CVE-2020-9489

Name: CVE-2020-9489
Description: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
Source: CVE (references at NVD, CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 984666

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release               | Version       | Status
tika (PTS)     | jessie, jessie (lts)  | 1.5-1+deb8u1  | vulnerable
tika           | buster                | 1.20-1        | vulnerable
tika           | sid, bullseye         | 1.22-2        | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
tika    | source | (unstable) | (unfixed)     |         |        | 984666

Notes

[bullseye] - tika <no-dsa> (Minor issue)
[buster] - tika <no-dsa> (Minor issue)
[jessie] - tika <ignored> (the fix is too invasive to backport)
https://www.openwall.com/lists/oss-security/2020/04/24/1
