msrb pushed to batik (f21). "Disable external xml entities (..more)"
Thu May 21 10:19:40 UTC 2015
From 0f6a99b182f7e6b3d1d3982face9f55e5a1d32ec Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb at redhat.com>
Date: Thu, 21 May 2015 12:06:56 +0200
Subject: Disable external xml entities
- Resolves: CVE-2015-0250
diff --git a/batik-CVE-2015-0250.patch b/batik-CVE-2015-0250.patch
new file mode 100644
index 0000000..b198890
--- /dev/null
+++ b/batik-CVE-2015-0250.patch
@@ -0,0 +1,54 @@
+--- xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java 2015/03/05 12:42:03 1664334
++++ xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java 2015/03/05 12:53:44 1664335
+@@ -30,26 +30,26 @@
+ import javax.xml.parsers.SAXParser;
+ import javax.xml.parsers.SAXParserFactory;
+
+-import org.apache.batik.util.HaltingThread;
+-import org.apache.batik.util.XMLConstants;
+-
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Element;
++import org.w3c.dom.Node;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.ErrorHandler;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.Locator;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.SAXNotRecognizedException;
++import org.xml.sax.SAXNotSupportedException;
+ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.LexicalHandler;
+ import org.xml.sax.helpers.DefaultHandler;
+ import org.xml.sax.helpers.XMLReaderFactory;
+
+-import org.w3c.dom.DOMImplementation;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.DocumentType;
+-import org.w3c.dom.Element;
+-import org.w3c.dom.Node;
++import org.apache.batik.util.HaltingThread;
++import org.apache.batik.util.XMLConstants;
+
+ /**
+ * This class contains methods for creating Document instances
+@@ -399,6 +399,16 @@
+ static SAXParserFactory saxFactory;
+ static {
+ saxFactory = SAXParserFactory.newInstance();
++ try {
++ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (SAXNotRecognizedException e) {
++ e.printStackTrace();
++ } catch (SAXNotSupportedException e) {
++ e.printStackTrace();
++ } catch (ParserConfigurationException e) {
++ e.printStackTrace();
++ }
+ }
+
+ /**
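Review bot: The three catch blocks in the new static initializer fail open: when a feature cannot be set, `e.printStackTrace()` runs and `saxFactory` keeps producing parsers that still resolve external entities, so the CVE-2015-0250 mitigation silently disappears on any parser that rejects these features. For a security fix this should fail closed, e.g. each catch body becomes `throw new ExceptionInInitializerError(e);` (or at minimum records the failure where callers can check it) instead of printing and continuing. The first hunk shows this file also imports `XMLReader` and `XMLReaderFactory`; if readers are created through `XMLReaderFactory.createXMLReader(...)` anywhere outside this hunk, those readers do not inherit `saxFactory`'s features and need the same two `setFeature` calls, which should be confirmed against the rest of the file. Disabling these two entity features also does not by itself stop the parser from fetching an external DTD subset named in a DOCTYPE (Xerces' `http://apache.org/xml/features/nonvalidating/load-external-dtd` governs that); whether that matters here depends on the entity resolver the factory installs, which is outside the hunk. The import reshuffle in the first hunk is unrelated to the fix, only the added `SAXNotSupportedException` import is needed, and dropping the reorder would keep the backport minimal.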
diff --git a/batik.spec b/batik.spec
index 6e28fca..7bd3e71 100644
--- a/batik.spec
+++ b/batik.spec
@@ -1,6 +1,6 @@
Name: batik
Version: 1.8
-Release: 0.17.svn1230816%{?dist}
+Release: 0.18.svn1230816%{?dist}
Summary: Scalable Vector Graphics for Java
License: ASL 2.0 and W3C
URL: http://xml.apache.org/batik/
@@ -36,6 +36,7 @@ Patch2: %{name}-script-remove-js.patch
# also make maxmem a bit higher. we seem to need more...
# https://issues.apache.org/jira/browse/BATIK-1065
Patch3: %{name}-javadoc-task-failonerror-and-oom.patch
+Patch4: %{name}-CVE-2015-0250.patch
BuildArch: noarch
@@ -168,6 +169,7 @@ done
%patch2
%patch3
+%patch4 -p3
%build
export CLASSPATH=$(build-classpath xml-commons-apis xml-commons-apis-ext js rhino xalan-j2 xalan-j2-serializer xerces-j2)
@@ -324,6 +326,10 @@ chmod +x $RPM_BUILD_ROOT%{_datadir}/%{name}/contrib/charts/convert.sh
%changelog
+* Thu May 21 2015 Michal Srb <msrb at redhat.com> - 1.8-0.18.svn1230816
+- Disable external xml entities
+- Resolves: CVE-2015-0250
+
* Mon Jan 12 2015 Alexander Kurtakov <akurtako at redhat.com> 1.8-0.17.svn1230816
- Add obsoletes in batik-css to ease updates.
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/batik.git/commit/?h=f21&id=0f6a99b182f7e6b3d1d3982face9f55e5a1d32ec