[ https://issues.apache.org/jira/browse/TIKA-3204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17201634#comment-17201634 ]
Tim Allison commented on TIKA-3204:
-----------------------------------

I just confirmed that 5.1.3 also has
{noformat}
ADOBE CONFIDENTIAL
__________________
Copyright 2011-2016 Adobe Systems Incorporated
All Rights Reserved.
NOTICE: All information contained herein is, and remains
the property of Adobe Systems Incorporated and its suppliers,
if any. The intellectual and technical concepts contained
herein are proprietary to Adobe Systems Incorporated and its
suppliers and may be covered by U.S. and Foreign Patents,
patents in process, and are protected by trade secret or copyright law.
Dissemination of this information or reproduction of this material
is strictly forbidden unless prior written permission is obtained
from Adobe Systems Incorporated.
{noformat}

5.1.2, the version that is vulnerable to XXE, does not have that license...

> License incompliance with xmp-core 6.1.10
> -----------------------------------------
>
>                 Key: TIKA-3204
>                 URL: https://issues.apache.org/jira/browse/TIKA-3204
>             Project: Tika
>          Issue Type: Improvement
>            Reporter: Christian Seipel
>            Priority: Major
>         Attachments: Screenshot from 2020-09-24 12-16-26.png
>
>
> Apache Tika 1.24.1 (and probably also older versions) has a dependency on
> xmp-core 6.1.10. Usage of this dependency is incompliant with its license,
> because distribution of xmp-core is strictly forbidden by Adobe unless you
> have written permission to do so.
>
> *\xmpcore-6.1.10.jar\META-INF\LICENSE*
> ADOBE CONFIDENTIAL
> __________________
> Copyright 2011-2016 Adobe Systems Incorporated
> All Rights Reserved.
> NOTICE: All information contained herein is, and remains
> the property of Adobe Systems Incorporated and its suppliers,
> if any. The intellectual and technical concepts contained
> herein are proprietary to Adobe Systems Incorporated and its
> suppliers and may be covered by U.S. and Foreign Patents,
> patents in process, and are protected by trade secret or copyright law.
> Dissemination of this information or reproduction of this material
> is strictly forbidden unless prior written permission is obtained
> from Adobe Systems Incorporated.
>
> *Here is how it comes into tika:*
>
> \tika-1.24.1-src.zip\tika-1.24.1\tika-xmp\pom.xml
> <dependency>
>   <groupId>org.tallison.xmp</groupId>
>   <artifactId>xmpcore-shaded</artifactId>
>   <version>6.1.10</version>
> </dependency>
>
> \xmpcore-shaded-6.1.10-sources.jar\META-INF\maven\org.tallison.xmp\xmpcore-shaded\pom.xml
> <dependency>
>   <groupId>com.adobe.xmp</groupId>
>   <artifactId>xmpcore</artifactId>
>   <version>6.1.10</version>
> </dependency>
>
> *In the header of the java files in the sources of xmp-core 6.1.10 is the
> following statement:*
>
> // =================================================================================================
> // ADOBE SYSTEMS INCORPORATED
> // Copyright 2006 Adobe Systems Incorporated
> // All Rights Reserved
> //
> // NOTICE: Adobe permits you to use, modify, and distribute this file in accordance with the terms
> // of the Adobe license agreement accompanying it.
> // =================================================================================================
>
> This statement in the header refers to the ADOBE CONFIDENTIAL license
> agreement shown above.
>
> There is a reference to a BSD license in mavenrepository.com, but when you
> follow this link, you get directed to a website where the BSD license is
> shown together with a link to the source code of xmp-core 5.1.3 only.
> [https://mvnrepository.com/artifact/com.adobe.xmp/xmpcore/6.1.10]
> [https://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)