Add patch for CVE-2013-4002, rhbz #1140031

- Fix ownership of javadoc directory

.gitignore

@@ -1,2 +1,6 @@
-Xerces-J-src.2.9.0.tar.gz
 /Xerces-J-src.2.11.0.tar.gz
+/xerces-2_11_0/
+/.project
+/.build-*.log
+/noarch/
+/*.src.rpm

xerces-j2-CVE-2013-4002.patch

@@ -0,0 +1,47 @@
+--- src/org/apache/xerces/impl/XMLScanner.java	2013/07/03 18:25:06	1499505
++++ src/org/apache/xerces/impl/XMLScanner.java	2013/07/03 18:29:43	1499506
+@@ -542,7 +542,7 @@
+         // document is until we scan the encoding declaration
+         // you cannot reliably read any characters outside
+         // of the ASCII range here. -- mrglavas
+-        String name = fEntityScanner.scanName();
++        String name = scanPseudoAttributeName();
+         XMLEntityManager.print(fEntityManager.getCurrentEntity());
+         if (name == null) {
+             reportFatalError("PseudoAttrNameExpected", null);
+@@ -599,6 +599,35 @@
+     } // scanPseudoAttribute(XMLString):String
+     
+     /**
++     * Scans the name of a pseudo attribute. The only legal names
++     * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
++     * 
++     * @return the name of the pseudo attribute or <code>null</code>
++     * if a legal pseudo attribute name could not be scanned.
++     */
++    private String scanPseudoAttributeName() throws IOException, XNIException {
++        final int ch = fEntityScanner.peekChar();
++        switch (ch) {
++            case 'v':
++                if (fEntityScanner.skipString(fVersionSymbol)) {
++                    return fVersionSymbol;
++                }
++                break;
++            case 'e':
++                if (fEntityScanner.skipString(fEncodingSymbol)) {
++                    return fEncodingSymbol;
++                }
++                break;
++            case 's':
++                if (fEntityScanner.skipString(fStandaloneSymbol)) {
++                    return fStandaloneSymbol;
++                }
++                break;
++        }
++        return null;
++    } // scanPseudoAttributeName()
++    
++    /**
+      * Scans a processing instruction.
+      * <p>
+      * <pre>

xerces-j2.spec

@@ -4,7 +4,7 @@
 
 Name:          xerces-j2
 Version:       2.11.0
-Release:       21%{?dist}
+Release:       22%{?dist}
 Summary:       Java XML parser
 Group:         Development/Libraries
 License:       ASL 2.0
@@ -31,6 +31,10 @@ Patch0:        %{name}-build.patch
 # Patch the manifest so that it includes OSGi stuff
 Patch1:        %{name}-manifest.patch
 
+# Backported fix from upstream http://svn.apache.org/viewvc?view=revision&revision=1499506
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1140031
+Patch2:        xerces-j2-CVE-2013-4002.patch
+
 BuildArch:     noarch
 
 BuildRequires: java-devel >= 1:1.6.0
@@ -114,6 +118,7 @@ Requires:       %{name} = %{version}-%{release}
 %setup -q -n xerces-%{cvs_version}
 %patch0 -p0 -b .orig
 %patch1 -p0 -b .orig
+%patch2 -p0 -b .orig
 
 # Copy the custom ant tasks into place
 mkdir -p tools/org/apache/xerces/util
@@ -206,16 +211,16 @@ update-alternatives --install %{_javadir}/jaxp_parser_impl.jar \
 %ghost %{_javadir}/jaxp_parser_impl.jar
 
 %files javadoc
-%{_javadocdir}/%{name}/impl
+%{_javadocdir}/%{name}
-%{_javadocdir}/%{name}/xs
-%{_javadocdir}/%{name}/xni
-%{_javadocdir}/%{name}/other
 
 %files demo
-%defattr(-,root,root,-)
 %{_datadir}/%{name}
 
 %changelog
+* Wed Sep 10 2014 Mat Booth <mat.booth@redhat.com> - 2.11.0-22
+- Add patch for CVE-2013-4002, rhbz #1140031
+- Fix ownership of javadoc directory
+
 * Mon Aug 11 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.11.0-21
 - Workaround regression in %%add_maven_depmap -a parameter handling