Add patch to fix CVE-2021-33813

2021-07-22 15:53:01 +02:00 · 2021-07-22 15:53:01 +02:00 · 27a0ec34dd
commit 27a0ec34dd
parent cbbd304bf6
2 changed files with 52 additions and 1 deletions
--- a/CVE-2021-33813.patch
+++ b/CVE-2021-33813.patch
@ -0,0 +1,42 @@
+--- libjdom1-java-1.1.3.orig/src/java/org/jdom/input/SAXBuilder.java
+++ libjdom1-java-1.1.3/src/java/org/jdom/input/SAXBuilder.java
+@@ -442,6 +442,11 @@ public class SAXBuilder {
+     public void setFeature(String name, boolean value) {
+         // Save the specified feature for later.
+         features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
+        if (name.equals("http://xml.org/sax/features/external-general-entities")) {
+            // See issue https://github.com/hunterhacker/jdom/issues/189
+            // And PR https://github.com/hunterhacker/jdom/pull/188
+            setExpandEntities(value);
+        }
+     }
+ 
+     /**
+@@ -766,13 +771,6 @@ public class SAXBuilder {
+             internalSetFeature(parser, name, value.booleanValue(), name);
+         }
+ 
+-        // Set any user-specified properties on the parser.
+-        iter = properties.keySet().iterator();
+-        while (iter.hasNext()) {
+-            String name = (String)iter.next();
+-            internalSetProperty(parser, name, properties.get(name), name);
+-        }
+-
+         if (coreFeatures) {
+             // Set validation.
+             try {
+@@ -810,6 +808,13 @@ public class SAXBuilder {
+         }
+         catch (SAXNotRecognizedException e) { /* Ignore... */ }
+         catch (SAXNotSupportedException  e) { /* Ignore... */ }
+
+        // Set any user-specified properties on the parser.
+        iter = properties.keySet().iterator();
+        while (iter.hasNext()) {
+            String name = (String)iter.next();
+            internalSetProperty(parser, name, properties.get(name), name);
+        }
+     }
+ 
+     /**
--- a/jdom.spec
+++ b/jdom.spec
@ -32,7 +32,7 @@

 Name:           jdom
 Version:        1.1.3
-Release:        26%{?dist}
+Release:        27%{?dist}
 Summary:        Java alternative to DOM and SAX
 License:        Saxpath
 URL:            http://www.jdom.org/
@ -41,6 +41,12 @@ Source1:        http://repo1.maven.org/maven2/org/jdom/jdom/%{version}/jdom-%{ve
 Patch0:         %{name}-crosslink.patch
 Patch1:         %{name}-1.1-OSGiManifest.patch

+#
+# Security patches
+# P100 -> ...
+#
+Patch100:	CVE-2021-33813.patch
+
 BuildRequires:  javapackages-local
 %if %{with bootstrap}
 BuildRequires:  javapackages-bootstrap
@ -105,6 +111,9 @@ cp -pr samples $RPM_BUILD_ROOT%{_datadir}/%{name}
 %license LICENSE.txt

 %changelog
+* Thu Jul 22 2021 Nicolas Lécureuil <neoclust@mageia.org> - 1.1.3-27
+- Add P100: Fixes CVE-2021-33813
+
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-26
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild