From 27a0ec34dd2cd8d93023c97a331aeab6da0a029a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C3=A9cureuil?=
Date: Thu, 22 Jul 2021 15:53:01 +0200
Subject: [PATCH] Add patch to fix CVE-2021-33813

---
 CVE-2021-33813.patch | 42 ++++++++++++++++++++++++++++++++++++++++++
 jdom.spec | 11 ++++++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-33813.patch

diff --git a/CVE-2021-33813.patch b/CVE-2021-33813.patch
new file mode 100644
index 0000000..f850266
--- /dev/null
+++ b/CVE-2021-33813.patch
@@ -0,0 +1,42 @@
+--- libjdom1-java-1.1.3.orig/src/java/org/jdom/input/SAXBuilder.java
++++ libjdom1-java-1.1.3/src/java/org/jdom/input/SAXBuilder.java
+@@ -442,6 +442,11 @@ public class SAXBuilder {
+ public void setFeature(String name, boolean value) {
+ // Save the specified feature for later.
+ features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
++ if (name.equals("http://xml.org/sax/features/external-general-entities")) {
++ // See issue https://github.com/hunterhacker/jdom/issues/189
++ // And PR https://github.com/hunterhacker/jdom/pull/188
++ setExpandEntities(value);
++ }
+ }
+ 
+ /**
+@@ -766,13 +771,6 @@ public class SAXBuilder {
+ internalSetFeature(parser, name, value.booleanValue(), name);
+ }
+ 
+- // Set any user-specified properties on the parser.
+- iter = properties.keySet().iterator();
+- while (iter.hasNext()) {
+- String name = (String)iter.next();
+- internalSetProperty(parser, name, properties.get(name), name);
+- }
+-
+ if (coreFeatures) {
+ // Set validation.
+ try {
+@@ -810,6 +808,13 @@ public class SAXBuilder {
+ }
+ catch (SAXNotRecognizedException e) { /* Ignore... */ }
+ catch (SAXNotSupportedException e) { /* Ignore... */ }
++
++ // Set any user-specified properties on the parser.
++ iter = properties.keySet().iterator();
++ while (iter.hasNext()) {
++ String name = (String)iter.next();
++ internalSetProperty(parser, name, properties.get(name), name);
++ }
+ }
+ 
+ /**
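Review bot: The new branch in setFeature calls `name.equals(...)`, so a null feature name now throws NullPointerException where the preceding `features.put(name, ...)` accepted it; writing it as `if ("http://xml.org/sax/features/external-general-entities".equals(name)) {` keeps the previous tolerance and is the conventional form. The comment above `setExpandEntities(value)` only cites the upstream issue and PR; a reader of this backport needs the why, e.g. `// Keep the SAX external-general-entities feature and this builder's expandEntities setting in sync so one cannot be turned off while the other is still on.` The third hunk moves the user-property loop from before `if (coreFeatures)` to after the try/catch whose catch clauses are visible at the old line 810, which changes the order in which parser properties are applied relative to the features set in between; the intent (presumably that user-supplied properties are applied last) is not recorded anywhere, and a one-line comment such as `// Applied last so user-specified properties take precedence over the defaults set above.` would stop a later merge moving it back. Only the general-entities feature name is mapped to setExpandEntities; whether the parameter-entities feature needs the same treatment is not answered by the hunk and deserves a note. Both setFeature and the method containing the moved loop extend beyond the hunks shown.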
diff --git a/jdom.spec b/jdom.spec
index 8562205..4690234 100644
--- a/jdom.spec
+++ b/jdom.spec
@@ -32,7 +32,7 @@
 Name: jdom
 Version: 1.1.3
-Release: 26%{?dist}
+Release: 27%{?dist}
 Summary: Java alternative to DOM and SAX
 License: Saxpath
 URL: http://www.jdom.org/
@@ -41,6 +41,12 @@ Source1: http://repo1.maven.org/maven2/org/jdom/jdom/%{version}/jdom-%{ve
 Patch0: %{name}-crosslink.patch
 Patch1: %{name}-1.1-OSGiManifest.patch
+#
+# Security patches
+# P100 -> ...
+#
+Patch100: CVE-2021-33813.patch
+
 BuildRequires: javapackages-local
 %if %{with bootstrap}
 BuildRequires: javapackages-bootstrap
@@ -105,6 +111,9 @@ cp -pr samples $RPM_BUILD_ROOT%{_datadir}/%{name}
 %license LICENSE.txt
 %changelog
+* Thu Jul 22 2021 Nicolas Lécureuil - 1.1.3-27
+- Add P100: Fixes CVE-2021-33813
+
 * Thu Jul 22 2021 Fedora Release Engineering - 1.1.3-26
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
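Review bot: `Patch100:` is declared in the second hunk, but no hunk touches `%prep`, so unless the spec already applies patches with `%autosetup`/`%autopatch` the new patch is listed and never applied and the rebuilt package would still contain the unpatched SAXBuilder; the `%prep` section should be checked, and if Patch0/Patch1 are applied individually a matching `%patch100 -p1` line is needed, with `-p1` because the patch's paths begin with `libjdom1-java-1.1.3.orig/`. The placeholder comment `# P100 -> ...` carries no information; replace it with `# P100: CVE-2021-33813 - SAXBuilder: keep external-general-entities feature and expandEntities in sync (backport of upstream jdom PR 188)`. The changelog entry could likewise cite the upstream issue so the fix is traceable from the package metadata alone.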