Gagravarr/VorbisJava

Several CVEs reported for this library

Closed this issue · 2 comments

When running an NVD (National Vulnerability Database) check against this library, the following CVEs were reported for this library:

andrm commented

Thank you for this report.
The CVEs seem to be reported against Apache Tika, not VorbisJava. VorbisJava is used by Tika to extract information about data that is encapsulated in the OGG format.

  1. "Command Injection Vulnerability in Apache Tika’s tika-server module": I don't see any connection to VorbisJava.
  2. "A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser": BPG is not part of VorbisJava.
  3. "A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18": this seems to relate to CHM; this library deals with Ogg and the formats encapsulated in it, and it does not know how to handle CHM even if it were encapsulated.

Please let me know if I missed something.

As Andreas says, these all seem to be against old versions of Apache Tika, not this library. So, for now, I'm going to close this as Incorrect / invalid report from automated tooling.

This library can be used without Tika at all. You only need Apache Tika to compile the parser/detector plugins for Tika, which you then add to your existing Tika install.

We currently try to compile against the oldest possible Tika version we can, to allow as many people as possible to use the latest version of the library. We only bump that up if required.

However, we probably will bump the minimum to Tika 2.0 fairly soon, to incorporate the breaking changes coming there.
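The triage the maintainers did above (check which product each CVE's affected-configuration data actually names, and whether that product is the library itself, something it ships at runtime, or only a compile-time dependency such as Tika) can be automated. The script below is an added example for this thread, not VorbisJava or Tika code. The CVE records are constructed in the shape of NVD JSON 2.0 `cve` objects with placeholder ids, the `vorbis-java` CPE name for the library is invented, and classifying the Tika dependency as build-only is an assumption based on the comment that Tika is needed only to compile the plugins.

```python
"""Triage scanner-reported CVEs against what a library actually ships.

Added example for this thread; it is not VorbisJava or Apache Tika code.
Every record below is CONSTRUCTED: the CVE ids, the CPE name for the
library and the "build" scope of the Tika dependency are placeholders
that mirror the situation in the thread, not real NVD data or the
project's real build configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str
    scope: str  # "self", "runtime" or "build" (assumed classification)


def version_key(v):
    """Turn '1.18.1' into (1, 18, 1) so version ranges compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_cpe(criteria):
    """cpe:2.3:a:vendor:product:version:... -> (vendor, product, version)."""
    parts = criteria.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return parts[3], parts[4], parts[5]


def cpe_match_applies(match, comp):
    """Does one NVD cpeMatch entry name this component at this version?"""
    if not match.get("vulnerable", False):
        return False
    vendor, product, version = parse_cpe(match["criteria"])
    if (vendor, product) != (comp.vendor, comp.product):
        return False
    if version not in ("*", "-") and version != comp.version:
        return False
    v = version_key(comp.version)
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def affected_components(cve, components):
    """All inventory components that fall inside the CVE's CPE ranges."""
    hits = []
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                for comp in components:
                    if cpe_match_applies(match, comp) and comp not in hits:
                        hits.append(comp)
    return hits


def triage(cve, components):
    """Classify a finding: 'self', 'runtime-dep', 'build-only' or 'no-match'."""
    scopes = {c.scope for c in affected_components(cve, components)}
    for scope, verdict in (("self", "self"), ("runtime", "runtime-dep"), ("build", "build-only")):
        if scope in scopes:
            return verdict
    return "no-match"


# Constructed inventory: the library itself plus Tika as a compile-only
# dependency ("build" scope is an assumption about how the plugins are built).
COMPONENTS = [
    Component("example", "vorbis-java", "0.8", "self"),
    Component("apache", "tika", "1.17", "build"),
]


def nvd_record(cve_id, text, criteria, **version_range):
    """Constructed record in the shape of an NVD JSON 2.0 'cve' object."""
    match = {"vulnerable": True, "criteria": criteria, **version_range}
    return {"id": cve_id,
            "descriptions": [{"lang": "en", "value": text}],
            "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [match]}]}]}


TIKA = "cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*"
LIB = "cpe:2.3:a:example:vorbis-java:*:*:*:*:*:*:*:*"
REPORTED = [  # placeholder ids; the three Tika items mirror the thread
    nvd_record("CVE-EXAMPLE-0001", "Command injection in tika-server", TIKA),
    nvd_record("CVE-EXAMPLE-0002", "Infinite loop in BPGParser", TIKA),
    nvd_record("CVE-EXAMPLE-0003", "Infinite loop in ChmParser before 1.18", TIKA, versionEndExcluding="1.18"),
    nvd_record("CVE-EXAMPLE-0004", "Hypothetical issue naming the library itself", LIB, versionEndExcluding="0.9"),
    nvd_record("CVE-EXAMPLE-0005", "Tika issue already fixed in 1.17", TIKA, versionEndExcluding="1.17"),
]


def triage_report(reported=REPORTED, components=COMPONENTS):
    return {cve["id"]: triage(cve, components) for cve in reported}


if __name__ == "__main__":
    for cve_id, verdict in triage_report().items():
        print(f"{cve_id}: {verdict}")
```

A "build-only" verdict is exactly the case in this thread: the CVE is real, but it applies to a dependency that consumers obtain from their own Tika install rather than from this library, so the right action is to suppress or re-target the finding rather than patch VorbisJava. Only "self" and "runtime-dep" verdicts need a fix in the library.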