msrb pushed to batik (f20). "Disable external xml entities (..more)"
Thu May 21 10:29:56 UTC 2015
From a54c46e0fd62aa8d82c3fe1f2292492f3898db5b Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb at redhat.com>
Date: Thu, 21 May 2015 12:06:56 +0200
Subject: Disable external xml entities
- Resolves: CVE-2015-0250
diff --git a/batik-CVE-2015-0250.patch b/batik-CVE-2015-0250.patch
new file mode 100644
index 0000000..b198890
--- /dev/null
+++ b/batik-CVE-2015-0250.patch
@@ -0,0 +1,54 @@
+--- xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java 2015/03/05 12:42:03 1664334
++++ xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java 2015/03/05 12:53:44 1664335
+@@ -30,26 +30,26 @@
+ import javax.xml.parsers.SAXParser;
+ import javax.xml.parsers.SAXParserFactory;
+
+-import org.apache.batik.util.HaltingThread;
+-import org.apache.batik.util.XMLConstants;
+-
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Element;
++import org.w3c.dom.Node;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.ErrorHandler;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.Locator;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.SAXNotRecognizedException;
++import org.xml.sax.SAXNotSupportedException;
+ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.LexicalHandler;
+ import org.xml.sax.helpers.DefaultHandler;
+ import org.xml.sax.helpers.XMLReaderFactory;
+
+-import org.w3c.dom.DOMImplementation;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.DocumentType;
+-import org.w3c.dom.Element;
+-import org.w3c.dom.Node;
++import org.apache.batik.util.HaltingThread;
++import org.apache.batik.util.XMLConstants;
+
+ /**
+ * This class contains methods for creating Document instances
+@@ -399,6 +399,16 @@
+ static SAXParserFactory saxFactory;
+ static {
+ saxFactory = SAXParserFactory.newInstance();
++ try {
++ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (SAXNotRecognizedException e) {
++ e.printStackTrace();
++ } catch (SAXNotSupportedException e) {
++ e.printStackTrace();
++ } catch (ParserConfigurationException e) {
++ e.printStackTrace();
++ }
+ }
+
+ /**
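Review bot: The three catch blocks in the added static initializer only call `e.printStackTrace()`, so if the underlying SAX implementation rejects either feature the initializer completes normally and `saxFactory` keeps handing out parsers with external entities enabled — the state this patch exists to prevent — with nothing but a stderr trace to show for it. Failing loudly is safer here: replace each `e.printStackTrace();` with `throw new ExceptionInInitializerError(e);` (or one multi-catch if the project's Java level allows it), and add a comment above the try, `// External entity resolution must be off (CVE-2015-0250); a parser that cannot guarantee this is unusable.` `ParserConfigurationException` is caught but no import for it appears in the import hunk, which starts at line 30 of SAXDocumentFactory.java; presumably it is imported above that point, but worth confirming since the import section is only partly visible. `XMLReaderFactory` stays imported after the reordering, which suggests a second parser-construction path that a factory-level feature would not cover; if such a path exists it should apply the same settings. The static block and the enclosing class continue beyond this hunk.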
diff --git a/batik.spec b/batik.spec
index 2ad5da7..992c64c 100644
--- a/batik.spec
+++ b/batik.spec
@@ -1,6 +1,6 @@
Name: batik
Version: 1.8
-Release: 0.11.svn1230816%{?dist}
+Release: 0.12.svn1230816%{?dist}
Summary: Scalable Vector Graphics for Java
License: ASL 2.0 and W3C
URL: http://xml.apache.org/batik/
@@ -43,6 +43,7 @@ Patch3: %{name}-1.6-nosmilInDOMSVGManifest.patch
# also make maxmem a bit higher. we seem to need more...
# https://issues.apache.org/jira/browse/BATIK-1065
Patch4: %{name}-javadoc-task-failonerror-and-oom.patch
+Patch5: %{name}-CVE-2015-0250.patch
BuildArch: noarch
@@ -169,6 +170,7 @@ done
%patch2
%patch4
+%patch5 -p3
%build
export CLASSPATH=$(build-classpath xml-commons-apis xml-commons-apis-ext js rhino xalan-j2 xalan-j2-serializer xerces-j2)
@@ -323,6 +325,10 @@ chmod +x $RPM_BUILD_ROOT%{_datadir}/%{name}/contrib/charts/convert.sh
%changelog
+* Thu May 21 2015 Michal Srb <msrb at redhat.com> - 1.8-0.12.svn1230816
+- Disable external xml entities
+- Resolves: CVE-2015-0250
+
* Thu Jan 16 2014 Stanislav Ochotnicky <sochotnicky at redhat.com> - 1.8-0.11.svn1230816
- Fix classpath for slideshow script
- Change javadoc task maxmem to 512MB to avoid OOM
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/batik.git/commit/?h=f20&id=a54c46e0fd62aa8d82c3fe1f2292492f3898db5b