From 87c7195bc79da867ccfc439277229acd808acb03b6d37228f9805cf818c0b0b3 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Tue, 29 Jun 2021 12:04:06 +0000
Subject: [PATCH] Accepting request 903069 from home:pmonrealgonzalez:branches:Java:packages
- Security fix: [bsc#1187446, CVE-2021-33813]
* XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request
- Add jdom2-CVE-2021-33813.patch
OBS-URL: https://build.opensuse.org/request/show/903069
OBS-URL: https://build.opensuse.org/package/show/Java:packages/jdom2?expand=0&rev=10
---
 jdom2-CVE-2021-33813.patch | 69 ++++++++++++++++++++++++++++++++++++++
 jdom2.changes | 8 +++++
 jdom2.spec | 10 +++---
 3 files changed, 83 insertions(+), 4 deletions(-)
 create mode 100644 jdom2-CVE-2021-33813.patch
diff --git a/jdom2-CVE-2021-33813.patch b/jdom2-CVE-2021-33813.patch
new file mode 100644
index 0000000..07a884f
--- /dev/null
+++ b/jdom2-CVE-2021-33813.patch
@@ -0,0 +1,69 @@
+From bd3ab78370098491911d7fe9d7a43b97144a234e Mon Sep 17 00:00:00 2001
+From: Esti
+Date: Thu, 18 Feb 2021 16:40:01 +0200
+Subject: [PATCH] fix setFeature bug and add test case
+
+---
+ core/src/java/org/jdom2/input/SAXBuilder.java | 10 ++++------
+ .../test/cases/input/TestSAXBuilder.java | 20 +++++++++++++++++++
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
+index d7105ec6..a1462334 100644
+--- a/core/src/java/org/jdom2/input/SAXBuilder.java
++++ b/core/src/java/org/jdom2/input/SAXBuilder.java
+@@ -971,11 +971,6 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ }
+ }
+
+- // Set any user-specified features on the parser.
+- for (final Map.Entry me : features.entrySet()) {
+- internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
+- }
+-
+ // Set any user-specified properties on the parser.
+ for (final Map.Entry me : properties.entrySet()) {
+ internalSetProperty(parser, me.getKey(), me.getValue(), me.getKey());
+@@ -1007,7 +1002,10 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ // No lexical reporting available
+ }
+ }
+-
++ // Set any user-specified features on the parser.
++ for (final Map.Entry me : features.entrySet()) {
++ internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
++ }
+ }
+
+ /**
+diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+index 4ef34834..a69380ba 100644
+--- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
++++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+@@ -600,6 +600,26 @@ public void testSetFeature() {
+ }
+ }
+
++ @Test
++ public void testSetExternalFeature() {
++ String feature = "http://xml.org/sax/features/external-general-entities";
++ MySAXBuilder sb = new MySAXBuilder();
++ try {
++ sb.setFeature(feature, true);
++ XMLReader reader = sb.createParser();
++ assertNotNull(reader);
++ assertTrue(reader.getFeature(feature));
++ sb.setFeature(feature, false);
++ reader = sb.createParser();
++ assertNotNull(reader);
++ assertFalse(reader.getFeature(feature));
++
++ } catch (Exception e) {
++ e.printStackTrace();
++ fail("Could not create parser: " + e.getMessage());
++ }
++ }
++
+ @Test
+ public void testSetProperty() {
+ LexicalHandler lh = new LexicalHandler() {
diff --git a/jdom2.changes b/jdom2.changes
index 32b0818..b9f8dde 100644
--- a/jdom2.changes
+++ b/jdom2.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jun 17 09:17:40 UTC 2021 - Pedro Monreal
+
+- Security fix: [bsc#1187446, CVE-2021-33813]
+ * XXE issue in SAXBuilder can cause a denial of service via
+ a crafted HTTP request
+- Add jdom2-CVE-2021-33813.patch
+
 -------------------------------------------------------------------
 Tue Oct 1 12:07:53 UTC 2019 - Fridrich Strba
diff --git a/jdom2.spec b/jdom2.spec
index a696419..18c6119 100644
--- a/jdom2.spec
+++ b/jdom2.spec
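Review bot: The regression test added in the embedded patch, `testSetExternalFeature`, only asserts that the value passed to `setFeature` survives `createParser()`; it never parses a document, so it does not pin the behaviour the CVE is about — that an external general entity stays unresolved once the feature is set to false. A parse-level assertion on a small fixture with the feature disabled would make the backport self-verifying during the package build, which already pulls in `ant-junit`. Separately, the moved loop reads `for (final Map.Entry me : features.entrySet())` with no type arguments, so `me.getValue().booleanValue()` would not compile against a raw entry; this is presumably `Map.Entry<String, Boolean>` lost in rendering, but it is worth confirming in the committed patch file before `%patch1 -p1` depends on it. `configureParser` itself starts and ends outside both nested hunks.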
@@ -1,7 +1,7 @@
 #
 # spec file for package jdom2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,6 +31,8 @@ Source2: jdom-junit-template.pom
 # Disable gpg signatures
 # Process contrib and junit pom files
 Patch0: 0001-Adapt-build.patch
+# PATCH-FIX-UPSTREAM bsc#1187446 CVE-2021-33813 Fix XXE issue in SAXBuilder
+Patch1: jdom2-CVE-2021-33813.patch
 BuildRequires: ant
 BuildRequires: ant-junit
 BuildRequires: fdupes
@@ -65,6 +67,7 @@ find -name '*.jar' -delete
 find -name '*.class' -delete
 %patch0 -p1
+%patch1 -p1
 cp -p %{SOURCE1} maven/contrib.pom
 cp -p %{SOURCE2} maven/junit.pom
@@ -74,11 +77,10 @@ sed -i 's/\r//' LICENSE.txt README.txt
 # Unable to run coverage: use log4j12 but switch to log4j 2.x
 sed -i.coverage "s|coverage, jars|jars|" build.xml
+%build
 mkdir lib
 build-jar-repository lib xerces-j2 xml-commons-apis jaxen junit isorelax xalan-j2 xalan-j2-serializer
-
-%build
-ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 -Dj2se.apidoc=%{_javadocdir}/java maven
+%ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 -Dj2se.apidoc=%{_javadocdir}/java maven
 %install
 # jar