From 20f095e59bbcf1b03eae03c34374e3303d25e894699f9b4941e5dd4e1dd0a066 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Fri, 1 Mar 2024 19:45:49 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:packages/xmlgraphics-batik?expand=0&rev=65

---
 batik-build.tar.xz | 4 +--
 batik-src-1.15.tar.gz | 3 --
 batik-src-1.17.tar.gz | 3 ++
 xmlgraphics-batik-nosourcetarget.patch | 47 --------------------------
 xmlgraphics-batik.changes | 17 ++++++++++
 xmlgraphics-batik.spec | 10 +-----
 6 files changed, 23 insertions(+), 61 deletions(-)
 delete mode 100644 batik-src-1.15.tar.gz
 create mode 100644 batik-src-1.17.tar.gz
 delete mode 100644 xmlgraphics-batik-nosourcetarget.patch

diff --git a/batik-build.tar.xz b/batik-build.tar.xz
index 23958be..7a73559 100644
--- a/batik-build.tar.xz
+++ b/batik-build.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:229103e967025713d46c8149da8a86d0f84cc9cd09fc832118ec846ece7fa982
-size 9792
+oid sha256:7ced40cc9700c67da74db56a647c8c5e6fc9498bb0462372c113c387190bd767
+size 10132
diff --git a/batik-src-1.15.tar.gz b/batik-src-1.15.tar.gz
deleted file mode 100644
index aaa9caa..0000000
--- a/batik-src-1.15.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d743d3aaae918ef704e0f30b9b86c65d96dbae06896e882a7b3ea37ad3873054
-size 13495199
diff --git a/batik-src-1.17.tar.gz b/batik-src-1.17.tar.gz
new file mode 100644
index 0000000..730ef62
--- /dev/null
+++ b/batik-src-1.17.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:555a9b1cbfa2cc7cd69b35cb46ad28e8a06befb1d5d2465de56ef3f1ddbbc11e
+size 13578640
diff --git a/xmlgraphics-batik-nosourcetarget.patch b/xmlgraphics-batik-nosourcetarget.patch
deleted file mode 100644
index 0318743..0000000
--- a/xmlgraphics-batik-nosourcetarget.patch
+++ /dev/null
@@ -1,47 +0,0 @@ ---- batik-1.15/build.xml 2023-10-25 17:01:52.414466777 +0200 -+++ batik-1.15/build.xml 2023-10-25 17:03:22.921750305 +0200 -@@ -94,8 +94,6 @@ - - - -- -- - - - -@@ -712,7 +710,7 @@ - - - -- - - -@@ -743,7 +741,7 @@ - - - -- - - -@@ -753,7 +751,7 @@ - - - -- - - -@@ -999,7 +997,7 @@ - - - -- - diff --git a/xmlgraphics-batik.changes b/xmlgraphics-batik.changes index d8d4352..1f96515 100644 --- a/xmlgraphics-batik.changes +++ b/xmlgraphics-batik.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Fri Mar 1 19:02:03 UTC 2024 - Fridrich Strba + +- Upgrade to version 1.17 + * BATIK-1346: Allow configuration of rhino whitelist + * BATIK-1347: Switch to empty whitelist for rhino (CVE-2022-44730) + * BATIK-1349: Block loading external resource by default + (CVE-2022-44729) +- Upgrade to version 1.16 + * Java 8 or later is minimum runtime required + * BATIK-1338: Block loading jar inside svg (CVE-2022-41704) + * BATIK-1345: Restrict what java classes can be run thru rhino + (CVE-2022-42890) +- Removed patch: + * xmlgraphics-batik-nosourcetarget.patch + + not needed since Java 8 compatibility is now the default + ------------------------------------------------------------------- Thu Feb 29 07:18:22 UTC 2024 - Fridrich Strba diff --git a/xmlgraphics-batik.spec b/xmlgraphics-batik.spec index 987e150..de8aef4 100644 --- a/xmlgraphics-batik.spec +++ b/xmlgraphics-batik.spec @@ -21,7 +21,7 @@ %define _buildshell /bin/bash %global classpath xmlgraphics-batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons Name: xmlgraphics-batik -Version: 1.15 +Version: 1.17 Release: 0 Summary: Scalable Vector Graphics for Java License: Apache-2.0 @@ -32,7 +32,6 @@ Source1: batik-build.tar.xz Source7: %{name}.security.policy Patch0: %{name}-nolinksinjavadoc.patch Patch1: 0001-Fix-imageio-codec-lookup.patch -Patch2: %{name}-nosourcetarget.patch BuildRequires: ant BuildRequires: fdupes BuildRequires: java-devel >= 1.8 
@@ -167,19 +166,13 @@ find -name '*.jar' -delete %patch -P 0 -p1 %patch -P 1 -p1 -%patch -P 2 -p1 cp -p %{SOURCE7} batik-svgrasterizer/src/main/resources/org/apache/batik/apps/rasterizer/resources/rasterizer.policy cp -p %{SOURCE7} batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy -# It's an uberjar, it shouldn't have requires -%pom_xpath_inject pom:dependency 'true' batik-all - # eclipse expects xmlgraphics to be optional %pom_xpath_inject 'pom:dependency[pom:artifactId="xmlgraphics-commons"]' 'true' batik-css -%pom_remove_dep :batik-i18n batik-util - for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do %pom_add_plugin org.apache.felix:maven-bundle-plugin $pom " true @@ -209,7 +202,6 @@ export OPT_JAR_LIST=: -f build-batik.xml -Dtest.skip=true \ package %{ant} \ - -Dant.build.javac.source=8 -Dant.build.javac.target=8 \ all-jar jars javadoc %install