[apache-poi/f15] CVE-2012-0213 (bugs 799078, 820788)
Orion Poplawski
orion at fedoraproject.org
Fri May 11 04:05:08 UTC 2012
commit 99686c2a2d75b004d8fdbd94d7309a5142754304
Author: Orion Poplawski <orion at cora.nwra.com>
Date: Thu May 10 22:05:01 2012 -0600
CVE-2012-0213 (bugs 799078, 820788)
apache-poi-CVE-2012-0213.patch | 52 ++++++++++++++++++++++++++++++++++++++++
apache-poi.spec | 5 +++-
2 files changed, 56 insertions(+), 1 deletions(-)
---
diff --git a/apache-poi-CVE-2012-0213.patch b/apache-poi-CVE-2012-0213.patch
new file mode 100644
index 0000000..61791f9
--- /dev/null
+++ b/apache-poi-CVE-2012-0213.patch
@@ -0,0 +1,52 @@
+--- src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java (revision 18070)
++++ src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java (revision 22336)
+@@ -221,12 +221,10 @@
+ } catch(IOException e) {
+ if(currentBlock == headerPropertiesStartBlock) {
+ // Special case where things are in the wrong order
+- System.err.println("Warning, header block comes after data blocks in POIFS block listing");
+ currentBlock = POIFSConstants.END_OF_CHAIN;
+ } else if(currentBlock == 0 && firstPass) {
+ // Special case where the termination isn't done right
+ // on an empty set
+- System.err.println("Warning, incorrectly terminated empty data blocks in POIFS block listing (should end at -2, ended at 0)");
+ currentBlock = POIFSConstants.END_OF_CHAIN;
+ } else {
+ // Ripple up
+--- src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java (revision 18070)
++++ src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java (revision 22336)
+@@ -49,7 +49,6 @@
+ _buf = buf;
+
+ if(_cpStart < 0) {
+- System.err.println("A property claimed to start before zero, at " + _cpStart + "! Resetting it to zero, and hoping for the best");
+ _cpStart = 0;
+ }
+ }
+--- src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java (revision 18070)
++++ src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java (revision 22336)
+@@ -17,6 +17,8 @@
+
+ package org.apache.poi.hwpf.model;
+
++import java.util.Arrays;
++
+ public final class UnhandledDataStructure
+ {
+ byte[] _buf;
+@@ -24,13 +26,12 @@
+ public UnhandledDataStructure(byte[] buf, int offset, int length)
+ {
+ // System.out.println("Yes, using my code");
+- _buf = new byte[length];
+- if (offset + length > buf.length)
++ if (offset + length > buf.length || (offset | length | offset+length) < 0)
+ {
+ throw new IndexOutOfBoundsException("buffer length is " + buf.length +
+ "but code is trying to read " + length + " from offset " + offset);
+ }
+- System.arraycopy(buf, offset, _buf, 0, length);
++ _buf = Arrays.copyOfRange(buf, offset, offset + length);
+ }
+
+ byte[] getBuf()
diff --git a/apache-poi.spec b/apache-poi.spec
index d7a4dd8..04274b8 100644
--- a/apache-poi.spec
+++ b/apache-poi.spec
@@ -2,7 +2,7 @@
Name: apache-poi
Version: 3.7
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: The Java API for Microsoft Documents
Group: Development/Libraries
@@ -173,6 +173,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu May 10 2012 Orion Poplawski <orion at cora.nwra.com> - 3.7-7
+- CVE-2012-0213 (bugs 799078, 820788)
+
* Wed Apr 20 2011 Orion Poplawski <orion at cora.nwra.com> - 3.7-6
- Add BR fontconfig needed for java tests to find fonts
- Fix javadoc link
More information about the scm-commits
mailing list