Posted to dev@tika.apache.org by "Nick Burch (Jira)" <ji...@apache.org> on 2021/09/21 14:57:00 UTC

[jira] [Commented] (TIKA-3558) vulnerability detected in vorbis-tika-java

    [ https://issues.apache.org/jira/browse/TIKA-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17418157#comment-17418157 ] 

Nick Burch commented on TIKA-3558:
----------------------------------

That seems to be a vulnerability in the libflac C code, so it shouldn't affect the library we use, as that's pure Java and a fresh implementation.

In terms of the library not having any recent releases, generally the basics are all there and nicely stable, but there is still more that could be implemented if any volunteers wanted to assist!

There are improvements needed in how to map metadata from files with multiple substreams (e.g. video + multiple audio), improving multi-stream detection using Ogg Skeleton / Annodex or CMML, extracting song lyrics from Kate streams, etc.

> vulnerability detected in vorbis-tika-java
> ------------------------------------------
>
>                 Key: TIKA-3558
>                 URL: https://issues.apache.org/jira/browse/TIKA-3558
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.27
>            Reporter: brent jackson
>            Priority: Major
>
> We recently had a user report that a security scan on tika-app-1.25 discovered a vulnerability in vorbis-tika-java. Specifically:
>  
> [https://nvd.nist.gov/vuln/detail/CVE-2017-6888]
> (detected on tika-app-1.25.jar/META-INF/maven/org.gagravarr/vorbis-java-tika/pom.xml)
>  
> I checked 1.27 and the org.gagravarr classes have not been updated (they all date from 2016). Has this vulnerability been addressed, or is it a false positive? Thanks.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
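The reasoning in the comment above (a CVE against libflac's C code does not apply to a pure-Java reimplementation that merely shares a name) is the kind of claim a triage should verify against the artifact rather than against the scanner's name match. The following is an added example, not code from the Tika or vorbis-java projects: it reads the Maven coordinates a scanner keys on out of a jar's META-INF and checks the same jar for bundled native binaries or classes that mention loadLibrary. The jar contents, the version string and the "flac-jni" counter-example are all constructed here.

```python
import io
import zipfile
NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")

def build_sample_jar(entries):
    """Constructed stand-in for a jar: an in-memory zip from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def maven_coordinates(zf):
    """(groupId, artifactId, version) triples from META-INF/maven/*/pom.properties, as matched by scanners."""
    coords = []
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = {}
            for line in zf.read(name).decode("utf-8").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            coords.append((props.get("groupId"), props.get("artifactId"), props.get("version")))
    return coords

def native_evidence(zf):
    """Bundled native binaries, plus classes whose bytes mention loadLibrary
    (a heuristic for JNI wrappers). A pure-Java port should yield neither."""
    names = zf.namelist()
    binaries = [n for n in names if n.lower().endswith(NATIVE_SUFFIXES)]
    loaders = [n for n in names if n.endswith(".class") and b"loadLibrary" in zf.read(n)]
    return {"binaries": binaries, "jni_loaders": loaders}

def triage(jar_bytes):
    """What to check before accepting a C-library CVE match on a Java artifact."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        evidence = native_evidence(zf)
        return {"coordinates": maven_coordinates(zf), "native": evidence,
                "uses_native_code": bool(evidence["binaries"] or evidence["jni_loaders"])}

# Constructed sample: a pure-Java artifact carrying the coordinates the scanner keyed on.
PURE_JAVA_JAR = build_sample_jar({
    "META-INF/maven/org.gagravarr/vorbis-java-tika/pom.properties":
        b"groupId=org.gagravarr\nartifactId=vorbis-java-tika\nversion=0.0-constructed\n",
    "org/gagravarr/constructed/Parser.class": b"\xca\xfe\xba\xbe pure java decoder",
})

# Constructed counter-example: a JNI wrapper that really does ship native code.
JNI_WRAPPER_JAR = build_sample_jar({
    "native/linux/libflac-jni.so": b"\x7fELF constructed",
    "example/FlacJni.class": b"\xca\xfe\xba\xbe java/lang/System loadLibrary",
})
```

Run `triage()` over the real tika-app jar (it is a zip) to see whether the org.gagravarr entry sits next to any native payload; a match on coordinates alone, with no native evidence, supports treating the finding as a false positive.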