Accepting request 903069 from home:pmonrealgonzalez:branches:Java:packages

- Security fix: [bsc#1187446, CVE-2021-33813] * XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request - Add jdom2-CVE-2021-33813.patch OBS-URL: https://build.opensuse.org/request/show/903069 OBS-URL: https://build.opensuse.org/package/show/Java:packages/jdom2?expand=0&rev=10
2021-06-29 12:04:06 +00:00 · 2021-06-29 12:04:06 +00:00 · 87c7195bc7
commit 87c7195bc7
parent 777f4746ec
3 changed files with 83 additions and 4 deletions
--- a/jdom2-CVE-2021-33813.patch
+++ b/jdom2-CVE-2021-33813.patch
@ -0,0 +1,69 @@
+From bd3ab78370098491911d7fe9d7a43b97144a234e Mon Sep 17 00:00:00 2001
+From: Esti <esther.burs@gmail.com>
+Date: Thu, 18 Feb 2021 16:40:01 +0200
+Subject: [PATCH] fix setFeature bug and add test case
+
+---
+ core/src/java/org/jdom2/input/SAXBuilder.java | 10 ++++------
+ .../test/cases/input/TestSAXBuilder.java      | 20 +++++++++++++++++++
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
+index d7105ec6..a1462334 100644
+--- a/core/src/java/org/jdom2/input/SAXBuilder.java
+++ b/core/src/java/org/jdom2/input/SAXBuilder.java
+@@ -971,11 +971,6 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ 			}
+ 		}
+ 
+-		// Set any user-specified features on the parser.
+-		for (final Map.Entry<String, Boolean> me : features.entrySet()) {
+-			internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
+-		}
+-
+ 		// Set any user-specified properties on the parser.
+ 		for (final Map.Entry<String, Object> me : properties.entrySet()) {
+ 			internalSetProperty(parser, me.getKey(), me.getValue(), me.getKey());
+@@ -1007,7 +1002,10 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ 				// No lexical reporting available
+ 			}
+ 		}
+-
+		// Set any user-specified features on the parser.
+		for (final Map.Entry<String, Boolean> me : features.entrySet()) {
+			internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
+		}
+ 	}
+ 
+ 	/**
+diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+index 4ef34834..a69380ba 100644
+--- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+@@ -600,6 +600,26 @@ public void testSetFeature() {
+ 		}
+ 	}
+ 
+	@Test
+	public void testSetExternalFeature() {
+		String feature = "http://xml.org/sax/features/external-general-entities";
+		MySAXBuilder sb = new MySAXBuilder();
+		try {
+			sb.setFeature(feature, true);
+			XMLReader reader = sb.createParser();
+			assertNotNull(reader);
+			assertTrue(reader.getFeature(feature));
+			sb.setFeature(feature, false);
+			reader = sb.createParser();
+			assertNotNull(reader);
+			assertFalse(reader.getFeature(feature));
+
+		} catch (Exception e) {
+			e.printStackTrace();
+			fail("Could not create parser: " + e.getMessage());
+		}
+	}
+
+ 	@Test
+ 	public void testSetProperty() {
+ 		LexicalHandler lh = new LexicalHandler() {
--- a/jdom2.changes
+++ b/jdom2.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jun 17 09:17:40 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1187446, CVE-2021-33813]
+  * XXE issue in SAXBuilder can cause a denial of service via
+    a crafted HTTP request
+- Add jdom2-CVE-2021-33813.patch
+
 -------------------------------------------------------------------
 Tue Oct  1 12:07:53 UTC 2019 - Fridrich Strba <fstrba@suse.com>

--- a/jdom2.spec
+++ b/jdom2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package jdom2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -31,6 +31,8 @@ Source2:        jdom-junit-template.pom
 # Disable gpg signatures
 # Process contrib and junit pom files
 Patch0:         0001-Adapt-build.patch
+# PATCH-FIX-UPSTREAM bsc#1187446 CVE-2021-33813 Fix XXE issue in SAXBuilder
+Patch1:         jdom2-CVE-2021-33813.patch
 BuildRequires:  ant
 BuildRequires:  ant-junit
 BuildRequires:  fdupes
@ -65,6 +67,7 @@ find -name '*.jar' -delete
 find -name '*.class' -delete

 %patch0 -p1
+%patch1 -p1

 cp -p %{SOURCE1} maven/contrib.pom
 cp -p %{SOURCE2} maven/junit.pom
@ -74,11 +77,10 @@ sed -i 's/\r//' LICENSE.txt README.txt
 # Unable to run coverage: use log4j12 but switch to log4j 2.x
 sed -i.coverage "s|coverage, jars|jars|" build.xml

+%build
 mkdir lib
 build-jar-repository lib xerces-j2 xml-commons-apis jaxen junit isorelax xalan-j2 xalan-j2-serializer
-
-%build
-ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 -Dj2se.apidoc=%{_javadocdir}/java maven
+%ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 -Dj2se.apidoc=%{_javadocdir}/java maven

 %install
 # jar