Hello community,

here is the log from the commit of package castor for openSUSE:Factory checked 
in at 2014-06-16 21:25:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/castor (Old)
 and      /work/SRC/openSUSE:Factory/.castor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "castor"

Changes:
--------
--- /work/SRC/openSUSE:Factory/castor/castor.changes    2013-11-15 
13:14:14.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.castor.new/castor.changes       2014-06-16 
21:25:41.000000000 +0200
@@ -1,0 +2,12 @@
+Thu Jun 12 15:09:02 UTC 2014 - [email protected]
+
+- Backport fix for CVE-2013-3004 from upstream repository.
+  Fixes bnc#882408.
+  * castor-0.9.5-CVE-2014-3004.patch
+
+-------------------------------------------------------------------
+Thu Jun 12 08:22:55 UTC 2014 - [email protected]
+
+- Cleanup with spec-cleaner and use proper homepage that works.
+
+-------------------------------------------------------------------

New:
----
  castor-0.9.5-CVE-2014-3004.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ castor.spec ++++++
--- /var/tmp/diff_new_pack.q3TvHH/_old  2014-06-16 21:25:42.000000000 +0200
+++ /var/tmp/diff_new_pack.q3TvHH/_new  2014-06-16 21:25:42.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package castor
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,8 +17,20 @@
 
 
 Name:           castor
+Version:        0.9.5
+Release:        0
+Summary:        An Open Source Data Binding Framework for Java
+License:        BSD-3-Clause
+Group:          Development/Libraries/Java
+Url:            http://castor.codehaus.org/
+Source0:        
ftp://ftp.exolab.org/pub/castor/castor_0.9.5/castor-0.9.5-src.tar.bz2
+Patch0:         castor-unicode-document-fix.patch
+Patch1:         castor-0.9.5-CVE-2014-3004.patch
 BuildRequires:  adaptx
 BuildRequires:  ant
+#!BuildIgnore:  java-1_6_0-openjdk java-1_6_0-openjdk-devel
+#!BuildIgnore:  java-1_7_0-openjdk java-1_7_0-openjdk-devel
+BuildRequires:  fdupes
 BuildRequires:  java-1_5_0-gcj-compat-devel
 BuildRequires:  jta
 BuildRequires:  junit
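Review bot: `Patch1: castor-0.9.5-CVE-2014-3004.patch` is added without a tag comment, and the castor.changes entry in this same commit cites CVE-2013-3004 while the patch file name says CVE-2014-3004. One of the two identifiers is presumably a typo and should be reconciled so the fix can be located by CVE id. A tag line above the patch would help, e.g. `# PATCH-FIX-UPSTREAM castor-0.9.5-CVE-2014-3004.patch bnc#882408 -- disable external entities in the SAX parser`. `Source0` is still fetched over plain `ftp://` (moved, not introduced, by this hunk), and no checksum or signature for the tarball is visible in the spec.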
@@ -26,24 +38,6 @@
 BuildRequires:  regexp
 BuildRequires:  servletapi3
 BuildRequires:  xml-commons-apis
-#!BuildIgnore:  java-1_6_0-openjdk java-1_6_0-openjdk-devel
-#!BuildIgnore:  java-1_7_0-openjdk java-1_7_0-openjdk-devel
-BuildRequires:  fdupes
-%define name            castor
-%define version         0.9.5
-%define release         1jpp
-%define section         free
-Summary:        An Open Source Data Binding Framework for Java
-License:        BSD-3-Clause
-Group:          Development/Libraries/Java
-Version:        0.9.5
-Release:        0
-Url:            http://www.castor.org/
-Source0:        
ftp://ftp.exolab.org/pub/castor/castor_0.9.5/castor-0.9.5-src.tar.bz2
-Patch0:         castor-unicode-document-fix.patch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildArch:      noarch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires:       adaptx
 Requires:       jdbc-stdext
 Requires:       jndi
@@ -52,6 +46,8 @@
 Requires:       oro
 Requires:       regexp
 Requires:       xerces-j2
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildArch:      noarch
 
 %description
 Castor is an open source data binding framework for Java. It is
@@ -59,8 +55,6 @@
 SQL tables. Castor provides Java to XML binding, Java to SQL
 persistence, and more.
 
-
-
 %package demo
 Summary:        Demonstration and sample file for castor
 Group:          Development/Libraries/Java
@@ -75,8 +69,6 @@
 
 This package contains demonstration and sample files for Castor.
 
-
-
 %package test
 Summary:        Tests for castor
 Group:          Development/Libraries/Java
@@ -91,8 +83,6 @@
 
 This package contains tests for Castor.
 
-
-
 %package xml
 Summary:        XML support for castor
 Group:          Development/Libraries/Java
@@ -118,11 +108,10 @@
 
 This package contains the documentation for Castor.
 
-
-
 %prep
 %setup -q
 %patch0 -b .sav
+%patch1 -p1
 find . -name "*.jar" -exec rm -f {} \;
 perl -p -i -e 
's|org.apache.xerces.utils.regex|org.apache.xerces.impl.xpath.regex|g;' \
 src/main/org/exolab/castor/util/XercesRegExpEvaluator.java
@@ -147,14 +136,14 @@
 #export ANT_OPTS="--param max-fields-for-field-sensitive=1 -O1"
 export GC_MAXIMUM_HEAP_SIZE="134217728"
 # jar
-install -d -m 755 $RPM_BUILD_ROOT%{_javadir}
-install -m 644 dist/%{name}-%{version}.jar 
$RPM_BUILD_ROOT%{_javadir}/%{name}-%{version}.jar
-install -m 644 dist/%{name}-%{version}-xml.jar 
$RPM_BUILD_ROOT%{_javadir}/%{name}-xml-%{version}.jar
-install -m 644 dist/CTF-%{version}.jar 
$RPM_BUILD_ROOT%{_javadir}/%{name}-tests-%{version}.jar
-(cd $RPM_BUILD_ROOT%{_javadir} && for jar in *-%{version}.jar; do ln -sf 
${jar} `echo $jar| sed  "s|-%{version}||g"`; done)
+install -d -m 755 %{buildroot}%{_javadir}
+install -m 644 dist/%{name}-%{version}.jar 
%{buildroot}%{_javadir}/%{name}-%{version}.jar
+install -m 644 dist/%{name}-%{version}-xml.jar 
%{buildroot}%{_javadir}/%{name}-xml-%{version}.jar
+install -m 644 dist/CTF-%{version}.jar 
%{buildroot}%{_javadir}/%{name}-tests-%{version}.jar
+(cd %{buildroot}%{_javadir} && for jar in *-%{version}.jar; do ln -sf ${jar} 
`echo $jar| sed  "s|-%{version}||g"`; done)
 # examples (demo)
-install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/%{name}/examples
-cp -pr build/examples/* $RPM_BUILD_ROOT%{_datadir}/%{name}/examples
+install -d -m 755 %{buildroot}%{_datadir}/%{name}/examples
+cp -pr build/examples/* %{buildroot}%{_datadir}/%{name}/examples
 
 # do this last, since it will delete all build directories
 export CLASSPATH=%(build-classpath adaptx log4j)
@@ -165,7 +154,7 @@
 
 %files
 %defattr(0644,root,root,0755)
-%doc src/etc/{CHANGELOG,LICENSE,README}
+%doc src%{_sysconfdir}/{CHANGELOG,LICENSE,README}
 %attr(0755,root,root) %{_bindir}/%{name}
 %{_javadir}/%{name}-%{version}.jar
 %{_javadir}/%{name}.jar
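Review bot: `%doc src%{_sysconfdir}/{CHANGELOG,LICENSE,README}` replaces a literal directory inside the source tarball (`src/etc`) with the system configuration macro. The path only resolves while `%{_sysconfdir}` expands to `/etc`, and it reads as though the docs come from the system configuration directory. This looks like an over-eager automated cleanup; keeping `%doc src/etc/{CHANGELOG,LICENSE,README}` is clearer and does not depend on the macro's value. The `%files` section continues outside the hunk.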

++++++ castor-0.9.5-CVE-2014-3004.patch ++++++
diff -urN castor-0.9.5.old/src/doc/conf-lib.xml 
castor-0.9.5/src/doc/conf-lib.xml
--- castor-0.9.5.old/src/doc/conf-lib.xml       2014-06-12 13:41:30.342969269 
+0200
+++ castor-0.9.5/src/doc/conf-lib.xml   2014-06-12 14:12:10.220139402 +0200
@@ -45,7 +45,12 @@
   # Comma separated list of SAX 2 features that should be enabled
   # for the default parser
   #
-  org.exolab.castor.features=
+  org.exolab.castor.sax.features=
+
+  # Comma separated list of SAX 2 features that should be disabled
+  # for the default parser
+  #
+  org.exolab.castor.sax.features-to-disable=
 
   # True if should produce verbose messages
   #
diff -urN castor-0.9.5.old/src/etc/castor.properties 
castor-0.9.5/src/etc/castor.properties
--- castor-0.9.5.old/src/etc/castor.properties  2014-06-12 13:41:30.344969269 
+0200
+++ castor-0.9.5/src/etc/castor.properties      2014-06-12 13:55:57.979049499 
+0200
@@ -24,6 +24,21 @@
 #
 #org.exolab.castor.indent=true
 
+# Comma separated list of SAX 2 features that should be disabled for the
+# default parser.
+#
+# Possible values:
+# - <null> 
+# - A list if SAX 2 features (comma-separated) to be disabled. (default)
+#
+# <pre>
+# org.exolab.castor.sax.features-to-disable
+# </pre>
+#
+org.exolab.castor.sax.features-to-disable=\
+  http://xml.org/sax/features/external-general-entities,\
+  http://xml.org/sax/features/external-parameter-entities,\
+  http://apache.org/xml/features/nonvalidating/load-external-dtd
 
 
 # True if xml documents should be validated by the SAX Parser
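Review bot: The hardening exists only as this property value, because `setFeaturesOnXmlReader` in Configuration.java reads it with `getProperty(Property.ParserFeaturesToDisable, "")`. A deployment whose own castor.properties omits the key would therefore get an empty list and no external-entity restriction, assuming a local file replaces rather than merges with this one, which is not visible here. Consider making the three feature URIs the in-code fallback instead of `""`. The added comment also has a typo and is unclear: `# - A list if SAX 2 features (comma-separated) to be disabled. (default)` should read `# - A list of SAX 2 features ...`, and the `<null>` entry does not say what an empty value means for the parser.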
@@ -38,7 +53,7 @@
 # Comma separated list of SAX 2 features that should be enabled
 # for the default parser.
 #
-#org.exolab.castor.features=
+#org.exolab.castor.sax.features=
 
 
 # True if should produce verbose messages
diff -urN castor-0.9.5.old/src/main/org/exolab/castor/util/Configuration.java 
castor-0.9.5/src/main/org/exolab/castor/util/Configuration.java
--- castor-0.9.5.old/src/main/org/exolab/castor/util/Configuration.java 
2014-06-12 13:41:30.336969268 +0200
+++ castor-0.9.5/src/main/org/exolab/castor/util/Configuration.java     
2014-06-12 16:59:51.975069813 +0200
@@ -58,6 +58,8 @@
 import java.util.Hashtable;
 import java.net.URL;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.DocumentHandler;
 import org.xml.sax.Parser;
 import org.xml.sax.XMLReader;
@@ -183,6 +185,15 @@
          */
         public static final String ParserFeatures = 
"org.exolab.castor.sax.features";
 
+        /**
+         * Property specifying features to be disbaled on the underlying SAX 
parser.
+         * This value contains a comma separated list of features to be 
disabled.
+         * <pre>
+         * org.exolab.castor.sax.features-to-disable
+         * </pre>
+         */
+        public static final String ParserFeaturesToDisable = 
"org.exolab.castor.sax.features-to-disable";
+
         public static final String ParserFeatureSeparator = ",";
 
         /**
@@ -555,29 +566,74 @@
                                                          prop, except ) );
         }
 
-        if ( parser instanceof XMLReader ) {
-            StringTokenizer token;
-            boolean         flag;            
-            XMLReader xmlReader = (XMLReader)parser;
-            try {
-                xmlReader.setFeature( Features.Validation, validation );
-                xmlReader.setFeature( Features.Namespaces, namespaces );
-                features = getDefault().getProperty( Property.ParserFeatures, 
features );
-                if ( features != null ) {
-                    token = new StringTokenizer( features, ", " );
-                    while ( token.hasMoreTokens() ) {
-                        xmlReader.setFeature( token.nextToken(), true );
-                    }
-                }
-            } 
-            catch ( SAXException except ) {
-                Logger.getSystemLogger().println( Messages.format( 
"conf.configurationError", except ) );
-            }
+        if (parser instanceof XMLReader) {
+           XMLReader xmlReader = (XMLReader) parser;
+           setFeaturesOnXmlReader(features, validation, namespaces, xmlReader);
         }
         return parser;
     }
 
     /**
+     * Sets features on XML reader instance.
+     * @param features
+     * @param validation Whether to enable validation or not.
+     * @param namespaces Whether to enable namespace support for not.
+     * @param xmlReader The XMLReader instance to configure.
+     */
+    protected static void setFeaturesOnXmlReader(String features, 
+            final boolean validation, 
+            final boolean namespaces, 
+            final XMLReader xmlReader) {
+        StringTokenizer token;
+        try {
+            xmlReader.setFeature(Features.Validation, validation);
+            xmlReader.setFeature(Features.Namespaces, namespaces);
+            features = getDefault().getProperty(Property.ParserFeatures, 
features);
+            enableFeatures(features, xmlReader);
+            String featuresToDisable = 
getDefault().getProperty(Property.ParserFeaturesToDisable, "");
+            disableFeatures(featuresToDisable, xmlReader);
+        } catch (SAXException except) {
+            
Logger.getSystemLogger().println(Messages.format("conf.configurationError", 
except));
+        }
+    }
+
+    /**
+     * Enables selected features on the XMLReader instance
+     * @param features Features to enable
+     * @param xmlReader XMLReader instance to be configured.
+     * @throws SAXNotRecognizedException If the feature is not recognized by 
the XMLReader.
+     * @throws SAXNotSupportedException If the feature is not supported by the 
XMLReader.
+     */
+    private static void enableFeatures(final String features, final XMLReader 
xmlReader) 
+        throws SAXNotRecognizedException, SAXNotSupportedException {
+        StringTokenizer token;
+        if (features != null) {
+            token = new StringTokenizer(features, ", ");
+            while (token.hasMoreTokens()) {
+                xmlReader.setFeature(token.nextToken(), true);
+            }
+        }
+    }
+
+    /**
+     * Disables selected features on the XMLReader instance
+     * @param features Features to disable
+     * @param xmlReader XMLReader instance to be configured.
+     * @throws SAXNotRecognizedException If the feature is not recognized by 
the XMLReader.
+     * @throws SAXNotSupportedException If the feature is not supported by the 
XMLReader.
+     */
+    private static void disableFeatures(String features, final XMLReader 
xmlReader) 
+        throws SAXNotRecognizedException, SAXNotSupportedException {
+        StringTokenizer token;
+        if (features != null) {
+            token = new StringTokenizer(features, ", ");
+            while (token.hasMoreTokens()) {
+                xmlReader.setFeature(token.nextToken(), true);
+            }
+        }
+    }
+
+    /**
      * Returns the currently configured NodeType to use for Java 
      * primitives. A null value will be returned if no NodeType was 
      * specified, indicating the default NodeType should be used.
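Review bot: `disableFeatures` calls `xmlReader.setFeature(token.nextToken(), true)`, so every feature listed under `org.exolab.castor.sax.features-to-disable` is switched on rather than off. With the defaults added to castor.properties, that enables external general and parameter entities and external DTD loading, the opposite of what this backport intends. The call should be `xmlReader.setFeature(token.nextToken(), false);`. Separately, `setFeaturesOnXmlReader` wraps all the calls in a single `catch (SAXException except)` that only logs, so a parser that rejects one feature name leaves the remaining ones unset while parsing continues; handling the exception per feature, or failing parser setup, would be safer. The LocalConfiguration.java hunk calls this same method and inherits the behaviour, and the `StringTokenizer token;` local in `setFeaturesOnXmlReader` is unused.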
diff -urN 
castor-0.9.5.old/src/main/org/exolab/castor/util/LocalConfiguration.java 
castor-0.9.5/src/main/org/exolab/castor/util/LocalConfiguration.java
--- castor-0.9.5.old/src/main/org/exolab/castor/util/LocalConfiguration.java    
2014-06-12 13:41:30.336969268 +0200
+++ castor-0.9.5/src/main/org/exolab/castor/util/LocalConfiguration.java        
2014-06-12 14:09:12.421122961 +0200
@@ -326,25 +326,11 @@
                                                          prop, except ) );
         }
 
-        if ( parser instanceof XMLReader ) {
-            StringTokenizer token;
-            boolean         flag;            
-            XMLReader xmlReader = (XMLReader)parser;
-            try {
-                xmlReader.setFeature( Features.Validation, validation );
-                xmlReader.setFeature( Features.Namespaces, namespaces );
-                features = getDefault().getProperty( Property.ParserFeatures, 
features );
-                if ( features != null ) {
-                    token = new StringTokenizer( features, ", " );
-                    while ( token.hasMoreTokens() ) {
-                        xmlReader.setFeature( token.nextToken(), true );
-                    }
-                }
-            } 
-            catch ( SAXException except ) {
-                Logger.getSystemLogger().println( Messages.format( 
"conf.configurationError", except ) );
-            }
+        if (parser instanceof XMLReader) {
+            XMLReader xmlReader = (XMLReader) parser;
+            setFeaturesOnXmlReader(features, validation, namespaces, 
xmlReader);
         }
+
         return parser;
         
     }