Bug#1015002: tika: CVE-2022-25169 CVE-2022-30126 CVE-2022-33879

Fri Jul 15 23:37:36 BST 2022

Source: tika
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for tika.

Like all Apache software, their disclosure process is a mess, so we'll
need to reach out to upstream for commits/more detailed information...

CVE-2022-25169[0]:
| The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may
| allocate an unreasonable amount of memory on carefully crafted files.

https://www.openwall.com/lists/oss-security/2022/05/16/4

CVE-2022-30126[1]:
| In Apache Tika, a regular expression in our StandardsText class, used
| by the StandardsExtractingContentHandler could lead to a denial of
| service caused by backtracking on a specially crafted file. This only
| affects users who are running the StandardsExtractingContentHandler,
| which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

https://www.openwall.com/lists/oss-security/2022/05/16/3

CVE-2022-33879[2]:
| The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in
| the StandardsExtractingContentHandler were insufficient, and we found
| a separate, new regex DoS in a different regex in the
| StandardsExtractingContentHandler. These are now fixed in 1.28.4 and
| 2.4.1.

https://www.openwall.com/lists/oss-security/2022/06/27/5

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25169
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25169
[1] https://security-tracker.debian.org/tracker/CVE-2022-30126
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30126
[2] https://security-tracker.debian.org/tracker/CVE-2022-33879
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33879

Please adjust the affected versions in the BTS as needed.