nissl-lab / npoi

a .NET library that can read/write Office formats without Microsoft Office installed. No COM+, no interop.
Apache License 2.0
5.71k stars 1.43k forks

Security issue!!! Update needed of SharpLibZip to 1.3.3 #741

Closed laurentkempe closed 2 years ago

laurentkempe commented 2 years ago

NPOI depends on SharpZipLib 1.3.2, which has the following security issue: CVE-2021-32840


So, an update to SharpZipLib 1.3.3 is needed!

tonyqus commented 2 years ago

As a workaround, you can directly update SharpZipLib to 1.3.3. The current NPOI release sets the SharpZipLib version to >1.3.2, not =1.3.2.

tonyqus commented 2 years ago

Looks like your company is using NPOI. Can you contribute your use case to #705?

Ryba1986 commented 2 years ago

NPOI depends on SharpZipLib 1.3.2, which has the following security issue: CVE-2021-32840


So, an update to SharpZipLib 1.3.3 is needed!

https://github.com/dotnet-outdated/dotnet-outdated

Try the command: dotnet outdated -u -t

victoralvessantos commented 2 years ago

I've done it as described, but when I try to generate an xlsx file it throws 500 - Internal server error. The most curious thing is that it happens only in Release. When running in debug, everything runs just fine.

tonyqus commented 2 years ago

@victoralvessantos Do you have the detailed call stack?

victoralvessantos commented 2 years ago

Yes, I do. Here it is:

NPOI.POIXMLException ---> System.IO.FileLoadException: Could not load file or assembly 'ICSharpCode.SharpZipLib, Version=1.3.2.10, Culture=neutral, PublicKeyToken=1b03e6acf1164f73' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
   at NPOI.OpenXml4Net.OPC.ZipPackage.GetPartsImpl()
   at NPOI.OpenXml4Net.OPC.OPCPackage.GetParts() in C:\github\npoi\openxml4Net\OPC\OPCPackage.cs:line 836
   at NPOI.OpenXml4Net.OPC.OPCPackage.GetPart(PackagePartName partName) in C:\github\npoi\openxml4Net\OPC\OPCPackage.cs:line 702
   at NPOI.OpenXml4Net.OPC.PackageRelationshipCollection..ctor(OPCPackage container, PackagePart part) in C:\github\npoi\openxml4Net\OPC\PackageRelationshipCollection.cs:line 157
   at NPOI.OpenXml4Net.OPC.PackagePart.LoadRelationships() in C:\github\npoi\openxml4Net\OPC\PackagePart.cs:line 615
   at NPOI.OpenXml4Net.OPC.Internal.PackagePropertiesPart..ctor(OPCPackage pack, PackagePartName partName) in C:\github\npoi\openxml4Net\OPC\Internal\PackagePropertiesPart.cs:line 65
   at NPOI.OpenXml4Net.OPC.OPCPackage.ConfigurePackage(OPCPackage pkg) in C:\github\npoi\openxml4Net\OPC\OPCPackage.cs:line 432
   at NPOI.OpenXml4Net.OPC.OPCPackage.Create(Stream output) in C:\github\npoi\openxml4Net\OPC\OPCPackage.cs:line 409
   at NPOI.XSSF.UserModel.XSSFWorkbook.newPackage(XSSFWorkbookType workbookType) in C:\github\npoi\ooxml\XSSF\UserModel\XSSFWorkbook.cs:line 484
   --- End of inner exception stack trace ---
   at NPOI.XSSF.UserModel.XSSFWorkbook.newPackage(XSSFWorkbookType workbookType) in C:\github\npoi\ooxml\XSSF\UserModel\XSSFWorkbook.cs:line 498
   at NPOI.XSSF.UserModel.XSSFWorkbook..ctor(XSSFWorkbookType workbookType) in C:\github\npoi\ooxml\XSSF\UserModel\XSSFWorkbook.cs:line 184
   ...

tonyqus commented 2 years ago

754

piksel commented 2 years ago

@victoralvessantos If you want to override the version used, you need to do a binding redirect, see redirect-assembly-versions and how-to-enable-and-disable-automatic-binding-redirection.

It's probably your release configuration that overrides this.

I should also clarify that CVE-2021-32840 only affects tar file extraction, which I hardly think NPOI touches.
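As an added startup check (not NPOI or SharpZipLib code) for the mismatch described above: on .NET Framework it logs the SharpZipLib version NPOI was compiled against next to the version actually loaded, and fails fast if the loaded one predates the 1.3.3 fix. It assumes the application references both the NPOI and SharpZipLib packages directly; the class and method names are mine.

```csharp
// Added example (not project code): verify that the SharpZipLib assembly the
// runtime actually loads is the patched one and matches what NPOI references.
// Call SharpZipLibCheck.Run() once at startup, before the first workbook is built.
using System;
using System.Linq;
using System.Reflection;

public static class SharpZipLibCheck
{
    // CVE-2021-32840 is fixed in SharpZipLib 1.3.3 (as stated in this issue).
    private static readonly Version MinimumSafe = new Version(1, 3, 3);

    public static void Run()
    {
        // Touching a type from the assembly forces it to load via the app's own
        // package reference (1.3.3 after the upgrade).
        Assembly loaded = typeof(ICSharpCode.SharpZipLib.Zip.ZipFile).Assembly;
        Version loadedVersion = loaded.GetName().Version;

        // The version recorded in NPOI's own assembly reference (1.3.2.10 in the
        // stack trace in this thread). Reading metadata does not load anything.
        AssemblyName npoiRef = typeof(NPOI.XSSF.UserModel.XSSFWorkbook).Assembly
            .GetReferencedAssemblies()
            .FirstOrDefault(a => a.Name == "ICSharpCode.SharpZipLib");

        Console.WriteLine($"Loaded SharpZipLib version: {loadedVersion}");
        Console.WriteLine($"Version referenced by NPOI: {npoiRef?.Version}");

        // Refuse to run with an unpatched library rather than discover it later.
        if (loadedVersion < MinimumSafe)
            throw new InvalidOperationException(
                $"SharpZipLib {loadedVersion} is older than {MinimumSafe}; " +
                "CVE-2021-32840 is not fixed in this build.");

        // A strong-named mismatch without a binding redirect is exactly what
        // produces the FileLoadException (HRESULT 0x80131040) seen in Release.
        if (npoiRef != null && npoiRef.Version != loadedVersion)
            Console.WriteLine(
                $"Warning: NPOI asks for {npoiRef.Version} but {loadedVersion} is loaded. " +
                "A binding redirect (or automatic binding redirects) is required.");
    }
}
```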

Sureshrcm09 commented 2 years ago

When will we get a fix?

tonyqus commented 2 years ago

This is not a commercial project; it's totally a weekend project. And I have a full-time job, which means I'm also busy. So please don't push me.

Russia's invasion of Ukraine during the last week also kept me from fixing NPOI bugs efficiently. I have to put in at least 2 hours of effort each day to collect intelligence/news from Kyiv. I used to work for a company called Selerant. I do know Selerant has a branch in Kyiv. That means someone I know is suffering from the war. Although I'm Chinese, I still love peace.

The planned release of NPOI 2.5.6 will happen in June 2022. (It used to be late April or May, but it's postponed due to Russia's invasion. You should blame Russia instead of me.)

Bykiev commented 2 years ago

This is not a commercial project; it's totally a weekend project. And I have a full-time job, which means I'm also busy. So please don't push me.

Russia's invasion of Ukraine during the last week also kept me from fixing NPOI bugs efficiently. I have to put in at least 2 hours of effort each day to collect intelligence/news from Kyiv. I used to work for a company called Selerant. I do know Selerant has a branch in Kyiv. That means someone I know is suffering from the war. Although I'm Chinese, I still love peace.

The planned release of NPOI 2.5.6 will happen in June 2022. (It used to be late April or May, but it's postponed due to Russia's invasion. You should blame Russia instead of me.)

GitHub is not a place for politics and flooding; please focus on this project.

tonyqus commented 2 years ago

Sorry, maybe different people have different opinions. I NEVER agree that GitHub is NOT a place for politics. I'm in one of the censorship countries, China (a country even worse than Russia, I believe). I see a lot of non-technical projects (about politics) which are maintained on GitHub. The most famous one is the zhao repo. This was the major reason GitHub got a DDoS attack from the Chinese government with the Great Cannon. Github.com is actually a 404 website in China. It has been banned by the Chinese government with the GFW for a few years.

For me, GitHub is a place to share information (not only code but also knowledge and opinions). It's actually social media for developers, from my view. You know what, Twitter and Facebook are seriously monitored by the Chinese police. It's dangerous to post politics-related information or even free opinions about the government on Twitter or Facebook. I can show you evidence if you want.

Politics is almost equivalent to life. You can never avoid it during your daily life. It doesn't matter what you are talking about, or whether it's about the government or a breaking event.

I know there are a lot of Russian developers using NPOI. That's why I don't wanna blame any of them or prevent them from using NPOI, because they are innocent. The invasion of Ukraine is the stupid decision of the government, not of them. I think I have kept the greatest calm on this event instead of adding some new feature like putting blue and yellow on each sheet to support Ukraine. Frankly speaking, I did think about this one month ago.

And please don't offend me these days, because Shanghai is still in lockdown. I have a lot of complaints about my stupid government. Thank you!

Last but not least, Slava Ukraini!

tonyqus commented 2 years ago

I'm thinking of updating the NPOI 2.5.5 package to reference SharpZipLib 1.3.3. But it looks like it's not possible to update an existing package. I'll create a new NPOI 2.5.6 package, which will only change the reference to SharpZipLib 1.3.3. The original 2.5.6 release is re-versioned to 2.6.0.


pranavpandey86 commented 2 years ago

Hi Owner, thanks for taking notice of this issue. Ours is a very small company, and our application was rejected recently by a very major company due to this issue. Can you please release 2.5.6 ASAP, or just let us know the timeline? It's just a request, nothing like I am trying to push here. Regards.


tonyqus commented 2 years ago

NPOI 2.5.6 is released today. Please help test if it works.