Bug 750164 - VUL-0: jakarta-poi out of memory when parsing certain files
VUL-0: jakarta-poi out of memory when parsing certain files
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2012-03-02 15:27 UTC by Ludwig Nussel
Modified: 2012-06-04 15:00 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2012-03-02 15:27:29 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

From: Florian Weimer <fw@deneb.enyo.de>
To: distros@vs.openwall.org
Subject: [vs-plain] OOM in Apache (Jarkata) POI (CVE-2012-0213)


When processing certain malformed CDF/CFBF files, Apache POI (a Java
library for processing Office document formats) allocates arrays with
arbitrary sizes, as specified in the input document.  This results in
an OutOfMemoryError exception, but not necessarily in the thread
processing the malformed file, destabilizing the JVM
Comment 7 Ludwig Nussel 2012-05-14 09:09:43 UTC
Public meanwhile:
Comment 8 Matthias Weckbecker 2012-05-16 09:07:06 UTC
Note: Package is only shipped in openSUSE.
Comment 9 Michal Vyskocil 2012-05-16 13:25:25 UTC
11.4: 121197
12.1: 121198
factory: TBD
Comment 10 Michal Vyskocil 2012-05-18 07:25:31 UTC
factory: commited latest upstream version and adapted the patch
Comment 11 Ludwig Nussel 2012-05-29 09:47:15 UTC
Comment 12 Swamp Workflow Management 2012-05-29 10:09:33 UTC
openSUSE-SU-2012:0654-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 750164
CVE References: CVE-2012-0213
Sources used:
openSUSE 12.1 (src):    jakarta-poi-2.5.1-12.4.1
openSUSE 11.4 (src):    jakarta-poi-2.5.1-12.1
Comment 13 Bernhard Wiedemann 2012-06-04 15:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (750164) was mentioned in
https://build.opensuse.org/request/show/123506 Evergreen:11.2 / jakarta-poi