.gitignore

@@ -1 +1,14 @@
-SOURCES/xalan-j2-2.7.2.tar.gz
+/results_*
+/*.src.rpm
+
+/xalan-j2-notarget.patch
+/xalan-j_2_7_0-src-RHsemiCLEAN.tar.gz
+/xalan-j_2_7_1-src.tar.gz
+/serializer-2.7.1.pom
+/xalan-2.7.1.pom
+/xsltc-2.7.1.pom
+/xalan-j2-2.7.1.tar.gz
+/xalan-j2-2.7.2.tar.gz
+/xalan-2.7.2.pom
+/serializer-2.7.2.pom
+/xsltc-2.7.2.pom

.xalan-j2.metadata

@@ -1 +1,4 @@
-678a79a205b08c900722406f030e95fb7fa7f1c8 SOURCES/xalan-j2-2.7.2.tar.gz
+678a79a205b08c900722406f030e95fb7fa7f1c8 xalan-j2-2.7.2.tar.gz
+97d232191877cf441ac5b72d2cb05a3580ba9e7e xalan-2.7.2.pom
+454c86397279a646a38afad68bd8f2f465de7bfe serializer-2.7.2.pom
+e0fcfaac70d12dc0d48f96417fa59199bb6061a0 xsltc-2.7.2.pom

SOURCES/serializer-2.7.2.pom

@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project
-  xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-
-  <modelVersion>4.0.0</modelVersion>
-  <parent>
-    <groupId>org.apache</groupId>
-    <artifactId>apache</artifactId>
-    <version>4</version>
-  </parent>
-
-  <groupId>xalan</groupId>
-  <artifactId>serializer</artifactId>
-  <version>2.7.2</version>
-
-  <name>Xalan Java Serializer</name>
-  <description>
-    Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input
-    SAX events.
-  </description>
-  <url>http://xml.apache.org/xalan-j/</url>
-
-  <dependencies>
-    <dependency>
-      <groupId>xml-apis</groupId>
-      <artifactId>xml-apis</artifactId>
-      <version>1.3.04</version>
-    </dependency>
-    <dependency>
-      <groupId>xerces</groupId>
-      <artifactId>xercesImpl</artifactId>
-      <version>2.9.1</version>
-      <optional>true</optional>
-    </dependency>
-  </dependencies>
-
-</project>

SOURCES/xalan-2.7.2.pom

@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project 
-  xmlns="http://maven.apache.org/POM/4.0.0" 
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-
-  <modelVersion>4.0.0</modelVersion>
-  <parent>
-    <groupId>org.apache</groupId>
-    <artifactId>apache</artifactId>
-    <version>4</version>
-  </parent>
-
-  <groupId>xalan</groupId>
-  <artifactId>xalan</artifactId>
-  <version>2.7.2</version>
-
-  <name>Xalan Java</name>
-  <description>
-    Xalan-Java is an XSLT processor for transforming XML documents into HTML,
-    text, or other XML document types. It implements XSL Transformations (XSLT)
-    Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
-    the command line, in an applet or a servlet, or as a module in other program.
-  </description>
-  <url>http://xml.apache.org/xalan-j/</url>  
-
-  <dependencies>
-    <dependency>
-      <groupId>xalan</groupId>
-      <artifactId>serializer</artifactId>
-      <version>2.7.2</version>
-    </dependency>
-    <dependency>
-      <groupId>xerces</groupId>
-      <artifactId>xercesImpl</artifactId>
-      <version>2.9.1</version>
-      <optional>true</optional>
-    </dependency>
-  </dependencies>
-
-</project>

SOURCES/xsltc-2.7.2.pom

@@ -1,13 +0,0 @@
-<project>
-  <modelVersion>4.0.0</modelVersion>
-  <groupId>xalan</groupId>
-  <artifactId>xsltc</artifactId>
-  <version>2.7.2</version>
-  <dependencies>
-    <dependency>
-      <groupId>xalan</groupId>
-      <artifactId>xalan</artifactId>
-      <version>2.7.2</version>
-    </dependency>
-  </dependencies>
-</project>

gating.yaml

@@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_contexts:
+  - osci_compose_gate
+rules:
+  # https://docs.engineering.redhat.com/display/RHELPLAN/Maven+Bootstrap+manual+gating+test
+  - !PassingTestCaseRule {test_case_name: manual.sst_cs_apps.maven.bootstrap}

sources

@@ -0,0 +1,4 @@
+SHA512 (xalan-j2-2.7.2.tar.gz) = d30cc8179eb98704f8bbab80b6462565b177bc9cee99be042f0cad0d34924446574ae849f735fcc0cbbbcd81963c1b1bc0f76d8f981109ae168b21cb057c0eef
+SHA512 (xalan-2.7.2.pom) = 4b95e3eb3a2ab262c9a27040a5214cfb8c49c36ece8e71a933074eb063205ef96deff351f017b034c9c97d43d77b020482aade7bc01e1245d8ee10a51269c5ce
+SHA512 (serializer-2.7.2.pom) = 1a20cd7008ab876f9605a67515d558b26b9be009c4f49cb27ddf5aa715b5d164c476c236b6d6edf39e81538dfb1516271c3859af8e73f8cdbeee24efb45e9a44
+SHA512 (xsltc-2.7.2.pom) = 89c5c2cd358c32a9b8073869abdcb1df21a95c21a1a099c1b91f25ac3de7fdf9893977cb227efa4dad1de29773aaaef155155d1ec8648aae3c2e512154c200ef

xalan-j2-CVE-2014-0107.patch

@@ -0,0 +1,148 @@
+diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+index 1298943..96a5e58 100644
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
+           reader = XMLReaderFactory.createXMLReader();
+         }
+ 
++        if(m_isSecureProcessing)
++        {
++            reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++        }
+         // Need to set options!
+         reader.setContentHandler(handler);
+         reader.parse(isource);
+diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+index b946743..17b7395 100644
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
+       }
+       else
+       {
+-        // Can we switch the order here:
+-
+-        boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+-                             attributes.getQName(i), attributes.getValue(i),
+-                             target);
+-                             
+-        // Now we only add the element if it passed a validation check
+-        if (success)
+-            processedDefs.add(attrDef);
+-        else
+-            errorDefs.add(attrDef);
++        //handle secure processing
++        if(handler.getStylesheetProcessor()==null)
++            System.out.println("stylesheet processor null");
++        if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++        {
++            //foreign attributes are not allowed in secure processing mode
++            // Then barf, because this element does not allow this attribute.
++            handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++            //+ " attribute is not allowed on the " + rawName
++            // + " element!", null);
++        }
++        else
++        {
++
++
++            boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++                                 attributes.getQName(i), attributes.getValue(i),
++                                 target);
++
++            // Now we only add the element if it passed a validation check
++            if (success)
++                processedDefs.add(attrDef);
++            else
++                errorDefs.add(attrDef);
++        }
+       }
+     }
+ 
+diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
+index dd0d4d9..0906d24 100644
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
+     try
+     {
+       if (sroot.getExtensions() != null)
+-        m_extensionsTable = new ExtensionsTable(sroot);
++        //only load extensions if secureProcessing is disabled
++        if(!sroot.isSecureProcessing())
++            m_extensionsTable = new ExtensionsTable(sroot);
+     }
+     catch (javax.xml.transform.TransformerException te)
+     {te.printStackTrace();}
+diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
+index 4bea356..78ac980 100644
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
+ 
+     String fullName = m_arg0.execute(xctxt).str();
+     int indexOfNSSep = fullName.indexOf(':');
+-    String result;
++    String result = null;
+     String propName = "";
+ 
+     // List of properties where the name of the
+@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
+ 
+         try
+         {
+-          result = System.getProperty(propName);
+-
+-          if (null == result)
+-          {
+-
+-            // result = System.getenv(propName);
+-            return XString.EMPTYSTRING;
+-          }
++            //if secure procession is enabled only handle required properties do not not map any valid system property
++            if(!xctxt.isSecureProcessing())
++            {
++                result = System.getProperty(propName);
++            }
++            else
++            {
++                warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++                        new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
++            }
++            if (null == result)
++            {
++                return XString.EMPTYSTRING;
++            }
+         }
+         catch (SecurityException se)
+         {
+@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
+     {
+       try
+       {
+-        result = System.getProperty(fullName);
+-
+-        if (null == result)
+-        {
+-
+-          // result = System.getenv(fullName);
+-          return XString.EMPTYSTRING;
+-        }
++          //if secure procession is enabled only handle required properties do not not map any valid system property
++          if(!xctxt.isSecureProcessing())
++          {
++              result = System.getProperty(fullName);
++          }
++          else
++          {
++              warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++                      new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
++          }
++          if (null == result)
++          {
++              return XString.EMPTYSTRING;
++          }
+       }
+       catch (SecurityException se)
+       {

xalan-j2.spec

@@ -2,7 +2,7 @@
 
 Name:           xalan-j2
 Version:        2.7.2
-Release:        2%{?dist}
+Release:        10%{?dist}
 Summary:        Java XSLT processor
 # src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
 License:        ASL 2.0 and W3C
@@ -138,15 +138,52 @@ mv %{_javadir}/jaxp_transform_impl.jar{.tmp,} || :
 %doc build/docs/*
 
 %changelog
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.7.2-10
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Mon Jun 28 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.2-9
+- Build with OpenJDK 11
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0:2.7.2-8
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0:2.7.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0:2.7.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 0:2.7.2-5
+- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
+
+* Mon Jun 29 2020 Mat Booth <mat.booth@redhat.com> - 0:2.7.2-4
+- Peg to Java 8 due to build issues on Java 11
+
+* Fri Jun 19 2020 Mat Booth <mat.booth@redhat.com> - 0:2.7.2-3
+- Allow building against Java 11
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0:2.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
 * Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.2-2
 - Mass rebuild for javapackages-tools 201902
 
+* Wed Oct 16 2019 Fabio Valentini <decathorpe@gmail.com> - 0:2.7.2-1
+- Update to version 2.7.2.
+
 * Wed Jul 31 2019 Marian Koncek <mkoncek@redhat.com> - 2.7.2-1
 - Update to upstream version 2.7.2
 
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0:2.7.1-40
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
 * Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.1-39
 - Mass rebuild for javapackages-tools 201901
 
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0:2.7.1-39
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
 * Tue Aug 07 2018 Michael Simacek <msimacek@redhat.com> - 0:2.7.1-38
 - Update license of subpackages