Hi Faidon,

On Fri, Jan 12, 2018 at 07:54:58PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > > please see http://seclists.org/oss-sec/2016/q2/413 for details.
> >
> > That link says:
> > Versions Affected:
> > Apache Tika 0.10 to 1.12
> >
> > So perhaps 1.5 isn't affected after all? I tried to find the relevant
> > commit in the upstream git but failed :(
>
> Commit
> https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93
> in 1.17 added a test case, so this might be related to changes in Xerces/J
> which are possibly bundled by Tika downloads? Might be worth clarifying with
> Tim Allison <talli...@apache.org>.
Above, you said "so perhaps 1.5 isn't affected after all?". But why this conclusion? 1.5, as currently present in unstable and oldstable, falls within the affected range of 0.15 and 1.12. The issue is claimed to be fixed in upstream 1.13 (and, as Moritz pointed out, a test was added).

Comparing commits between 1.12 and 1.13, I was unable to isolate the relevant commit(s), but there are some touching the code for "OOXML files and XMP in PDF and other file formats".

So yes, maybe Tim Allison can help identify which are the required commits, but the best course might just be to try to update to the newest upstream version for unstable.

Regards,
Salvatore