Source: libapache-poi-java
Version: 4.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for libapache-poi-java.

CVE-2025-31672[0]:
| Improper Input Validation vulnerability in Apache POI. The issue
| affects the parsing of OOXML format files like xlsx, docx and pptx.
| These file formats are basically zip files and it is possible for
| malicious users to add zip entries with duplicate names (including
| the path) in the zip. In this case, products reading the affected
| file could read different data because 1 of the zip entries with the
| duplicate name is selected over another but different products may
| choose a different zip entry. This issue affects Apache POI
| poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an
| exception if zip entries with duplicate file names are found in the
| input file. Users are recommended to upgrade to version poi-ooxml
| 5.4.0, which fixes the issue. Please read
| https://poi.apache.org/security.html for recommendations about how
| to use the POI libraries securely.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-31672
    https://www.cve.org/CVERecord?id=CVE-2025-31672
[1] https://www.openwall.com/lists/oss-security/2025/04/08/2
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=69620

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
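The parser-disagreement problem the CVE text describes, and the kind of check poi-ooxml 5.4.0 is said to add, can be seen with nothing more than the standard library. The following is an added illustration written for this bug report; it is not code from Apache POI or from Debian. It uses Python's `zipfile` module on a constructed in-memory archive shaped like an xlsx (the entry names and contents are made up), and the function names `build_demo_zip`, `read_first_occurrence`, `read_by_lookup`, `find_duplicate_entries` and `open_ooxml_strict` are this example's own. A reader that walks entries in order gets the first copy of `xl/worksheets/sheet1.xml`, while `zipfile`'s name-keyed lookup returns the second copy; the strict opener refuses the container altogether whenever any name is duplicated, which is the defensive behaviour the advisory recommends.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed sample entry name; a real OOXML container stores the first
# worksheet under this path, but the payloads below are invented.
DUPLICATE_NAME = "xl/worksheets/sheet1.xml"
FIRST_COPY = b"<worksheet>first copy</worksheet>"
SECOND_COPY = b"<worksheet>second copy</worksheet>"


def build_demo_zip() -> bytes:
    """Return bytes of a constructed zip that carries DUPLICATE_NAME twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(DUPLICATE_NAME, FIRST_COPY)
        with warnings.catch_warnings():
            # zipfile only warns about a duplicate name; it still writes it.
            warnings.simplefilter("ignore")
            zf.writestr(DUPLICATE_NAME, SECOND_COPY)
    return buf.getvalue()


def read_first_occurrence(data: bytes, name: str) -> bytes:
    """Order-based reader: take the first entry with this name, as a parser
    that walks the archive sequentially would."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                # Reading by ZipInfo addresses this exact entry, not the name.
                return zf.read(info)
    raise KeyError(name)


def read_by_lookup(data: bytes, name: str) -> bytes:
    """Name-keyed reader: zipfile's name->entry map keeps the last central
    directory record for a name, so this returns the other copy."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def find_duplicate_entries(data: bytes) -> list[str]:
    """Return the sorted names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def open_ooxml_strict(data: bytes) -> zipfile.ZipFile:
    """Refuse the whole container when any entry name is duplicated, the
    same policy the advisory attributes to poi-ooxml 5.4.0."""
    dupes = find_duplicate_entries(data)
    if dupes:
        raise ValueError(f"duplicate zip entries: {dupes}")
    return zipfile.ZipFile(io.BytesIO(data))


def is_rejected(data: bytes) -> bool:
    """True if the strict opener refuses this archive."""
    try:
        open_ooxml_strict(data).close()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    data = build_demo_zip()
    print("first-wins :", read_first_occurrence(data, DUPLICATE_NAME))
    print("lookup-wins:", read_by_lookup(data, DUPLICATE_NAME))
    print("duplicates :", find_duplicate_entries(data))
    print("rejected   :", is_rejected(data))
```

The point of the two readers is that both are "correct" zip consumers and still disagree on the document's content; a scanner that inspects the first copy and an application that renders the second have looked at different files. Checking `infolist()` for repeated names before any content is parsed closes that gap, and is cheap enough to run on every upload.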