From 04cbeb11f3d89eb89e2d96163bdc2aae4090a95fdb654ad179c38183862f971b Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 29 Feb 2024 07:12:57 +0000
Subject: [PATCH 1/6] OBS-URL: https://build.opensuse.org/package/show/Java:packages/xmlgraphics-batik?expand=0&rev=62

---
 xmlgraphics-batik.spec | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/xmlgraphics-batik.spec b/xmlgraphics-batik.spec
index 7bf3cf0..c69c7ce 100644
--- a/xmlgraphics-batik.spec
+++ b/xmlgraphics-batik.spec
@@ -17,6 +17,7 @@
 #
+%{!?mvn_install_pom:%global mvn_install_pom install -pm 0644}
 %define _buildshell /bin/bash
 %global classpath xmlgraphics-batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons
 Name: xmlgraphics-batik
@@ -35,14 +36,14 @@ Patch2: %{name}-nosourcetarget.patch
 BuildRequires: ant
 BuildRequires: fdupes
 BuildRequires: java-devel >= 1.8
-BuildRequires: javapackages-local >= 6
+BuildRequires: javapackages-local
 BuildRequires: rhino >= 1.6
 BuildRequires: xml-commons-apis >= 1.3.03
 BuildRequires: xmlgraphics-commons
 Requires: %{name}-css = %{version}-%{release}
-Requires: mvn(org.apache.xmlgraphics:xmlgraphics-commons)
-Requires: mvn(xml-apis:xml-apis)
-Requires: mvn(xml-apis:xml-apis-ext)
+Requires: rhino
+Requires: xml-commons-apis
+Requires: xmlgraphics-commons
 Obsoletes: batik < %{version}-%{release}
 Provides: batik = %{version}-%{release}
 BuildArch: noarch

From ae0b0fcad6d16f3400b8c28909d5b54de1e97e47fbefe9445e88c26f5f2b2e1d Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 29 Feb 2024 07:21:10 +0000
Subject: [PATCH 2/6] OBS-URL: https://build.opensuse.org/package/show/Java:packages/xmlgraphics-batik?expand=0&rev=63

---
 xmlgraphics-batik.changes | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/xmlgraphics-batik.changes b/xmlgraphics-batik.changes
index d493e78..76dbbad 100644
--- a/xmlgraphics-batik.changes
+++ b/xmlgraphics-batik.changes
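Review bot: The new `Requires: rhino` and `Requires: xml-commons-apis` lines in the -35 hunk carry no version floor, while the BuildRequires they sit next to still demand `rhino >= 1.6` and `xml-commons-apis >= 1.3.03`, so an installed system can satisfy the runtime dependency with an older build than the one the package was compiled against; `Requires: rhino >= 1.6` and `Requires: xml-commons-apis >= 1.3.03` would keep the two in step. The same unversioned lines reappear in every subpackage touched by PATCH 3/6 (the -67, -78, -90, -103 and -117 hunks). Separately, the `%global classpath` line in the first hunk lists xml-commons-apis-ext, which none of the new Requires names; if that is not provided by the xml-commons-apis package on the target distribution, the launcher scripts would reference a classpath entry that is absent at runtime, so it is worth confirming.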
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Feb 29 07:18:22 UTC 2024 - Fridrich Strba
+
+- Allow building with this spec-file on systems that don't have the
+ mvn_install_pom macros defined and release version requirement
+ of javapackages-local
+- Require the xmlgraphics-commons, xml-commons-apis a rhino by their
+ names, since they are on the classpath by their location in the
+ scripts
+
 -------------------------------------------------------------------
 Wed Feb 21 10:55:53 UTC 2024 - Gus Kenion

From 255126fa9b464d5b2bfab01ce18fd79d9cc3cbdd4b3a4f3238552cb9ba0593a0 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 29 Feb 2024 13:14:17 +0000
Subject: [PATCH 3/6] OBS-URL: https://build.opensuse.org/package/show/Java:packages/xmlgraphics-batik?expand=0&rev=64

---
 xmlgraphics-batik.changes | 5 ++++-
 xmlgraphics-batik.spec | 23 ++++++++++++++++++++---
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/xmlgraphics-batik.changes b/xmlgraphics-batik.changes
index 76dbbad..d8d4352 100644
--- a/xmlgraphics-batik.changes
+++ b/xmlgraphics-batik.changes
@@ -6,7 +6,10 @@ Thu Feb 29 07:18:22 UTC 2024 - Fridrich Strba
 of javapackages-local
 - Require the xmlgraphics-commons, xml-commons-apis a rhino by their
 names, since they are on the classpath by their location in the
- scripts
+ scripts. Require them in the subpackages that contain the scripts.
+- Require javapackages-tools in subpackages that contain scripts
+ created by jpackage_script macro. The scripts need functions from
+ javapackages tools
 -------------------------------------------------------------------
 Wed Feb 21 10:55:53 UTC 2024 - Gus Kenion
diff --git a/xmlgraphics-batik.spec b/xmlgraphics-batik.spec
index c69c7ce..987e150 100644
--- a/xmlgraphics-batik.spec
+++ b/xmlgraphics-batik.spec
@@ -41,9 +41,6 @@ BuildRequires: rhino >= 1.6
 BuildRequires: xml-commons-apis >= 1.3.03
 BuildRequires: xmlgraphics-commons
 Requires: %{name}-css = %{version}-%{release}
-Requires: rhino
-Requires: xml-commons-apis
-Requires: xmlgraphics-commons
 Obsoletes: batik < %{version}-%{release}
 Provides: batik = %{version}-%{release}
 BuildArch: noarch
@@ -67,6 +64,10 @@ CSS component of the Apache Batik SVG manipulation and rendering library.
 Summary: Batik SVG browser
 Group: Productivity/Graphics/Vector Editors
 Requires: %{name} = %{version}-%{release}
+Requires: javapackages-tools
+Requires: rhino
+Requires: xml-commons-apis
+Requires: xmlgraphics-commons
 Obsoletes: batik-squiggle < %{version}-%{release}
 Provides: batik-squiggle = %{version}-%{release}
@@ -78,6 +79,10 @@ in the content and select text items in the image and much more.
 Summary: Batik SVG pretty printer
 Group: Productivity/Graphics/Vector Editors
 Requires: %{name} = %{version}-%{release}
+Requires: javapackages-tools
+Requires: rhino
+Requires: xml-commons-apis
+Requires: xmlgraphics-commons
 Obsoletes: batik-svgpp < %{version}-%{release}
 Provides: batik-svgpp = %{version}-%{release}
@@ -90,6 +95,10 @@ also be used to modify the DOCTYPE declaration on SVG files.
 Summary: Batik SVG font converter
 Group: Productivity/Graphics/Vector Editors
 Requires: %{name} = %{version}-%{release}
+Requires: javapackages-tools
+Requires: rhino
+Requires: xml-commons-apis
+Requires: xmlgraphics-commons
 Obsoletes: batik-ttf2svg < %{version}-%{release}
 Provides: batik-ttf2svg = %{version}-%{release}
@@ -103,6 +112,10 @@ rendered exactly the same on all systems.
 Summary: Batik SVG rasterizer
 Group: Productivity/Graphics/Vector Editors
 Requires: %{name} = %{version}-%{release}
+Requires: javapackages-tools
+Requires: rhino
+Requires: xml-commons-apis
+Requires: xmlgraphics-commons
 Obsoletes: batik-rasterizer < %{version}-%{release}
 Provides: batik-rasterizer = %{version}-%{release}
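Review bot: Dropping `Requires: xmlgraphics-commons` and `Requires: xml-commons-apis` from the main package in the -41 hunk leaves only the script subpackages pulling those jars in, so a user who installs %{name} to put the batik jars on their own classpath no longer gets them. If the library jars themselves reference org.apache.xmlgraphics or xml-apis classes (confirm against the built jars, or against an automatically generated mvn() dependency if javapackages produces one here), the main package should keep `Requires: xml-commons-apis` and `Requires: xmlgraphics-commons` and the subpackages add only what the launchers need. As a matter of style, the same four-line block is pasted into five %package sections (the -67, -78, -90 and -103 hunks here and the -117 hunk on the next line); a comment above the first occurrence such as `# runtime classpath of the jpackage_script launchers; keep in sync with %%global classpath` would record why these duplicate the BuildRequires.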
@@ -117,6 +130,10 @@ to be added easily.
 Summary: Batik SVG slideshow
 Group: Productivity/Graphics/Vector Editors
 Requires: %{name} = %{version}-%{release}
+Requires: javapackages-tools
+Requires: rhino
+Requires: xml-commons-apis
+Requires: xmlgraphics-commons
 Obsoletes: batik-slideshow < %{version}-%{release}
 Provides: batik-slideshow = %{version}-%{release}

From 20f095e59bbcf1b03eae03c34374e3303d25e894699f9b4941e5dd4e1dd0a066 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Fri, 1 Mar 2024 19:45:49 +0000
Subject: [PATCH 4/6] OBS-URL: https://build.opensuse.org/package/show/Java:packages/xmlgraphics-batik?expand=0&rev=65

---
 batik-build.tar.xz | 4 +--
 batik-src-1.15.tar.gz | 3 --
 batik-src-1.17.tar.gz | 3 ++
 xmlgraphics-batik-nosourcetarget.patch | 47 --------------------------
 xmlgraphics-batik.changes | 17 ++++++++++
 xmlgraphics-batik.spec | 10 +-----
 6 files changed, 23 insertions(+), 61 deletions(-)
 delete mode 100644 batik-src-1.15.tar.gz
 create mode 100644 batik-src-1.17.tar.gz
 delete mode 100644 xmlgraphics-batik-nosourcetarget.patch

diff --git a/batik-build.tar.xz b/batik-build.tar.xz
index 23958be..7a73559 100644
--- a/batik-build.tar.xz
+++ b/batik-build.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:229103e967025713d46c8149da8a86d0f84cc9cd09fc832118ec846ece7fa982
-size 9792
+oid sha256:7ced40cc9700c67da74db56a647c8c5e6fc9498bb0462372c113c387190bd767
+size 10132
diff --git a/batik-src-1.15.tar.gz b/batik-src-1.15.tar.gz
deleted file mode 100644
index aaa9caa..0000000
--- a/batik-src-1.15.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d743d3aaae918ef704e0f30b9b86c65d96dbae06896e882a7b3ea37ad3873054
-size 13495199
diff --git a/batik-src-1.17.tar.gz b/batik-src-1.17.tar.gz
new file mode 100644
index 0000000..730ef62
--- /dev/null
+++ b/batik-src-1.17.tar.gz
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:555a9b1cbfa2cc7cd69b35cb46ad28e8a06befb1d5d2465de56ef3f1ddbbc11e +size 13578640 diff --git a/xmlgraphics-batik-nosourcetarget.patch b/xmlgraphics-batik-nosourcetarget.patch deleted file mode 100644 index 0318743..0000000 --- a/xmlgraphics-batik-nosourcetarget.patch +++ /dev/null @@ -1,47 +0,0 @@ ---- batik-1.15/build.xml 2023-10-25 17:01:52.414466777 +0200 -+++ batik-1.15/build.xml 2023-10-25 17:03:22.921750305 +0200 -@@ -94,8 +94,6 @@ - - - -- -- - - - -@@ -712,7 +710,7 @@ - - - -- - - -@@ -743,7 +741,7 @@ - - - -- - - -@@ -753,7 +751,7 @@ - - - -- - - -@@ -999,7 +997,7 @@ - - - -- - diff --git a/xmlgraphics-batik.changes b/xmlgraphics-batik.changes index d8d4352..1f96515 100644 --- a/xmlgraphics-batik.changes +++ b/xmlgraphics-batik.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Fri Mar 1 19:02:03 UTC 2024 - Fridrich Strba + +- Upgrade to version 1.17 + * BATIK-1346: Allow configuration of rhino whitelist + * BATIK-1347: Switch to empty whitelist for rhino (CVE-2022-44730) + * BATIK-1349: Block loading external resource by default + (CVE-2022-44729) +- Upgrade to version 1.16 + * Java 8 or later is minimum runtime required + * BATIK-1338: Block loading jar inside svg (CVE-2022-41704) + * BATIK-1345: Restrict what java classes can be run thru rhino + (CVE-2022-42890) +- Removed patch: + * xmlgraphics-batik-nosourcetarget.patch + + not needed since Java 8 compatibility is now the default + ------------------------------------------------------------------- Thu Feb 29 07:18:22 UTC 2024 - Fridrich Strba diff --git a/xmlgraphics-batik.spec b/xmlgraphics-batik.spec index 987e150..de8aef4 100644 --- a/xmlgraphics-batik.spec +++ b/xmlgraphics-batik.spec 
@@ -21,7 +21,7 @@
 %define _buildshell /bin/bash
 %global classpath xmlgraphics-batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons
 Name: xmlgraphics-batik
-Version: 1.15
+Version: 1.17
 Release: 0
 Summary: Scalable Vector Graphics for Java
 License: Apache-2.0
@@ -32,7 +32,6 @@ Source1: batik-build.tar.xz
 Source7: %{name}.security.policy
 Patch0: %{name}-nolinksinjavadoc.patch
 Patch1: 0001-Fix-imageio-codec-lookup.patch
-Patch2: %{name}-nosourcetarget.patch
 BuildRequires: ant
 BuildRequires: fdupes
 BuildRequires: java-devel >= 1.8
@@ -167,19 +166,13 @@ find -name '*.jar' -delete
 %patch -P 0 -p1
 %patch -P 1 -p1
-%patch -P 2 -p1
 cp -p %{SOURCE7} batik-svgrasterizer/src/main/resources/org/apache/batik/apps/rasterizer/resources/rasterizer.policy
 cp -p %{SOURCE7} batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
-# It's an uberjar, it shouldn't have requires
-%pom_xpath_inject pom:dependency 'true' batik-all
-
 # eclipse expects xmlgraphics to be optional
 %pom_xpath_inject 'pom:dependency[pom:artifactId="xmlgraphics-commons"]' 'true' batik-css
-%pom_remove_dep :batik-i18n batik-util
-
 for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do
 %pom_add_plugin org.apache.felix:maven-bundle-plugin $pom "
 true
@@ -209,7 +202,6 @@ export OPT_JAR_LIST=:
 -f build-batik.xml -Dtest.skip=true \
 package
 %{ant} \
- -Dant.build.javac.source=8 -Dant.build.javac.target=8 \
 all-jar jars javadoc
 %install

From 8cf5b19a65df526de0f78e862bb6bbd06ed293621348daa60fc74062f8d09116 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Fri, 1 Mar 2024 19:46:57 +0000
Subject: [PATCH 5/6] OBS-URL: https://build.opensuse.org/package/show/Java:packages/xmlgraphics-batik?expand=0&rev=66

---
 xmlgraphics-batik.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xmlgraphics-batik.changes b/xmlgraphics-batik.changes
index 1f96515..008a6b5 100644
--- a/xmlgraphics-batik.changes
+++ b/xmlgraphics-batik.changes
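Review bot: The two `cp -p %{SOURCE7}` context lines in the -167 hunk still overwrite upstream's rasterizer.policy and svgbrowser.policy with the distribution's own %{name}.security.policy, while this commit moves the sources from 1.15 to 1.17, whose .changes entry describes tightened defaults for the rhino whitelist and for external resource loading (BATIK-1346, BATIK-1347, BATIK-1349). The override should be re-diffed against the policy files shipped in the 1.17 tarball so that it does not silently grant the packaged launchers broader permissions than the new upstream defaults; the spec as written gives no indication that this was checked. Separately, the dropped `%pom_xpath_inject ... batik-all` and `%pom_remove_dep :batik-i18n batik-util` lines are not recorded in the accompanying .changes entry, which mentions only the version bump and the removed patch; a line stating why those two pom edits are no longer needed would keep the changelog complete.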
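Review bot: Removing `-Dant.build.javac.source=8 -Dant.build.javac.target=8` from the `%{ant}` call in the -209 hunk leaves the bytecode level to whatever the javac tasks in build-batik.xml and upstream's build.xml set; the spec only states `BuildRequires: java-devel >= 1.8`, so on a newer JDK the classes could end up requiring that newer JRE while the .changes entry claims Java 8 compatibility is now the default. Worth confirming that the 1.17 build.xml pins source/target (or release) 1.8 before relying on it, or else keep the two properties as a harmless explicit setting.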
@@ -26,7 +26,7 @@ Thu Feb 29 07:18:22 UTC 2024 - Fridrich Strba
 scripts. Require them in the subpackages that contain the scripts.
 - Require javapackages-tools in subpackages that contain scripts
 created by jpackage_script macro. The scripts need functions from
- javapackages tools
+ javapackages-tools
 -------------------------------------------------------------------
 Wed Feb 21 10:55:53 UTC 2024 - Gus Kenion

From f15788ee2781864cc9d7d1f83d7ba7f476cc50e3fea6963fc1f768d897cfe302 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Fri, 1 Mar 2024 19:58:58 +0000
Subject: [PATCH 6/6] OBS-URL: https://build.opensuse.org/package/show/Java:packages/xmlgraphics-batik?expand=0&rev=67

---
 xmlgraphics-batik.changes | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/xmlgraphics-batik.changes b/xmlgraphics-batik.changes
index 008a6b5..21ac244 100644
--- a/xmlgraphics-batik.changes
+++ b/xmlgraphics-batik.changes
@@ -8,9 +8,10 @@ Fri Mar 1 19:02:03 UTC 2024 - Fridrich Strba
 (CVE-2022-44729)
 - Upgrade to version 1.16
 * Java 8 or later is minimum runtime required
- * BATIK-1338: Block loading jar inside svg (CVE-2022-41704)
+ * BATIK-1338: Block loading jar inside svg (CVE-2022-41704,
+ bsc#1204704)
 * BATIK-1345: Restrict what java classes can be run thru rhino
- (CVE-2022-42890)
+ (CVE-2022-42890, bsc#1204709)
 - Removed patch:
 * xmlgraphics-batik-nosourcetarget.patch
 + not needed since Java 8 compatibility is now the default