[jira] [Commented] (COMPRESS-661) commons-compress 1.26.0 breaks Apache Tika 2.9.1

Tue, 05 Mar 2024 04:28:30 -0800 


    [ 
https://issues.apache.org/jira/browse/COMPRESS-661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823588#comment-17823588
 ] 

Tilman Hausherr commented on COMPRESS-661:
------------------------------------------

{code:java}

@Test
public void testCompress661() throws IOException {
    try (InputStream in = 
newInputStream("org/apache/commons/compress/COMPRESS-661/testARofText.ar");
            ArArchiveInputStream archive = new ArArchiveInputStream(new 
BufferedInputStream(in))) {
        assertNotNull(archive.getNextEntry());
        if (archive.markSupported()) {
            // mark() shouldn't be supported, but if it would be,
            // mark+read+reset should not do any harm.
            archive.mark(10);
            archive.read(new byte[10]);
            archive.reset();
        }
        byte[] ba = IOUtils.toByteArray(archive);
        assertEquals("Test d'indexation de Txt\nhttp://www.apache.org\n";, new 
String(ba));
        assertEquals(-1, archive.read());
        assertEquals(-1, archive.read());
        assertNull(archive.getNextEntry());
    }
}
{code}


> commons-compress 1.26.0 breaks Apache Tika 2.9.1
> ------------------------------------------------
>
>                 Key: COMPRESS-661
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-661
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Compressors
>    Affects Versions: 1.26.0
>            Reporter: Alexander Veit
>            Priority: Critical
>         Attachments: testARofText.ar
>
>
> Apache Commons Compress 1.26.0 fixes
> * https://www.cve.org/CVERecord?id=CVE-2024-25710 and
> * https://www.cve.org/CVERecord?id=CVE-2024-26308.
> We have tried to replace Apache Commons Compress 1.25.0 with 1.26.0 in our 
> deployments in order to fix these security vulnerabilities. But unfortunately 
> now Apache Tika is broken:
> {noformat}
>   org.apache.tika.exception.TikaException: TIKA-198: Illegal IOException from 
> org.apache.tika.parser.iwork.IWorkPackageParser@41fcb910
>     at 
> app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:304)
>     at 
> app//org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
>     at 
> app//org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:203)
>     at app//org.apache.tika.Tika.parseToString(Tika.java:525)
>     at app//org.apache.tika.Tika.parseToString(Tika.java:495)
>     at ...
>   Caused by: java.io.IOException: Resetting to invalid mark
>     at 
> java.base/java.io.BufferedInputStream.reset(BufferedInputStream.java:446)
>     at 
> org.apache.tika.parser.iwork.IWorkPackageParser.parse(IWorkPackageParser.java:97)
>     at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
>     ... 42 more
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to