls in 
> poi-ooxml.jar and the H??F impls in poi-legacy.jar (or some better name).
> I would assume that a lot of the CVEs would relate to H??F code.
> In my team, we only use the XSSF code and our Security team disapprove 
> of us using jar versions with any CVEs listed for them. poi-ooxml.jar 
> depends on poi.jar and any H??F related CVEs would affect the poi.jar 
> as things stand.
>
>
>
> --
> Sent from: 
> http://apache-poi.1045710.n5.nabble.com/POI-User-f2280730.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@poi.apache.org For additional 
> commands, e-mail: user-help@poi.apache.org
>
>

Re: RE: [ANNOUNCE] Apache POI 3.17 released

Posted by Javen O'Neal <on...@apache.org>.
Any other opinions on if and how many CVEs we need to request? We need
to get back to the requestor.

On Sep 20, 2017 1:38 PM, "pj.fanning" <fa...@yahoo.com> wrote:

> Would it be possible to consider moving the H??F code to a separate jar?
> That
> is, having the shared code in poi.jar but the X??F impls in poi-ooxml.jar
> and the H??F impls in poi-legacy.jar (or some better name).
> I would assume that a lot of the CVEs would relate to H??F code.
> In my team, we only use the XSSF code and our Security team disapprove of
> us
> using jar versions with any CVEs listed for them. poi-ooxml.jar depends on
> poi.jar and any H??F related CVEs would affect the poi.jar as things stand.
>
>
>
> --
> Sent from: http://apache-poi.1045710.n5.nabble.com/POI-User-f2280730.html
>

Re: RE: [ANNOUNCE] Apache POI 3.17 released

Posted by "pj.fanning" <fa...@yahoo.com>.
Would it be possible to consider moving the H??F code to a separate jar? That
is, having the shared code in poi.jar but the X??F impls in poi-ooxml.jar
and the H??F impls in poi-legacy.jar (or some better name).
I would assume that a lot of the CVEs would relate to H??F code.
In my team, we only use the XSSF code and our Security team disapprove of us
using jar versions with any CVEs listed for them. poi-ooxml.jar depends on
poi.jar and any H??F related CVEs would affect the poi.jar as things stand.



--
Sent from: http://apache-poi.1045710.n5.nabble.com/POI-User-f2280730.html



RE: RE: [ANNOUNCE] Apache POI 3.17 released

Posted by "Allison, Timothy B." <ta...@mitre.org>.
I'm sorry for taking so long to get back to you.  After discussing with fellow devs, we'd prefer not to open a separate CVE for each item.  In looking at the items you helpfully gathered, we can categorize by type of problem and file formats affected.  I don't think we need to open a CVE for NPE or other parse exceptions (61286, 61287, 61059, pull53).  For the others, we could open a single CVE based on the poi-release (hey, these are now fixed in version 3.17) or we might open two -- one for permanent hangs, one for OOM?  My preference would be one CVE based on POI release.  

A full description in that one CVE will allow users to determine if 3.17 would protect them based on file type -- your main goal, right?

To fellow Devs and David, how does this sound?

DETAILS:

This is my understanding, please let me know if I've missed any or misunderstood the impacts.

61338 permanent hang: WMF
61295 OOM: doc, ppt, xls
61294 permanent hang: macros, wmf, emf, msg
52372 OOM: doc, ppt, xls

61286, 61287, 61059, pull 53 -- not an OOM or permahang

-----Original Message-----
From: davidedillard@gmail.com [mailto:davidedillard@gmail.com] 
Sent: Tuesday, September 19, 2017 2:44 PM
To: user@poi.apache.org
Subject: Re: RE: [ANNOUNCE] Apache POI 3.17 released

On 2017-09-19 07:56, "Allison, Timothy B." <ta...@mitre.org> wrote: 
> David,
>   Thank you for raising this issue.  If fellow devs are +1, I can fill out the paperwork.  Single CVE or multiple?
> 

My suggestion would be one CVE for each issue.  That way if a consuming project isn't affected by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer doesn't use) they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since 3.16:

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too serious.


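The two impact classes Tim sorts the fixed bugs into above, permanent hangs and OutOfMemoryErrors on malformed input, are exactly the two failure modes a service that feeds untrusted Office files to POI has to contain even before it can upgrade. The following is an added example, not code from the POI project or from anyone in this thread: it runs the parse in a throwaway child JVM whose heap is capped with -Xmx and whose wall-clock time is bounded by the parent, which kills it on overrun. A worker thread with a timeout would not be enough, since a thread spinning in a loop of the kind fixed in 61294 (IOUtils.skipFully) cannot be stopped safely from outside; a process can. Assumptions: the class name, the Outcome enum and the exit codes are this example's own; POI 3.17's poi and poi-ooxml jars (plus their dependencies) are on the classpath, with WorkbookFactory.create(File) used only as a representative entry point; and the runtime is Java 8, which Process.waitFor(long, TimeUnit) and destroyForcibly() require, even though 3.17 itself still runs on Java 6.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;

/**
 * Parses an untrusted spreadsheet in a throwaway child JVM with its own heap cap
 * and wall-clock budget, so a parser that spins forever or exhausts memory on a
 * malformed file takes down the child, not the service that called it.
 * Parent and child are this same class; the child is selected with "--child".
 * Example code, not part of Apache POI; names and exit codes are assumptions.
 */
public final class IsolatedPoiParse {

    /** What the bounded parse attempt ended in. */
    public enum Outcome { OK, PARSE_ERROR, TIMEOUT, OUT_OF_MEMORY, OTHER_FAILURE }

    // Exit codes the child uses to report back; arbitrary, chosen for this example.
    static final int EXIT_OK = 0;
    static final int EXIT_PARSE_ERROR = 3;
    static final int EXIT_OOM = 4;

    /**
     * Parent side. Starts a child JVM on the same classpath, caps its heap with -Xmx
     * and kills it if it overruns the time budget. Process.waitFor(long, TimeUnit) and
     * destroyForcibly() need Java 8. A Thread-based timeout would not do here: a thread
     * stuck in an infinite loop cannot be stopped safely, but a process can be killed.
     */
    public static Outcome parseBounded(File input, String maxHeap, long timeoutSeconds)
            throws IOException, InterruptedException {
        String javaBin = System.getProperty("java.home") + File.separator + "bin"
                + File.separator + "java";
        List<String> cmd = new ArrayList<String>();
        cmd.add(javaBin);
        cmd.add("-Xmx" + maxHeap);                       // an OOM stays inside the child
        cmd.add("-cp");
        cmd.add(System.getProperty("java.class.path"));  // poi + poi-ooxml must be on it
        cmd.add(IsolatedPoiParse.class.getName());
        cmd.add("--child");
        cmd.add(input.getAbsolutePath());

        Process child = new ProcessBuilder(cmd).inheritIO().start();
        if (!child.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            child.destroyForcibly();   // SIGKILL on Unix; the hang dies with the child
            child.waitFor();
            return Outcome.TIMEOUT;
        }
        switch (child.exitValue()) {
            case EXIT_OK:          return Outcome.OK;
            case EXIT_PARSE_ERROR: return Outcome.PARSE_ERROR;
            case EXIT_OOM:         return Outcome.OUT_OF_MEMORY;
            default:               return Outcome.OTHER_FAILURE;
        }
    }

    /** Child side: the only JVM that ever touches the untrusted bytes. */
    static int childMain(File input) {
        Workbook wb = null;
        try {
            wb = WorkbookFactory.create(input);   // poi-ooxml entry point; picks HSSF or XSSF
            System.out.println("sheets=" + wb.getNumberOfSheets());
            return EXIT_OK;
        } catch (OutOfMemoryError e) {
            return EXIT_OOM;                      // best effort: the heap may already be gone
        } catch (Exception e) {                   // RecordFormatException, IOException, ...
            return EXIT_PARSE_ERROR;
        } finally {
            if (wb != null) {
                try { wb.close(); } catch (Exception ignore) { }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2 && "--child".equals(args[0])) {
            System.exit(childMain(new File(args[1])));
        }
        if (args.length != 1) {
            System.err.println("usage: java IsolatedPoiParse <untrusted.xls|untrusted.xlsx>");
            System.exit(2);
        }
        // 256 MiB and 30 s are illustrative budgets; size them to the largest legitimate file.
        Outcome outcome = parseBounded(new File(args[0]), "256m", 30);
        System.out.println("outcome=" + outcome);
    }
}
```

Run it as `java -cp <poi, poi-ooxml and their dependencies>:. IsolatedPoiParse suspicious.xls`; a file that triggers a hang comes back as TIMEOUT after 30 s and one that blows the heap as OUT_OF_MEMORY, in both cases with the parent JVM intact. The isolation does not depend on the POI call used: swap WorkbookFactory for whatever HWPF, HSLF or extractor entry point your service actually invokes, and the same two budgets still map onto the two impact classes listed above.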

Re: RE: [ANNOUNCE] Apache POI 3.17 released

Posted by "davidedillard@gmail.com" <da...@gmail.com>.
On 2017-09-19 07:56, "Allison, Timothy B." <ta...@mitre.org> wrote: 
> David,
>   Thank you for raising this issue.  If fellow devs are +1, I can fill out the paperwork.  Single CVE or multiple?
> 

My suggestion would be one CVE for each issue.  That way if a consuming project isn't affected by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer doesn't use) they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since 3.16:

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too serious.



RE: [ANNOUNCE] Apache POI 3.17 released

Posted by Javen O'Neal <on...@apache.org>.
+1, two CVEs.

On Sep 19, 2017 05:00, "Allison, Timothy B." <ta...@mitre.org> wrote:

> Resending with proper cc.  Thank you, Nick!
>
> -----Original Message-----
> From: Allison, Timothy B.
> Sent: Tuesday, September 19, 2017 7:57 AM
> To: user@poi.apache.org
> Subject: RE: [ANNOUNCE] Apache POI 3.17 released
>
> David,
>   Thank you for raising this issue.  If fellow devs are +1, I can fill out
> the paperwork.  Single CVE or multiple?
>
>       Best,
>
>              Tim
>
> -----Original Message-----
> From: davidedillard@gmail.com [mailto:davidedillard@gmail.com]
> Sent: Monday, September 18, 2017 12:40 PM
> To: user@poi.apache.org
> Subject: Re: [ANNOUNCE] Apache POI 3.17 released
>
> On 2017-09-16 18:06, Andreas Beeker <ki...@apache.org> wrote:
> > The Apache POI project is pleased to announce the release of POI 3.17.
> > Featured are a handful of new areas of functionality, and numerous bug
> fixes.
> > Changes
> > ------------
> > The most notable changes in this release are:
> >
> > - Various modules: add sanity checks and fix infinite loops / OOMs
> > caused by fuzzed data
>
> I've looked through the specific changes and several appear to be
> vulnerabilities (e.g. 61294 and 61300 among others).  Is the POI project
> planning to get CVEs for these issues?  If not, I'm happy to get them
> myself.  It makes the world a better place :-)
>
>
> Thanks,
>
> David
>

RE: [ANNOUNCE] Apache POI 3.17 released

Posted by "Allison, Timothy B." <ta...@mitre.org>.
Resending with proper cc.  Thank you, Nick!

-----Original Message-----
From: Allison, Timothy B. 
Sent: Tuesday, September 19, 2017 7:57 AM
To: user@poi.apache.org
Subject: RE: [ANNOUNCE] Apache POI 3.17 released

David,
  Thank you for raising this issue.  If fellow devs are +1, I can fill out the paperwork.  Single CVE or multiple?

      Best,

             Tim

-----Original Message-----
From: davidedillard@gmail.com [mailto:davidedillard@gmail.com] 
Sent: Monday, September 18, 2017 12:40 PM
To: user@poi.apache.org
Subject: Re: [ANNOUNCE] Apache POI 3.17 released

On 2017-09-16 18:06, Andreas Beeker <ki...@apache.org> wrote: 
> The Apache POI project is pleased to announce the release of POI 3.17.
> Featured are a handful of new areas of functionality, and numerous bug fixes.
> Changes
> ------------
> The most notable changes in this release are:
> 
> - Various modules: add sanity checks and fix infinite loops / OOMs 
> caused by fuzzed data

I've looked through the specific changes and several appear to be vulnerabilities (e.g. 61294 and 61300 among others).  Is the POI project planning to get CVEs for these issues?  If not, I'm happy to get them myself.  It makes the world a better place :-)


Thanks,

David



RE: [ANNOUNCE] Apache POI 3.17 released

Posted by "Allison, Timothy B." <ta...@mitre.org>.
David,
  Thank you for raising this issue.  If fellow devs are +1, I can fill out the paperwork.  Single CVE or multiple?

      Best,

             Tim

-----Original Message-----
From: davidedillard@gmail.com [mailto:davidedillard@gmail.com] 
Sent: Monday, September 18, 2017 12:40 PM
To: user@poi.apache.org
Subject: Re: [ANNOUNCE] Apache POI 3.17 released

On 2017-09-16 18:06, Andreas Beeker <ki...@apache.org> wrote: 
> The Apache POI project is pleased to announce the release of POI 3.17.
> Featured are a handful of new areas of functionality, and numerous bug fixes.
> Changes
> ------------
> The most notable changes in this release are:
> 
> - Various modules: add sanity checks and fix infinite loops / OOMs 
> caused by fuzzed data

I've looked through the specific changes and several appear to be vulnerabilities (e.g. 61294 and 61300 among others).  Is the POI project planning to get CVEs for these issues?  If not, I'm happy to get them myself.  It makes the world a better place :-)


Thanks,

David



Re: [ANNOUNCE] Apache POI 3.17 released

Posted by "davidedillard@gmail.com" <da...@gmail.com>.
On 2017-09-16 18:06, Andreas Beeker <ki...@apache.org> wrote: 
> The Apache POI project is pleased to announce the release of POI 3.17.
> Featured are a handful of new areas of functionality, and numerous bug fixes.
> Changes
> ------------
> The most notable changes in this release are:
> 
> - Various modules: add sanity checks and fix infinite loops / OOMs caused by fuzzed data

I've looked through the specific changes and several appear to be vulnerabilities (e.g. 61294 and 61300 among others).  Is the POI project planning to get CVEs for these issues?  If not, I'm happy to get them myself.  It makes the world a better place :-)


Thanks,

David
