[xerces-j2/f19] Add patch for CVE-2013-4002, rhbz #1140031

Mat Booth mbooth at fedoraproject.org
Wed Sep 10 09:42:58 UTC 2014


commit e81953387eb12ceae2b667e557ccdd1bbb636ce6
Author: Mat Booth <mat.booth at redhat.com>
Date:   Wed Sep 10 10:12:33 2014 +0100

    Add patch for CVE-2013-4002, rhbz #1140031
    
    - Fix ownership of javadoc directory

 .gitignore                    |    6 ++++-
 xerces-j2-CVE-2013-4002.patch |   47 +++++++++++++++++++++++++++++++++++++++++
 xerces-j2.spec                |   17 +++++++++-----
 3 files changed, 63 insertions(+), 7 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 466352a..36e1cf7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
-Xerces-J-src.2.9.0.tar.gz
 /Xerces-J-src.2.11.0.tar.gz
+/xerces-2_11_0/
+/.project
+/.build-*.log
+/noarch/
+/*.src.rpm
diff --git a/xerces-j2-CVE-2013-4002.patch b/xerces-j2-CVE-2013-4002.patch
new file mode 100644
index 0000000..a2f5516
--- /dev/null
+++ b/xerces-j2-CVE-2013-4002.patch
@@ -0,0 +1,47 @@
+--- src/org/apache/xerces/impl/XMLScanner.java	2013/07/03 18:25:06	1499505
++++ src/org/apache/xerces/impl/XMLScanner.java	2013/07/03 18:29:43	1499506
+@@ -542,7 +542,7 @@
+         // document is until we scan the encoding declaration
+         // you cannot reliably read any characters outside
+         // of the ASCII range here. -- mrglavas
+-        String name = fEntityScanner.scanName();
++        String name = scanPseudoAttributeName();
+         XMLEntityManager.print(fEntityManager.getCurrentEntity());
+         if (name == null) {
+             reportFatalError("PseudoAttrNameExpected", null);
+@@ -599,6 +599,35 @@
+     } // scanPseudoAttribute(XMLString):String
+     
+     /**
++     * Scans the name of a pseudo attribute. The only legal names
++     * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
++     * 
++     * @return the name of the pseudo attribute or <code>null</code>
++     * if a legal pseudo attribute name could not be scanned.
++     */
++    private String scanPseudoAttributeName() throws IOException, XNIException {
++        final int ch = fEntityScanner.peekChar();
++        switch (ch) {
++            case 'v':
++                if (fEntityScanner.skipString(fVersionSymbol)) {
++                    return fVersionSymbol;
++                }
++                break;
++            case 'e':
++                if (fEntityScanner.skipString(fEncodingSymbol)) {
++                    return fEncodingSymbol;
++                }
++                break;
++            case 's':
++                if (fEntityScanner.skipString(fStandaloneSymbol)) {
++                    return fStandaloneSymbol;
++                }
++                break;
++        }
++        return null;
++    } // scanPseudoAttributeName()
++    
++    /**
+      * Scans a processing instruction.
+      * <p>
+      * <pre>
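Review bot: The new patch file carries no provenance of its own: the only record of where it came from (upstream r1499506) is a comment in xerces-j2.spec, so anyone auditing or refreshing xerces-j2-CVE-2013-4002.patch on its own cannot tell which upstream change it is meant to match. A short description block above the first `---` line would keep that with the patch, e.g. `Backport of upstream r1499506 for CVE-2013-4002 (rhbz #1140031)` followed by `http://svn.apache.org/viewvc?view=revision&revision=1499506`. Within the backported Java, the `switch (ch)` in scanPseudoAttributeName has no `default:` arm; a one-line `default: break; // not a legal pseudo-attribute name, caller reports PseudoAttrNameExpected` would make the fall-through to `return null` explicit for readers. The first inner hunk is mid-method: scanPseudoAttribute starts and ends outside it.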
diff --git a/xerces-j2.spec b/xerces-j2.spec
index bc61b84..09a5992 100644
--- a/xerces-j2.spec
+++ b/xerces-j2.spec
@@ -4,7 +4,7 @@
 
 Name:          xerces-j2
 Version:       2.11.0
-Release:       14%{?dist}
+Release:       15%{?dist}
 Summary:       Java XML parser
 Group:         Development/Libraries
 License:       ASL 2.0
@@ -31,6 +31,10 @@ Patch0:        %{name}-build.patch
 # Patch the manifest so that it includes OSGi stuff
 Patch1:        %{name}-manifest.patch
 
+# Backported fix from upstream http://svn.apache.org/viewvc?view=revision&revision=1499506
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1140031
+Patch2:        xerces-j2-CVE-2013-4002.patch
+
 BuildArch:     noarch
 
 BuildRequires: java-devel >= 1:1.6.0
@@ -113,6 +117,7 @@ Requires:       %{name} = %{version}-%{release}
 %setup -q -n xerces-%{cvs_version}
 %patch0 -p0 -b .orig
 %patch1 -p0 -b .orig
+%patch2 -p0 -b .orig
 
 # Copy the custom ant tasks into place
 mkdir -p tools/org/apache/xerces/util
@@ -206,16 +211,16 @@ update-alternatives --install %{_javadir}/jaxp_parser_impl.jar \
 %ghost %{_javadir}/jaxp_parser_impl.jar
 
 %files javadoc
-%{_javadocdir}/%{name}/impl
-%{_javadocdir}/%{name}/xs
-%{_javadocdir}/%{name}/xni
-%{_javadocdir}/%{name}/other
+%{_javadocdir}/%{name}
 
 %files demo
-%defattr(-,root,root,-)
 %{_datadir}/%{name}
 
 %changelog
+* Wed Sep 10 2014 Mat Booth <mat.booth at redhat.com> - 2.11.0-15
+- Add patch for CVE-2013-4002, rhbz #1140031
+- Fix ownership of javadoc directory
+
 * Mon May 20 2013 Krzysztof Daniel <kdaniel at redhat.com> 2.11.0-13
 - Add reexoport to javax.xml.
 
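Review bot: The new changelog entry for 2.11.0-15 sits directly above the 2.11.0-13 entry, while the same spec moves Release from 14 to 15, so the -14 build has no changelog record at all. Since this release ships a security backport, an auditable sequence of releases matters; consider adding the missing `* ... - 2.11.0-14` entry from the package's history (or a one-line placeholder noting it was an unlogged rebuild, if that is what it was) so Release numbering and %changelog agree.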

