- add security fix for CVE-2009-3560 (#533174)

- add security fix for CVE-2009-3720 (#531697)
- run the test suite

expat-1.95.8-CVE-2009-3560.patch

@@ -0,0 +1,13 @@
+
+http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
+
+--- expat-1.95.8/lib/xmlparse.c.cve3560
++++ expat-1.95.8/lib/xmlparse.c
+@@ -3637,7 +3637,6 @@ doProlog(XML_Parser parser,
+         return XML_ERROR_NO_ELEMENTS;
+       default:
+         tok = -tok;
+-        next = end;
+         break;
+       }
+     }

expat-1.95.8-CVE-2009-3720.patch

@@ -0,0 +1,11 @@
+--- expat-1.95.8/lib/xmltok_impl.c.cve3720
++++ expat-1.95.8/lib/xmltok_impl.c
+@@ -1741,7 +1741,7 @@ PREFIX(updatePosition)(const ENCODING *e
+                        const char *end,
+                        POSITION *pos)
+ {
+-  while (ptr != end) {
++  while (ptr < end) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+     case BT_LEAD ## n: \

expat-2.0.1-confcxx.patch

@@ -0,0 +1,13 @@
+
+Configure for C++ too so the testsuite works.
+
+--- expat-2.0.1/configure.in.confcxx
++++ expat-2.0.1/configure.in
+@@ -62,6 +62,7 @@ AC_SUBST(LIBAGE)
+ 
+ dnl Checks for programs.
+ AC_PROG_CC
++AC_PROG_CXX
+ AC_PROG_INSTALL
+ 
+ if test "$GCC" = yes ; then

expat.spec

@@ -1,13 +1,16 @@
 Summary: An XML parser library
 Name: expat
 Version: 2.0.1
-Release: 7
+Release: 8%{?dist}
 Group: System Environment/Libraries
 Source: http://download.sourceforge.net/expat/expat-%{version}.tar.gz
+Patch1: expat-2.0.1-confcxx.patch
+Patch2: expat-1.95.8-CVE-2009-3560.patch
+Patch3: expat-1.95.8-CVE-2009-3720.patch
 URL: http://www.libexpat.org/
 License: MIT
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: autoconf, automake, libtool
+BuildRequires: autoconf, automake, libtool, check-devel
 
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -28,10 +31,13 @@ to develop XML applications with expat.
 
 %prep
 %setup -q
+%patch1 -p1 -b .confcxx
+%patch2 -p1 -b .cve3560
+%patch3 -p1 -b .cve3720
 
 %build
 rm -rf autom4te*.cache
-cp `aclocal --print-ac-dir`/libtool.m4 conftools || exit 1
+rm conftools/libtool.m4
 libtoolize --copy --force --automake && aclocal && autoheader && autoconf
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
 %configure --libdir=/%{_lib}
@@ -53,6 +59,9 @@ rm -f $RPM_BUILD_ROOT/%{_lib}/libexpat.la
 lib=`echo $RPM_BUILD_ROOT/%{_lib}/libexpat.so.*.*`
 ln -sf ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/libexpat.so
 
+%check
+make check
+
 %clean
 rm -rf ${RPM_BUILD_ROOT}
 
@@ -74,6 +83,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_includedir}/*.h
 
 %changelog
+* Tue Dec  1 2009 Joe Orton <jorton@redhat.com> - 2.0.1-8
+- add security fix for CVE-2009-3560 (#533174)
+- add security fix for CVE-2009-3720 (#531697)
+- run the test suite
+
 * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.1-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild