Licensing problem with Adobe's xmp-core >= 5.1.2 #502

Closed
tballison opened this issue Sep 24, 2020 · 5 comments · Fixed by #514

@tballison
Contributor

Over on https://issues.apache.org/jira/browse/TIKA-3204, a user pointed out that versions of xmpcore >= 5.1.2 include

ADOBE CONFIDENTIAL
__________________

Copyright 2011-2016 Adobe Systems Incorporated
All Rights Reserved.

NOTICE: All information contained herein is, and remains
the property of Adobe Systems Incorporated and its suppliers,
if any. The intellectual and technical concepts contained
herein are proprietary to Adobe Systems Incorporated and its
suppliers and may be covered by U.S. and Foreign Patents,
patents in process, and are protected by trade secret or copyright law.
Dissemination of this information or reproduction of this material
is strictly forbidden unless prior written permission is obtained
from Adobe Systems Incorporated.

The problem is that 5.1.2 is vulnerable to an XXE and versions < 6.? are vulnerable to a DoS with too many entities as children of photoshop:DocumentAncestors.

The best solution would be for Adobe to release an update of their latest that fixes the licensing issue.

We've made some inquiries...but that'll probably take some time.

A crummy solution would be to fork 5.1.2, fix the XXE and DoS, but we'd be missing a bunch of improvements, and that'd change the namespace...

I don't have a solution, but I did want to notify you of this licensing problem.

As always, thank you so very much for metadata-extractor!!!

@drewnoakes
Owner

Hi @tballison, thanks for reaching out about this. From the discussion on the TIKA issue, there is some suggestion that perhaps https://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html applies and that the library is available under the terms of the BSD license. Do you know whether that is the case?

@tballison
Contributor Author

Sorry for my delay! It is available under BSD3, but our user correctly objected to the contradictory license that was included in the jar.

6.1.11 is now available, and the jar contains no license so the EULA applies without contradiction.

@tballison
Contributor Author

Somewhat oddly, 6.1.11 continues with the .internal. namespace, but this won't be a problem for you! Again, many thanks!

@drewnoakes
Owner

> 6.1.11 is now available

Fantastic. I've pushed an update. Thanks very much Tim.

@kwhopper
Collaborator

Has anyone found the Java source code for 6.1.11? If so, I could go over it and update the XmpCore dotnet project to (more or less) match.
