CVE-2017-12626

| Field | Value |
|---|---|
| Name | CVE-2017-12626 |
| Description | Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| NVD severity | medium (attack range: remote) |
| Debian Bugs | 888651 |

Vulnerable and fixed packages

The table below lists information on source packages.

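| Source Package | Release | Version | Status |
|---|---|---|---|
| libapache-poi-java (PTS) | jessie | 3.10.1-2 | vulnerable |
| libapache-poi-java (PTS) | stretch | 3.10.1-3 | vulnerable |
| libapache-poi-java (PTS) | buster, sid | 3.12-1 | vulnerable |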

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libapache-poi-java | source | (unstable) | (unfixed) | medium | | 888651 |

Notes

[stretch] - libapache-poi-java <no-dsa> (Minor issue)
[jessie] - libapache-poi-java <no-dsa> (Minor issue)
[wheezy] - libapache-poi-java <no-dsa> (Minor issue)
https://bz.apache.org/bugzilla/show_bug.cgi?id=61338
https://bz.apache.org/bugzilla/show_bug.cgi?id=61294
https://bz.apache.org/bugzilla/show_bug.cgi?id=52372
https://bz.apache.org/bugzilla/show_bug.cgi?id=61295
