diff --git a/xerces-j2-bootstrap.changes b/xerces-j2-bootstrap.changes
index 3cdcdb1..042cd29 100644
--- a/xerces-j2-bootstrap.changes
+++ b/xerces-j2-bootstrap.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Aug 17 11:46:39 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#530717: VUL-0: xerces-j2: XML parsing vulnerability
+
 -------------------------------------------------------------------
 Mon Jan 28 16:59:12 CET 2008 - ro@suse.de
diff --git a/xerces-j2-bootstrap.spec b/xerces-j2-bootstrap.spec
index 11f9f92..073d650 100644
--- a/xerces-j2-bootstrap.spec
+++ b/xerces-j2-bootstrap.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package xerces-j2-bootstrap (Version 2.8.1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,16 +34,19 @@ BuildRequires: update-alternatives
 Summary: Java XML parser
 Group: Development/Libraries/Java
 Version: 2.8.1
-Release: 238
+Release: 239
 Requires: xml-commons-which-bootstrap
 Requires: xml-commons-apis-bootstrap
 Requires: xml-commons-resolver-bootstrap
-License: The Apache Software License
+License: Apache Software License ..
 Group: Development/Libraries/Java
 AutoReqProv: on
 Source0: Xerces-J-src.%{version}.tar.bz2
 Patch0: xerces-j2-gcj-switch-constants-bug.patch
 Patch1: xerces-build.patch
+#PATCH-FIX-UPSTREAM bnc#530717
+#http://svn.apache.org/viewvc?view=rev&revision=787352
+Patch3: xerces-j2-parsing.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #BuildArchitectures: noarch
 #ExclusiveArch: %ix86
@@ -78,6 +81,7 @@ Implementation page.
 %setup -n xerces-%{xerces_version_cvs}
 %patch0
 %patch1
+%patch3 -p1 -b .parsing
 #<<<
 #>>>
 %build
@@ -87,6 +91,7 @@ Implementation page.
 TARGET_DIR=`pwd`
 CLASSPATH_ORIG="$CLASSPATH"
 LIB_GCJ="`ls %{_javadir}/libgcj-*.jar`"
+export GC_MAXIMUM_HEAP_SIZE="134217728"
 #>>> delete binary file and files not needed
 function delBinaryFiles() {
 set +x
@@ -177,16 +182,3 @@ rm -rf $RPM_BUILD_ROOT
 # vim:fdm=marker:foldmarker=#>>>,#<<<:foldcolumn=6:
 %changelog
-* Mon Jan 28 2008 ro@suse.de
-- explicitly buildreq antlr-bootstrap
-* Thu Jan 24 2008 skh@suse.de
-- fix build with gcj
-* Wed May 02 2007 dbornkessel@suse.de
-- added unzip to BuildRequires
-* Wed Nov 15 2006 dbornkessel@suse.de
-- Changed
- PreReq: /usr/sbin/update-alternatives
- to
- PreReq: update-alternatives
-* Fri Sep 22 2006 dbornkessel@suse.de
-- first version
diff --git a/xerces-j2-parsing.patch b/xerces-j2-parsing.patch
new file mode 100644
index 0000000..7f09009
--- /dev/null
+++ b/xerces-j2-parsing.patch
@@ -0,0 +1,19 @@
+Index: xerces-2_8_1/src/org/apache/xerces/impl/XMLScanner.java
+===================================================================
+--- xerces-2_8_1.orig/src/org/apache/xerces/impl/XMLScanner.java 2006-09-14 03:23:36.000000000 +0200
++++ xerces-2_8_1/src/org/apache/xerces/impl/XMLScanner.java 2009-08-17 12:02:22.811296491 +0200
+@@ -1026,6 +1026,14 @@
+ if (XMLChar.isMarkup(c) || c == ']') {
+ fStringBuffer.append((char)fEntityScanner.scanChar());
+ }
++ else if (XMLChar.isHighSurrogate(c)) {
++ scanSurrogates(fStringBuffer);
++ }
++ else if (isInvalidLiteral(c)) {
++ reportFatalError("InvalidCharInSystemID",
++ new Object[] { Integer.toHexString(c) });
++ fEntityScanner.scanChar();
++ }
+ } while (fEntityScanner.scanLiteral(quote, ident) != quote);
+ fStringBuffer.append(ident);
+ ident = fStringBuffer;
diff --git a/xerces-j2.changes b/xerces-j2.changes
index cff842a..2b916fd 100644
--- a/xerces-j2.changes
+++ b/xerces-j2.changes
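Review bot: The added `export GC_MAXIMUM_HEAP_SIZE="134217728"` carries no explanation of why the build needs a fixed heap cap, and the identical bare export is added to the %build section of xerces-j2.spec in a later hunk; this looks like the Boehm GC environment knob honoured by libgcj, but a reader cannot tell from the spec whether it works around memory exhaustion in the gcj-run ant build or pins a value for reproducibility. Suggest a comment above the line in both specs, e.g. `# libgcj/Boehm GC: cap the heap at 128 MiB (134217728 bytes) — TODO record the build failure this avoids`. The enclosing %build section and the `delBinaryFiles` function opened on the last hunk line continue outside the hunk.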
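Review bot: The new `else if (isInvalidLiteral(c))` branch reports the fatal error and then still calls `fEntityScanner.scanChar()`, and that consume looks load-bearing: without it the surrounding `do … while (fEntityScanner.scanLiteral(quote, ident) != quote)` loop would presumably re-examine the same rejected character on every pass whenever the parser is configured to continue after a fatal error, which is plausibly the hang behind bnc#530717. A one-line comment in the patch would stop a later rebase from dropping the call as redundant, e.g. `// consume the rejected char so the scan loop cannot spin on it when continue-after-fatal-error is enabled`; the `XMLChar.isHighSurrogate(c)` branch presumably relies on `scanSurrogates` to advance for the same reason. The patch file itself has no description header tying it to upstream revision 787352 — only the spec comment does — so a short provenance line at the top of the patch would keep that link if the spec comment is ever lost. The enclosing method starts and ends outside the hunk.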
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Aug 17 11:44:46 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#530717: VUL-0: xerces-j2: XML parsing vulnerability
+- Removed non used patch xerces-build.patch
+- Fixed some rpmlint warnings and errors
+- Removed javadoc postinstall scripts
+- Removed %%release from subpackages requires
+
 -------------------------------------------------------------------
 Wed Nov 12 12:22:20 CET 2008 - mvyskocil@suse.cz
diff --git a/xerces-j2.spec b/xerces-j2.spec
index 7fa6a26..815937b 100644
--- a/xerces-j2.spec
+++ b/xerces-j2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package xerces-j2 (Version 2.8.1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,18 +26,20 @@ BuildRequires: java-1_5_0-gcj-compat-devel jpackage-utils unzip
 %define release 3jpp
 %define section free
 Version: 2.8.1
-Release: 198
+Release: 199
 Summary: Java XML parser
-License: The Apache Software License
+License: Apache Software License ..
 Url: http://xml.apache.org/xerces2-j/
 Group: Development/Libraries/Java
 Source0: Xerces-J-src.%{version}.tar.bz2
 Source1: %{name}-version.sh
 Source2: %{name}-constants.sh
 Source3: Xerces-J-tools.%{version}.tar.bz2
-Patch0: %{name}-build.patch
 Patch1: java150_build.patch
 Patch2: %{name}-%{version}_new_unsupported_dom_methods.patch
+#PATCH-FIX-UPSTREAM bnc#530717
+#http://svn.apache.org/viewvc?view=rev&revision=787352
+Patch3: xerces-j2-parsing.patch
 Provides: jaxp_parser_impl
 PreReq: update-alternatives /bin/ln
 # some build requirements removed to enable jpackage bootstrap. this is
@@ -69,7 +71,7 @@ Implementation page.
 %package javadoc-impl
-License: The Apache Software License
+License: Apache Software License ..
 Summary: Javadoc for xerces-j2 implementation
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -100,7 +102,7 @@ implementation.
 %package javadoc-apis
-License: The Apache Software License
+License: Apache Software License ..
 Summary: Javadoc for xerces-j2 apis
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -130,8 +132,8 @@ This package contains the javadoc documentation for the Xerces2 APIs.
 %package javadoc-dom3
-License: The Apache Software License
-Summary: Javadoc for xerces-j2 DOM3.
+License: Apache Software License ..
+Summary: Javadoc for xerces-j2 DOM3
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -160,8 +162,8 @@ This package contains the javadoc documentation for Xerces2 DOM3.
 %package javadoc-xni
-License: The Apache Software License
-Summary: Javadoc for xerces-j2 XNI.
+License: Apache Software License ..
+Summary: Javadoc for xerces-j2 XNI
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -190,8 +192,8 @@ This package contains the javadoc documentation for Xerces2 XNI.
 %package javadoc-other
-License: The Apache Software License
-Summary: Javadoc for other xerces-j2 components.
+License: Apache Software License ..
+Summary: Javadoc for other xerces-j2 components
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -221,10 +223,10 @@ Xerces2.
 %package demo
-License: The Apache Software License
-Summary: Demonstration and sample files for xerces-j2.
+License: Apache Software License ..
+Summary: Demonstration and sample files for xerces-j2
 Group: Development/Libraries/Java
-Requires: %{name} = %{version}-%{release}
+Requires: %{name} = %{version}
 %description demo
 Welcome to the future! Xerces2 is the next generation of high
@@ -251,10 +253,10 @@ This package contains demonstration and sample files for Xerces2.
 %package scripts
-License: The Apache Software License
-Summary: Additional utility scripts for xerces-j2.
+License: Apache Software License ..
+Summary: Additional utility scripts for xerces-j2
 Group: Development/Libraries/Java
-Requires: %{name} = %{version}-%{release}
+Requires: %{name} = %{version}
 Requires: jpackage-utils >= 1.5
 %description scripts
@@ -282,7 +284,7 @@ This package contains additional utility scripts for Xerces2.
 %package xml-resolver
-License: The Apache Software License
+License: Apache Software License ..
 Summary: Resolver subproject of xml-commons
 Group: Development/Libraries/Java
 Requires: jpackage-utils >= 1.5
@@ -300,7 +302,7 @@ This package contains the resolver subproject of xml-commons.
 %package xml-apis
-License: The Apache Software License
+License: Apache Software License ..
 Summary: APIs subproject of xml-commons
 Group: Development/Libraries/Java
 Requires: jpackage-utils >= 1.5
@@ -325,19 +327,19 @@ This package contains the APIs subproject of xml-commons.
 %setup -q -n xerces-%{cvs_version}
 %setup -q -T -a 3 -D -n xerces-%{cvs_version}
 %setup -T -D -n xerces-%{cvs_version}
-#%patch0 -p1 -b .build
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1 -b .parsing
 %build
 ## this uses the ant.jar provided by the xerces packages. Tough luck,
 # jpackage bootstrap has to start somewhere. It is not installed,
 # though.
+export GC_MAXIMUM_HEAP_SIZE="134217728"
 sh build.sh jars
 sh build.sh javadocs
 %install
-rm -rf $RPM_BUILD_ROOT
 # jars
 mkdir -p $RPM_BUILD_ROOT%{_javadir}
 cp -p build/xercesImpl.jar $RPM_BUILD_ROOT%{_javadir}/%{name}-%{version}.jar
@@ -388,26 +390,6 @@ ln -s %{_sysconfdir}/alternatives \
 %clean
 rm -rf $RPM_BUILD_ROOT
-%post javadoc-apis
-rm -f %{_javadocdir}/%{name}-apis
-ln -s %{name}-apis-%{version} %{_javadocdir}/%{name}-apis
-
-%post javadoc-dom3
-rm -f %{_javadocdir}/%{name}-dom3
-ln -s %{name}-dom3-%{version} %{_javadocdir}/%{name}-dom3
-
-%post javadoc-impl
-rm -f %{_javadocdir}/%{name}-impl
-ln -s %{name}-impl-%{version} %{_javadocdir}/%{name}-impl
-
-%post javadoc-other
-rm -f %{_javadocdir}/%{name}-other
-ln -s %{name}-other-%{version} %{_javadocdir}/%{name}-other
-
-%post javadoc-xni
-rm -f %{_javadocdir}/%{name}-xni
-ln -s %{name}-xni-%{version} %{_javadocdir}/%{name}-xni
-
 %post
 /usr/sbin/update-alternatives --install %{_javadir}/jaxp_parser_impl.jar jaxp_parser_impl %{_javadir}/%{name}.jar 23
 /usr/sbin/update-alternatives --auto jaxp_parser_impl
@@ -460,27 +442,27 @@ ln -s %{name}-xni-%{version} %{_javadocdir}/%{name}-xni
 %files javadoc-impl
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-impl-%{version}
-%ghost %doc %{_javadocdir}/%{name}-impl
+%doc %{_javadocdir}/%{name}-impl
 %files javadoc-apis
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-apis-%{version}
-%ghost %doc %{_javadocdir}/%{name}-apis
+%doc %{_javadocdir}/%{name}-apis
 %files javadoc-dom3
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-dom-%{version}
-%ghost %doc %{_javadocdir}/%{name}-dom
+%doc %{_javadocdir}/%{name}-dom
 %files javadoc-other
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-other-%{version}
-%ghost %doc %{_javadocdir}/%{name}-other
+%doc %{_javadocdir}/%{name}-other
 %files javadoc-xni
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-xni-%{version}
-%ghost %doc %{_javadocdir}/%{name}-xni
+%doc %{_javadocdir}/%{name}-xni
 %files demo
 %defattr(0644,root,root,0755)
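Review bot: Changing `%ghost %doc %{_javadocdir}/%{name}-impl` to a plain `%doc` entry (and likewise for the -apis, -dom, -other and -xni lines in the same hunk) means rpmbuild now requires that unversioned path to be present in the buildroot, whereas the `%post` scriptlets removed in the preceding hunk used to create it as a symlink only at install time; unless %install (outside both hunks) now creates those symlinks, the build fails with a missing-file error rather than silently producing an empty path. The `ln -s %{_sysconfdir}/alternatives \` context on the first hunk line suggests %install does create some links, so confirming each of the five names is covered there is the check to make. Separately, the javadoc-dom3 subpackage now ships `%{name}-dom` while the removed `%post javadoc-dom3` created `%{name}-dom3`; one of the two names is presumably wrong and worth aligning with whatever %install actually produces.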
@@ -491,41 +473,3 @@ ln -s %{name}-xni-%{version} %{_javadocdir}/%{name}-xni
 %{_bindir}/*
 %changelog
-* Wed Nov 12 2008 mvyskocil@suse.cz
-- use gcj for build as this version is not compatible with INM Java6
-- added a jpackage-utils to BuildRequires
-* Fri Feb 29 2008 coolo@suse.de
-- adding prereq for xml-apis and xml-resolver
-* Wed Jan 23 2008 prusnak@suse.cz
-- removed comma between symbols in PreReq
-* Wed May 02 2007 dbornkessel@suse.de
-- added unzip to BuildRequires
-* Tue Jan 23 2007 dbornkessel@suse.de
-- added dummy methods for not yet supported new dom methods
-* Tue Jan 16 2007 dbornkessel@suse.de
-- created sub-packages xml-apis and xml-resolver to avoid Bug #232127
-* Wed Nov 15 2006 dbornkessel@suse.de
-- Changed
- PreReq: /usr/sbin/update-alternatives
- to
- PreReq: update-alternatives
-* Fri Sep 22 2006 dbornkessel@suse.de
-- update to 2.8.1
-- added source="1.4" target="1.4" to [x]javac & javadoc ant tasks
-* Mon Jan 30 2006 dbornkessel@suse.de
-- changed update alternatives prios
-- corrected update-alternatives name for 'xml-commons-resolver'
-* Fri Jan 27 2006 mls@suse.de
-- converted neededforbuild to BuildRequires
-* Tue Jan 24 2006 dbornkessel@suse.de
-- added missing jar file (xml-apis & resolver)
-- added xml-apis and resolver to alternative system, so they can be
- interchanged with xml-commons-apis and commons-resolver
-* Wed Jan 18 2006 dbornkessel@suse.de
-- Update to version 2.7.1
-* Wed Sep 28 2005 dmueller@suse.de
-- add norootforbuild
-* Thu Sep 16 2004 skh@suse.de
-- Fix prerequires
-* Thu Sep 02 2004 skh@suse.de
-- Initial package created with version 2.6.2 (JPackage 1.5)