Accepting request 18073 from Java:packages

Copy from Java:packages/xerces-j2 based on submit request 18073 from user mvyskocil OBS-URL: https://build.opensuse.org/request/show/18073 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xerces-j2?expand=0&rev=13
2009-09-02 16:28:13 +00:00 · 2009-09-02 16:28:13 +00:00 · dd5abfa536
commit dd5abfa536
parent 8dc2e9e0c9
5 changed files with 70 additions and 101 deletions
--- a/xerces-j2-bootstrap.changes
+++ b/xerces-j2-bootstrap.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Aug 17 11:46:39 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#530717: VUL-0: xerces-j2: XML parsing vulnerability
+
 -------------------------------------------------------------------
 Mon Jan 28 16:59:12 CET 2008 - ro@suse.de

--- a/xerces-j2-bootstrap.spec
+++ b/xerces-j2-bootstrap.spec
@ -1,7 +1,7 @@
 #
 # spec file for package xerces-j2-bootstrap (Version 2.8.1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -34,16 +34,19 @@ BuildRequires:  update-alternatives
 Summary:        Java XML parser
 Group:          Development/Libraries/Java
 Version:        2.8.1
-Release:        238
+Release:        239
 Requires:       xml-commons-which-bootstrap
 Requires:       xml-commons-apis-bootstrap
 Requires:       xml-commons-resolver-bootstrap
-License:        The Apache Software License
+License:        Apache Software License ..
 Group:          Development/Libraries/Java
 AutoReqProv:    on
 Source0:        Xerces-J-src.%{version}.tar.bz2
 Patch0:         xerces-j2-gcj-switch-constants-bug.patch
 Patch1:         xerces-build.patch
+#PATCH-FIX-UPSTREAM bnc#530717
+#http://svn.apache.org/viewvc?view=rev&revision=787352
+Patch3:         xerces-j2-parsing.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #BuildArchitectures: noarch
 #ExclusiveArch: %ix86
@ -78,6 +81,7 @@ Implementation page.
 %setup -n xerces-%{xerces_version_cvs}
 %patch0
 %patch1
+%patch3 -p1 -b .parsing
 #<<<
 #>>> %build 

@ -87,6 +91,7 @@ Implementation page.
 TARGET_DIR=`pwd`
 CLASSPATH_ORIG="$CLASSPATH"
 LIB_GCJ="`ls %{_javadir}/libgcj-*.jar`"
+export GC_MAXIMUM_HEAP_SIZE="134217728"
 #>>> delete binary file and files not needed
 function delBinaryFiles() {
  set +x
@ -177,16 +182,3 @@ rm -rf $RPM_BUILD_ROOT
 # vim:fdm=marker:foldmarker=#>>>,#<<<:foldcolumn=6:

 %changelog
-* Mon Jan 28 2008 ro@suse.de
- explicitly buildreq antlr-bootstrap
-* Thu Jan 24 2008 skh@suse.de
- fix build with gcj
-* Wed May 02 2007 dbornkessel@suse.de
- added unzip to BuildRequires
-* Wed Nov 15 2006 dbornkessel@suse.de
- Changed
-  PreReq: /usr/sbin/update-alternatives
-  to
-  PreReq: update-alternatives
-* Fri Sep 22 2006 dbornkessel@suse.de
- first version
--- a/xerces-j2-parsing.patch
+++ b/xerces-j2-parsing.patch
@ -0,0 +1,19 @@
+Index: xerces-2_8_1/src/org/apache/xerces/impl/XMLScanner.java
+===================================================================
+--- xerces-2_8_1.orig/src/org/apache/xerces/impl/XMLScanner.java	2006-09-14 03:23:36.000000000 +0200
+++ xerces-2_8_1/src/org/apache/xerces/impl/XMLScanner.java	2009-08-17 12:02:22.811296491 +0200
+@@ -1026,6 +1026,14 @@
+                     if (XMLChar.isMarkup(c) || c == ']') {
+                         fStringBuffer.append((char)fEntityScanner.scanChar());
+                     }
+                    else if (XMLChar.isHighSurrogate(c)) {
+                        scanSurrogates(fStringBuffer);
+                    }
+                    else if (isInvalidLiteral(c)) {
+                        reportFatalError("InvalidCharInSystemID",
+                                new Object[] { Integer.toHexString(c) }); 
+                        fEntityScanner.scanChar();
+                    }
+                 } while (fEntityScanner.scanLiteral(quote, ident) != quote);
+                 fStringBuffer.append(ident);
+                 ident = fStringBuffer;
--- a/xerces-j2.changes
+++ b/xerces-j2.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Aug 17 11:44:46 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#530717: VUL-0: xerces-j2: XML parsing vulnerability
+- Removed non used patch xerces-build.patch
+- Fixed some rpmlint warnings and errors
+- Removed javadoc postinstall scripts
+- Removed %%release from subpackages requires
+
 -------------------------------------------------------------------
 Wed Nov 12 12:22:20 CET 2008 - mvyskocil@suse.cz

--- a/xerces-j2.spec
+++ b/xerces-j2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package xerces-j2 (Version 2.8.1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -26,18 +26,20 @@ BuildRequires:  java-1_5_0-gcj-compat-devel jpackage-utils unzip
 %define release		3jpp
 %define section		free
 Version:        2.8.1
-Release:        198
+Release:        199
 Summary:        Java XML parser
-License:        The Apache Software License
+License:        Apache Software License ..
 Url:            http://xml.apache.org/xerces2-j/
 Group:          Development/Libraries/Java
 Source0:        Xerces-J-src.%{version}.tar.bz2
 Source1:        %{name}-version.sh
 Source2:        %{name}-constants.sh
 Source3:        Xerces-J-tools.%{version}.tar.bz2
-Patch0:         %{name}-build.patch
 Patch1:         java150_build.patch
 Patch2:         %{name}-%{version}_new_unsupported_dom_methods.patch
+#PATCH-FIX-UPSTREAM bnc#530717
+#http://svn.apache.org/viewvc?view=rev&revision=787352
+Patch3:         xerces-j2-parsing.patch
 Provides:       jaxp_parser_impl
 PreReq:         update-alternatives /bin/ln
 # some build requirements removed to enable jpackage bootstrap. this is
@ -69,7 +71,7 @@ Implementation page.


 %package        javadoc-impl
-License:        The Apache Software License
+License:        Apache Software License ..
 Summary:        Javadoc for xerces-j2 implementation
 Group:          Development/Libraries/Java
 PreReq:         coreutils
@ -100,7 +102,7 @@ implementation.


 %package        javadoc-apis
-License:        The Apache Software License
+License:        Apache Software License ..
 Summary:        Javadoc for xerces-j2 apis
 Group:          Development/Libraries/Java
 PreReq:         coreutils
@ -130,8 +132,8 @@ This package contains the javadoc documentation for the Xerces2 APIs.


 %package        javadoc-dom3
-License:        The Apache Software License
-Summary:        Javadoc for xerces-j2 DOM3.
+License:        Apache Software License ..
+Summary:        Javadoc for xerces-j2 DOM3
 Group:          Development/Libraries/Java
 PreReq:         coreutils

@ -160,8 +162,8 @@ This package contains the javadoc documentation for Xerces2 DOM3.


 %package        javadoc-xni
-License:        The Apache Software License
-Summary:        Javadoc for xerces-j2 XNI.
+License:        Apache Software License ..
+Summary:        Javadoc for xerces-j2 XNI
 Group:          Development/Libraries/Java
 PreReq:         coreutils

@ -190,8 +192,8 @@ This package contains the javadoc documentation for Xerces2 XNI.


 %package        javadoc-other
-License:        The Apache Software License
-Summary:        Javadoc for other xerces-j2 components.
+License:        Apache Software License ..
+Summary:        Javadoc for other xerces-j2 components
 Group:          Development/Libraries/Java
 PreReq:         coreutils

@ -221,10 +223,10 @@ Xerces2.


 %package        demo
-License:        The Apache Software License
-Summary:        Demonstration and sample files for xerces-j2.
+License:        Apache Software License ..
+Summary:        Demonstration and sample files for xerces-j2
 Group:          Development/Libraries/Java
-Requires:       %{name} = %{version}-%{release}
+Requires:       %{name} = %{version}

 %description    demo
 Welcome to the future! Xerces2 is the next generation of high
@ -251,10 +253,10 @@ This package contains demonstration and sample files for Xerces2.


 %package        scripts
-License:        The Apache Software License
-Summary:        Additional utility scripts for xerces-j2.
+License:        Apache Software License ..
+Summary:        Additional utility scripts for xerces-j2
 Group:          Development/Libraries/Java
-Requires:       %{name} = %{version}-%{release}
+Requires:       %{name} = %{version}
 Requires:       jpackage-utils >= 1.5

 %description    scripts
@ -282,7 +284,7 @@ This package contains additional utility scripts for Xerces2.


 %package        xml-resolver
-License:        The Apache Software License
+License:        Apache Software License ..
 Summary:        Resolver subproject of xml-commons
 Group:          Development/Libraries/Java
 Requires:       jpackage-utils >= 1.5
@ -300,7 +302,7 @@ This package contains the resolver subproject of xml-commons.


 %package        xml-apis
-License:        The Apache Software License
+License:        Apache Software License ..
 Summary:        APIs subproject of xml-commons
 Group:          Development/Libraries/Java
 Requires:       jpackage-utils >= 1.5
@ -325,19 +327,19 @@ This package contains the APIs subproject of xml-commons.
 %setup -q -n xerces-%{cvs_version}
 %setup -q -T -a 3 -D -n xerces-%{cvs_version}
 %setup -T -D -n xerces-%{cvs_version}
-#%patch0 -p1 -b .build
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1 -b .parsing

 %build
 ## this uses the ant.jar provided by the xerces packages. Tough luck,
 # jpackage bootstrap has to start somewhere. It is not installed,
 # though.
+export GC_MAXIMUM_HEAP_SIZE="134217728"
 sh build.sh jars
 sh build.sh javadocs

 %install
-rm -rf $RPM_BUILD_ROOT
 # jars
 mkdir -p $RPM_BUILD_ROOT%{_javadir}
 cp -p build/xercesImpl.jar $RPM_BUILD_ROOT%{_javadir}/%{name}-%{version}.jar
@ -388,26 +390,6 @@ ln -s %{_sysconfdir}/alternatives \
 %clean
 rm -rf $RPM_BUILD_ROOT

-%post javadoc-apis
-rm -f %{_javadocdir}/%{name}-apis
-ln -s %{name}-apis-%{version} %{_javadocdir}/%{name}-apis
-
-%post javadoc-dom3
-rm -f %{_javadocdir}/%{name}-dom3
-ln -s %{name}-dom3-%{version} %{_javadocdir}/%{name}-dom3
-
-%post javadoc-impl
-rm -f %{_javadocdir}/%{name}-impl
-ln -s %{name}-impl-%{version} %{_javadocdir}/%{name}-impl
-
-%post javadoc-other
-rm -f %{_javadocdir}/%{name}-other
-ln -s %{name}-other-%{version} %{_javadocdir}/%{name}-other
-
-%post javadoc-xni
-rm -f %{_javadocdir}/%{name}-xni
-ln -s %{name}-xni-%{version} %{_javadocdir}/%{name}-xni
-
 %post
 /usr/sbin/update-alternatives --install %{_javadir}/jaxp_parser_impl.jar jaxp_parser_impl  %{_javadir}/%{name}.jar 23
 /usr/sbin/update-alternatives --auto jaxp_parser_impl
@ -460,27 +442,27 @@ ln -s %{name}-xni-%{version} %{_javadocdir}/%{name}-xni
 %files javadoc-impl
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-impl-%{version}
-%ghost %doc %{_javadocdir}/%{name}-impl
+%doc %{_javadocdir}/%{name}-impl

 %files javadoc-apis
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-apis-%{version}
-%ghost %doc %{_javadocdir}/%{name}-apis
+%doc %{_javadocdir}/%{name}-apis

 %files javadoc-dom3
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-dom-%{version}
-%ghost %doc %{_javadocdir}/%{name}-dom
+%doc %{_javadocdir}/%{name}-dom

 %files javadoc-other
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-other-%{version}
-%ghost %doc %{_javadocdir}/%{name}-other
+%doc %{_javadocdir}/%{name}-other

 %files javadoc-xni
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-xni-%{version}
-%ghost %doc %{_javadocdir}/%{name}-xni
+%doc %{_javadocdir}/%{name}-xni

 %files demo
 %defattr(0644,root,root,0755)
@ -491,41 +473,3 @@ ln -s %{name}-xni-%{version} %{_javadocdir}/%{name}-xni
 %{_bindir}/*

 %changelog
-* Wed Nov 12 2008 mvyskocil@suse.cz
- use gcj for build as this version is not compatible with INM Java6
- added a jpackage-utils to BuildRequires
-* Fri Feb 29 2008 coolo@suse.de
- adding prereq for xml-apis and xml-resolver
-* Wed Jan 23 2008 prusnak@suse.cz
- removed comma between symbols in PreReq
-* Wed May 02 2007 dbornkessel@suse.de
- added unzip to BuildRequires
-* Tue Jan 23 2007 dbornkessel@suse.de
- added dummy methods for not yet supported new dom methods
-* Tue Jan 16 2007 dbornkessel@suse.de
- created sub-packages xml-apis and xml-resolver to avoid Bug #232127
-* Wed Nov 15 2006 dbornkessel@suse.de
- Changed
-  PreReq: /usr/sbin/update-alternatives
-  to
-  PreReq: update-alternatives
-* Fri Sep 22 2006 dbornkessel@suse.de
- update to 2.8.1
- added source="1.4" target="1.4" to [x]javac & javadoc ant tasks
-* Mon Jan 30 2006 dbornkessel@suse.de
- changed update alternatives prios
- corrected update-alternatives name for 'xml-commons-resolver'
-* Fri Jan 27 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-* Tue Jan 24 2006 dbornkessel@suse.de
- added missing jar file (xml-apis & resolver)
- added xml-apis and resolver to alternative system, so they can be
-  interchanged with xml-commons-apis and commons-resolver
-* Wed Jan 18 2006 dbornkessel@suse.de
- Update to version 2.7.1
-* Wed Sep 28 2005 dmueller@suse.de
- add norootforbuild
-* Thu Sep 16 2004 skh@suse.de
- Fix prerequires
-* Thu Sep 02 2004 skh@suse.de
- Initial package created with version 2.6.2 (JPackage 1.5)