diff --git a/.gitignore b/.gitignore
index 466352a..36e1cf7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
-Xerces-J-src.2.9.0.tar.gz
 /Xerces-J-src.2.11.0.tar.gz
+/xerces-2_11_0/
+/.project
+/.build-*.log
+/noarch/
+/*.src.rpm
diff --git a/xerces-j2-CVE-2013-4002.patch b/xerces-j2-CVE-2013-4002.patch
new file mode 100644
index 0000000..a2f5516
--- /dev/null
+++ b/xerces-j2-CVE-2013-4002.patch
@@ -0,0 +1,47 @@
+--- src/org/apache/xerces/impl/XMLScanner.java 2013/07/03 18:25:06 1499505
++++ src/org/apache/xerces/impl/XMLScanner.java 2013/07/03 18:29:43 1499506
+@@ -542,7 +542,7 @@
+ // document is until we scan the encoding declaration
+ // you cannot reliably read any characters outside
+ // of the ASCII range here. -- mrglavas
+- String name = fEntityScanner.scanName();
++ String name = scanPseudoAttributeName();
+ XMLEntityManager.print(fEntityManager.getCurrentEntity());
+ if (name == null) {
+ reportFatalError("PseudoAttrNameExpected", null);
+@@ -599,6 +599,35 @@
+ } // scanPseudoAttribute(XMLString):String
+
+ /**
++ * Scans the name of a pseudo attribute. The only legal names
++ * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
++ *
++ * @return the name of the pseudo attribute or null
++ * if a legal pseudo attribute name could not be scanned.
++ */
++ private String scanPseudoAttributeName() throws IOException, XNIException {
++ final int ch = fEntityScanner.peekChar();
++ switch (ch) {
++ case 'v':
++ if (fEntityScanner.skipString(fVersionSymbol)) {
++ return fVersionSymbol;
++ }
++ break;
++ case 'e':
++ if (fEntityScanner.skipString(fEncodingSymbol)) {
++ return fEncodingSymbol;
++ }
++ break;
++ case 's':
++ if (fEntityScanner.skipString(fStandaloneSymbol)) {
++ return fStandaloneSymbol;
++ }
++ break;
++ }
++ return null;
++ } // scanPseudoAttributeName()
++
++ /**
+ * Scans a processing instruction.
+ *

+ *
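Review bot: The new patch file has no free-text preamble, so its origin and purpose are only recoverable from the comments in the spec; since `patch` ignores text before the first `---` header, a short header at the top of the file would make it self-describing, e.g. `Backport of upstream r1499506 (CVE-2013-4002): scan only the legal XML-declaration pseudo-attribute names (version, encoding, standalone) instead of an arbitrary name.` The revision numbers in the `---`/`+++` timestamps (1499505 to 1499506) agree with the revision the spec cites, and the prefix-less `src/...` paths match the `-p0` the spec applies it with. The inner hunk at `@@ -542,7 +542,7 @@` changes only the `scanName()` call; the enclosing `scanPseudoAttribute` method starts and ends outside that hunk, so the fatal-error path that consumes the `null` return is visible only in its last context lines.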

diff --git a/xerces-j2.spec b/xerces-j2.spec
index 15b22ec..03d4863 100644
--- a/xerces-j2.spec
+++ b/xerces-j2.spec
@@ -4,7 +4,7 @@
 
 Name:          xerces-j2
 Version:       2.11.0
-Release:       21%{?dist}
+Release:       22%{?dist}
 Summary:       Java XML parser
 Group:         Development/Libraries
 License:       ASL 2.0
@@ -31,6 +31,10 @@ Patch0:        %{name}-build.patch
 # Patch the manifest so that it includes OSGi stuff
 Patch1:        %{name}-manifest.patch
 
+# Backported fix from upstream http://svn.apache.org/viewvc?view=revision&revision=1499506
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1140031
+Patch2:        xerces-j2-CVE-2013-4002.patch
+
 BuildArch:     noarch
 
 BuildRequires: java-devel >= 1:1.6.0
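Review bot: `Patch2:        xerces-j2-CVE-2013-4002.patch` spells the package name literally while Patch0 and Patch1 use the `%{name}-` macro form; `Patch2:        %{name}-CVE-2013-4002.patch` resolves to the same file and keeps the three declarations consistent. The two provenance comments above it are useful, but a CVE number alone does not tell a reader what the patch changes; a third line such as `# Restricts XML-declaration pseudo-attribute names to version/encoding/standalone` would save a trip to the patch file.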
@@ -114,6 +118,7 @@ Requires:       %{name} = %{version}-%{release}
 %setup -q -n xerces-%{cvs_version}
 %patch0 -p0 -b .orig
 %patch1 -p0 -b .orig
+%patch2 -p0 -b .orig
 
 # Copy the custom ant tasks into place
 mkdir -p tools/org/apache/xerces/util
@@ -206,16 +211,16 @@ update-alternatives --install %{_javadir}/jaxp_parser_impl.jar \
 %ghost %{_javadir}/jaxp_parser_impl.jar
 
 %files javadoc
-%{_javadocdir}/%{name}/impl
-%{_javadocdir}/%{name}/xs
-%{_javadocdir}/%{name}/xni
-%{_javadocdir}/%{name}/other
+%{_javadocdir}/%{name}
 
 %files demo
-%defattr(-,root,root,-)
 %{_datadir}/%{name}
 
 %changelog
+* Wed Sep 10 2014 Mat Booth  - 2.11.0-22
+- Add patch for CVE-2013-4002, rhbz #1140031
+- Fix ownership of javadoc directory
+
 * Mon Aug 11 2014 Mikolaj Izdebski  - 2.11.0-21
 - Workaround regression in %%add_maven_depmap -a parameter handling