tika-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Allison (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TIKA-2952) Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
Date Mon, 30 Sep 2019 16:29:00 GMT

    [ https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941113#comment-16941113
] 

Tim Allison commented on TIKA-2952:
-----------------------------------

I haven't had the time to dig into this thoroughly.  I suspect that this might affect Tika.

One of the big problems is that even if metadata-extractor were released with this fix, the
more recent underlying Adobe xmpcore libraries have changed the namespace to com.adobe.internal.*
 So, we'd break a bunch of stuff in our xmp module and elsewhere. I found this when I tried
to upgrade to 2.12.0 before our last release.

In order for this to be fixed correctly, we'd have to find someone at Adobe to release their
external package named code: com.adobe.*, and then have metadata-extractor upgrade to that.

Any fellow devs see a better option?

In general, Tika cannot rely on robustness of underlying parsers, and we encourage separation
of parsing into a different process/jvm than your main code, whether that's through tika-server
with -spawn-child mode or using the ForkParser or using Tika app in batch mode.

That said, we try to do everything we can to fix and upgrade as necessary for more robust
code.

> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---------------------------------------------------------------
>
>                 Key: TIKA-2952
>                 URL: https://issues.apache.org/jira/browse/TIKA-2952
>             Project: Tika
>          Issue Type: Bug
>            Reporter: Aman Mishra
>            Priority: Major
>
> We can see that metadata-extractor with version 2.11.0 is present in tika-bundle 1.22
jar. We can see that even latest metadata-extractor with version 2.12.0 is also vulnerable.
>  
> So please confirm your side that "Is this vulnerability [CVE-2019-14262] is impacting
to tika or not ?"



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message