Hello community, here is the log from the commit of package dom4j for openSUSE:Leap:15.2 checked in at 2020-05-04 08:22:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/dom4j (Old) and /work/SRC/openSUSE:Leap:15.2/.dom4j.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dom4j" Mon May 4 08:22:26 2020 rev:16 rq:799252 version:1.6.1 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/dom4j/dom4j.changes 2020-01-15 14:52:47.233501846 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.dom4j.new.2738/dom4j.changes 2020-05-04 08:22:27.088338033 +0200 @@ -1,0 +2,7 @@ +Fri Apr 17 12:04:59 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Security fix: [bsc#1169760, CVE-2020-10683] + * External Entity vulnerability in default SAX parser + * Add dom4j-CVE-2020-10683.patch + +------------------------------------------------------------------- @@ -18,0 +26,16 @@ +Tue Jul 10 12:41:17 UTC 2018 - fst...@suse.com + +- Added patch: + * dom4j-javadoc.patch + + Don't load urls while building javadoc in environment without + connectivity + +------------------------------------------------------------------- +Wed May 16 11:56:27 UTC 2018 - fst...@suse.com + +- Modified patch: + * dom4j-sourcetarget.patch + + Build with source and target 8 to prepare for a possible + removal of 1.6 compatibility + +------------------------------------------------------------------- New: ---- dom4j-CVE-2020-10683.patch dom4j-javadoc.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dom4j.spec ++++++ --- /var/tmp/diff_new_pack.hAPPDc/_old 2020-05-04 08:22:27.500338916 +0200 +++ /var/tmp/diff_new_pack.hAPPDc/_new 2020-05-04 08:22:27.504338924 +0200 @@ -1,7 +1,7 @@ # # spec file for package dom4j # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -22,7 +22,7 @@ Summary: JarJar of dom4j for JBoss License: Apache-1.1 Group: Development/Libraries/Java -Url: http://www.dom4j.org/ +URL: http://www.dom4j.org/ #Source0: dom4j-1.6.1.tar.gz # Debian sources don't need a proprietary msv for build, so that's why I used them # svn co svn://svn.debian.org/svn/pkg-java/trunk/dom4j @@ -36,14 +36,18 @@ Source2: http://repo1.maven.org/maven2/dom4j/dom4j/1.6.1/dom4j-1.6.1.pom Patch0: dom4j-1.6.1-bug1618750.patch Patch1: dom4j-sourcetarget.patch +Patch2: dom4j-javadoc.patch # PATCH-FIX-UPSTREAM bsc#1105443 CVE-2018-1000632 Patch3: dom4j-CVE-2018-1000632.patch # PATCH-FIX-OPENSUSE bsc#1123158 Don't disable STAX and datatypes Patch4: dom4j-enable-stax-datatypes.patch +# PATCH-FIX-UPSTREAM bsc#1169760 CVE-2020-10683 XML Externl Entity vulnerability in default SAX parser +Patch5: dom4j-CVE-2020-10683.patch BuildRequires: ant >= 1.6.5 BuildRequires: ant-apache-resolver BuildRequires: ant-junit BuildRequires: bea-stax +BuildRequires: fdupes BuildRequires: isorelax BuildRequires: java-devel >= 1.6 # Needed for maven conversions @@ -131,8 +135,10 @@ rm -f src/test/org/dom4j/io/StaxTest.java %patch0 -p1 -b .bug1618750 %patch1 -p1 -b .sourcetarget +%patch2 -p1 -b .javadoc %patch3 -p1 %patch4 -p1 +%patch5 -p1 perl -pi -e 's/\r//g' LICENSE.txt docs/clover/*.css docs/style/*.css docs/xref/*.css docs/xref-test/*.css src/doc/style/*.css docs/benchmarks/xpath/*.java pushd lib 
@@ -192,10 +198,13 @@ cp -pr src/samples %{buildroot}%{_datadir}/%{name}/src #cp -pr build/classes/org/dom4j/samples $RPM_BUILD_ROOT%%{_datadir}/%%{name}/classes/org/dom4j install -m 0755 run.sh %{buildroot}%{_datadir}/%{name} +%fdupes -s %{buildroot}%{_javadocdir}/%{name} +%fdupes -s %{buildroot}%{_docdir}/%{name}-%{version} +%fdupes -s %{buildroot}%{_datadir}/%{name} %files %defattr(0644,root,root,0755) -%doc LICENSE.txt +%license LICENSE.txt %{_javadir}/%{name}.jar %{_javadir}/%{name}-%{version}.jar %{_mavenpomdir}/* ++++++ dom4j-CVE-2020-10683.patch ++++++ >From a8228522a99a02146106672a34c104adbda5c658 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <fi...@jirsak.org> Date: Sat, 11 Apr 2020 19:06:44 +0200 Subject: [PATCH] SAXReader uses system default XMLReader with its defaults. New factory method SAXReader.createDefault() sets more secure defaults. --- src/java/org/dom4j/DocumentHelper.java | 65 +- src/java/org/dom4j/io/SAXHelper.java | 37 +- src/java/org/dom4j/io/SAXReader.java | 1824 ++++++++++--------- 3 files changed, 973 insertions(+), 953 deletions(-) Index: dom4j/src/java/org/dom4j/io/SAXHelper.java =================================================================== --- dom4j.orig/src/java/org/dom4j/io/SAXHelper.java +++ dom4j/src/java/org/dom4j/io/SAXHelper.java @@ -13,6 +13,8 @@ import org.xml.sax.SAXNotSupportedExcept import org.xml.sax.XMLReader; import org.xml.sax.helpers.XMLReaderFactory; +import javax.xml.parsers.SAXParserFactory; + /** * <p> * <code>SAXHelper</code> contains some helper methods for working with SAX 
@@ -59,9 +61,18 @@ class SAXHelper { } /** - * Creats a default XMLReader via the org.xml.sax.driver system property or + * Creates a default XMLReader via the org.xml.sax.driver system property or * JAXP if the system property is not set. * + * This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}. + * Be sure to configure returned reader if the default configuration does not suit you. Consider setting the following properties: + * + * <pre> + * reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + * reader.setFeature("http://xml.org/sax/features/external-general-entities", false); + * reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + * </pre> + * * @param validating * DOCUMENT ME! * Index: dom4j/src/java/org/dom4j/io/SAXReader.java =================================================================== --- dom4j.orig/src/java/org/dom4j/io/SAXReader.java +++ dom4j/src/java/org/dom4j/io/SAXReader.java @@ -30,6 +30,8 @@ import org.xml.sax.XMLReader; import org.xml.sax.helpers.DefaultHandler; import org.xml.sax.helpers.XMLReaderFactory; +import javax.xml.parsers.SAXParserFactory; + /** * <p> * <code>SAXReader</code> creates a DOM4J tree from SAX parsing events. 
@@ -135,17 +137,76 @@ public class SAXReader { /** The SAX filter used to filter SAX events */ private XMLFilter xmlFilter; + public static SAXReader createDefault() { + SAXReader reader = new SAXReader(); + try { + reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + reader.setFeature("http://xml.org/sax/features/external-general-entities", false); + reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + } catch (SAXException e) { + // nothing to do, incompatible reader + } + return reader; + } + + /** + * This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}. + * Be sure to configure returned reader if the default configuration does not suit you. Consider setting the following properties: + * + * <pre> + * reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + * reader.setFeature("http://xml.org/sax/features/external-general-entities", false); + * reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + * </pre> + */ public SAXReader() { } + /** + * This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}. + * Be sure to configure returned reader if the default configuration does not suit you. 
Consider setting the following properties: + * + * <pre> + * reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + * reader.setFeature("http://xml.org/sax/features/external-general-entities", false); + * reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + * </pre> + * + * @param validating + */ public SAXReader(boolean validating) { this.validating = validating; } + /** + * This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}. + * Be sure to configure returned reader if the default configuration does not suit you. Consider setting the following properties: + * + * <pre> + * reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + * reader.setFeature("http://xml.org/sax/features/external-general-entities", false); + * reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + * </pre> + * + * @param factory + */ public SAXReader(DocumentFactory factory) { this.factory = factory; } + /** + * This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}. + * Be sure to configure returned reader if the default configuration does not suit you. Consider setting the following properties: + * + * <pre> + * reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + * reader.setFeature("http://xml.org/sax/features/external-general-entities", false); + * reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + * </pre> + * + * @param factory + * @param validating + */ public SAXReader(DocumentFactory factory, boolean validating) { this.factory = factory; this.validating = validating; 
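Review bot: `createDefault()` catches the `SAXException` from `setFeature` and still returns the reader, so a caller asking for the hardened defaults can silently get one whose external-entity handling is whatever the underlying parser chose, with no way to tell. Either fail closed — `throw new IllegalStateException("XMLReader does not support the secure default features", e);` in place of the empty catch — or, if readers lacking these features must stay usable, say so in a Javadoc on `createDefault()` (it currently has none) and name the three features it attempts to set. That Javadoc should also state that the features are applied to the `XMLReader` instance that `setFeature` obtains via `getXMLReader()`, so a later `setXMLReader(...)` (which simply assigns `this.xmlReader`) replaces that instance and the hardening along with it. The block copied onto the four constructors ("This method internally calls SAXParserFactory...") does not describe them — they only assign fields, and the reader is created lazily by `getXMLReader()`/`createXMLReader()` — so I'd replace it with one sentence pointing at `createDefault()` for hardened parsing. The class body continues outside the hunk.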
@@ -185,14 +246,10 @@ public class SAXReader { * this method is to correctly configure an XMLReader object instance and * call the {@link #setXMLReader(XMLReader)}method * - * @param name - * is the SAX property name - * @param value - * is the value of the SAX property - * - * @throws SAXException - * if the XMLReader could not be created or the property could - * not be changed. + * @param name is the SAX property name + * @param value is the value of the SAX property + * @throws SAXException if the XMLReader could not be created or the property could + * not be changed. */ public void setProperty(String name, Object value) throws SAXException { getXMLReader().setProperty(name, value); @@ -205,14 +262,10 @@ public class SAXReader { * calling this method is to correctly configure an XMLReader object * instance and call the {@link #setXMLReader(XMLReader)}method * - * @param name - * is the SAX feature name - * @param value - * is the value of the SAX feature - * - * @throws SAXException - * if the XMLReader could not be created or the feature could - * not be changed. + * @param name is the SAX feature name + * @param value is the value of the SAX feature + * @throws SAXException if the XMLReader could not be created or the feature could + * not be changed. */ public void setFeature(String name, boolean value) throws SAXException { getXMLReader().setFeature(name, value); @@ -223,13 +276,9 @@ public class SAXReader { * Reads a Document from the given <code>File</code> * </p> * - * @param file - * is the <code>File</code> to read from. - * + * @param file is the <code>File</code> to read from. * @return the newly created Document instance - * - * @throws DocumentException - * if an error occurs during parsing. + * @throws DocumentException if an error occurs during parsing. */ public Document read(File file) throws DocumentException { try { 
@@ -272,13 +321,9 @@ public class SAXReader { * Reads a Document from the given <code>URL</code> using SAX * </p> * - * @param url - * <code>URL</code> to read from. - * + * @param url <code>URL</code> to read from. * @return the newly created Document instance - * - * @throws DocumentException - * if an error occurs during parsing. + * @throws DocumentException if an error occurs during parsing. */ public Document read(URL url) throws DocumentException { String systemID = url.toExternalForm(); @@ -304,13 +349,9 @@ public class SAXReader { * String} to denote the source of the document. * </p> * - * @param systemId - * is a URL for a document or a file name. - * + * @param systemId is a URL for a document or a file name. * @return the newly created Document instance - * - * @throws DocumentException - * if an error occurs during parsing. + * @throws DocumentException if an error occurs during parsing. */ public Document read(String systemId) throws DocumentException { InputSource source = new InputSource(systemId); @@ -326,13 +367,9 @@ public class SAXReader { * Reads a Document from the given stream using SAX * </p> * - * @param in - * <code>InputStream</code> to read from. - * + * @param in <code>InputStream</code> to read from. * @return the newly created Document instance - * - * @throws DocumentException - * if an error occurs during parsing. + * @throws DocumentException if an error occurs during parsing. */ public Document read(InputStream in) throws DocumentException { InputSource source = new InputSource(in); 
@@ -348,13 +385,9 @@ public class SAXReader { * Reads a Document from the given <code>Reader</code> using SAX * </p> * - * @param reader - * is the reader for the input - * + * @param reader is the reader for the input * @return the newly created Document instance - * - * @throws DocumentException - * if an error occurs during parsing. + * @throws DocumentException if an error occurs during parsing. */ public Document read(Reader reader) throws DocumentException { InputSource source = new InputSource(reader); @@ -370,15 +403,10 @@ public class SAXReader { * Reads a Document from the given stream using SAX * </p> * - * @param in - * <code>InputStream</code> to read from. - * @param systemId - * is the URI for the input - * + * @param in <code>InputStream</code> to read from. + * @param systemId is the URI for the input * @return the newly created Document instance - * - * @throws DocumentException - * if an error occurs during parsing. + * @throws DocumentException if an error occurs during parsing. */ public Document read(InputStream in, String systemId) throws DocumentException { @@ -396,13 +424,9 @@ public class SAXReader { * Reads a Document from the given <code>Reader</code> using SAX * </p> * - * @param reader - * is the reader for the input - * @param systemId - * is the URI for the input - * + * @param reader is the reader for the input + * @param systemId is the URI for the input * @return the newly created Document instance - * * @throws DocumentException * if an error occurs during parsing. */ 
@@ -422,13 +446,9 @@ public class SAXReader { * Reads a Document from the given <code>InputSource</code> using SAX * </p> * - * @param in - * <code>InputSource</code> to read from. - * + * @param in <code>InputSource</code> to read from. * @return the newly created Document instance - * - * @throws DocumentException - * if an error occurs during parsing. + * @throws DocumentException if an error occurs during parsing. */ public Document read(InputSource in) throws DocumentException { try { @@ -695,8 +715,7 @@ public class SAXReader { /** * Sets the entity resolver used to resolve entities. * - * @param entityResolver - * DOCUMENT ME! + * @param entityResolver DOCUMENT ME! */ public void setEntityResolver(EntityResolver entityResolver) { this.entityResolver = entityResolver; @@ -706,9 +725,7 @@ public class SAXReader { * DOCUMENT ME! * * @return the <code>XMLReader</code> used to parse SAX events - * - * @throws SAXException - * DOCUMENT ME! + * @throws SAXException DOCUMENT ME! */ public XMLReader getXMLReader() throws SAXException { if (xmlReader == null) { @@ -721,8 +738,7 @@ public class SAXReader { /** * Sets the <code>XMLReader</code> used to parse SAX events * - * @param reader - * is the <code>XMLReader</code> to parse SAX events + * @param reader is the <code>XMLReader</code> to parse SAX events */ public void setXMLReader(XMLReader reader) { this.xmlReader = reader; @@ -742,8 +758,7 @@ public class SAXReader { /** * Sets encoding used for InputSource (null means system default encoding) * - * @param encoding - * is encoding used for InputSource + * @param encoding is encoding used for InputSource */ public void setEncoding(String encoding) { this.encoding = encoding; 
@@ -753,12 +768,9 @@ public class SAXReader { * Sets the class name of the <code>XMLReader</code> to be used to parse * SAX events. * - * @param xmlReaderClassName - * is the class name of the <code>XMLReader</code> to parse SAX - * events - * - * @throws SAXException - * DOCUMENT ME! + * @param xmlReaderClassName is the class name of the <code>XMLReader</code> + * to parse SAX events + * @throws SAXException DOCUMENT ME! */ public void setXMLReaderClassName(String xmlReaderClassName) throws SAXException { @@ -769,11 +781,9 @@ public class SAXReader { * Adds the <code>ElementHandler</code> to be called when the specified * path is encounted. * - * @param path - * is the path to be handled - * @param handler - * is the <code>ElementHandler</code> to be called by the event - * based processor. + * @param path is the path to be handled + * @param handler is the <code>ElementHandler</code> to be called by the event + * based processor. */ public void addHandler(String path, ElementHandler handler) { getDispatchHandler().addHandler(path, handler); @@ -783,8 +793,7 @@ public class SAXReader { * Removes the <code>ElementHandler</code> from the event based processor, * for the specified path. * - * @param path - * is the path to remove the <code>ElementHandler</code> for. + * @param path is the path to remove the <code>ElementHandler</code> for. */ public void removeHandler(String path) { getDispatchHandler().removeHandler(path); @@ -795,9 +804,8 @@ public class SAXReader { * registered, this will set a default <code>ElementHandler</code> to be * called for any path which does <b>NOT </b> have a handler registered. * - * @param handler - * is the <code>ElementHandler</code> to be called by the event - * based processor. + * @param handler is the <code>ElementHandler</code> to be called by the event + * based processor. */ public void setDefaultHandler(ElementHandler handler) { getDispatchHandler().setDefaultHandler(handler); 
@@ -824,8 +832,7 @@ public class SAXReader { /** * Sets the SAX filter to be used when filtering SAX events * - * @param filter - * is the SAX filter to use or null to disable filtering + * @param filter is the SAX filter to use or null to disable filtering */ public void setXMLFilter(XMLFilter filter) { this.xmlFilter = filter; @@ -838,9 +845,7 @@ public class SAXReader { * Installs any XMLFilter objects required to allow the SAX event stream to * be filtered and preprocessed before it gets to dom4j. * - * @param reader - * DOCUMENT ME! - * + * @param reader DOCUMENT ME! * @return the new XMLFilter if applicable or the original XMLReader if no * filter is being used. */ @@ -886,9 +891,7 @@ public class SAXReader { * XMLReader objects * * @return DOCUMENT ME! - * - * @throws SAXException - * DOCUMENT ME! + * @throws SAXException DOCUMENT ME! */ protected XMLReader createXMLReader() throws SAXException { return SAXHelper.createXMLReader(isValidating()); @@ -897,13 +900,9 @@ public class SAXReader { /** * Configures the XMLReader before use * - * @param reader - * DOCUMENT ME! - * @param handler - * DOCUMENT ME! - * - * @throws DocumentException - * DOCUMENT ME! + * @param reader DOCUMENT ME! + * @param handler DOCUMENT ME! + * @throws DocumentException DOCUMENT ME! */ protected void configureReader(XMLReader reader, DefaultHandler handler) throws DocumentException { @@ -918,10 +917,11 @@ public class SAXReader { SAXHelper.setParserProperty(reader, SAX_DECL_HANDLER, handler); } - // configure namespace support - SAXHelper.setParserFeature(reader, SAX_NAMESPACES, true); + // // configure namespace support + // SAXHelper.setParserFeature(reader, SAX_NAMESPACES, true); - SAXHelper.setParserFeature(reader, SAX_NAMESPACE_PREFIXES, false); + // string interning + // SAXHelper.setParserFeature(reader, SAX_NAMESPACE_PREFIXES, false); // string interning SAXHelper.setParserFeature(reader, SAX_STRING_INTERNING, 
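Review bot: In the `configureReader` hunk the namespace-feature calls are commented out rather than removed, and the added `// string interning` label sits above the disabled `SAX_NAMESPACE_PREFIXES` line while the real `SAX_STRING_INTERNING` call follows two lines later, so the new side reads as if string interning itself had been disabled. If the intent is to leave namespace handling to whatever `XMLReader` the system property or JAXP returns, delete the dead lines and keep a single comment saying so, e.g. `// namespace handling is left at the XMLReader's own defaults`. That also makes the behavioural consequence explicit: namespace awareness and prefix reporting now depend on the reader implementation in use rather than being forced here, which callers relying on the previous settings may notice — worth a sentence in the patch description. The same commented-out pattern appears in the following use-locator2 hunk. `configureReader` starts and ends outside the hunk.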
@@ -936,8 +936,8 @@ public class SAXReader { * includeExternalParameterEntities ); */ // use Locator2 if possible - SAXHelper.setParserFeature(reader, - "http://xml.org/sax/features/use-locator2", true); + // SAXHelper.setParserFeature(reader, + // "http://xml.org/sax/features/use-locator2", true); try { // configure validation support @@ -960,9 +960,7 @@ public class SAXReader { /** * Factory Method to allow user derived SAXContentHandler objects to be used * - * @param reader - * DOCUMENT ME! - * + * @param reader DOCUMENT ME! * @return DOCUMENT ME! */ protected SAXContentHandler createContentHandler(XMLReader reader) { ++++++ dom4j-enable-stax-datatypes.patch ++++++ --- /var/tmp/diff_new_pack.hAPPDc/_old 2020-05-04 08:22:27.568339062 +0200 +++ /var/tmp/diff_new_pack.hAPPDc/_new 2020-05-04 08:22:27.568339062 +0200 @@ -3,7 +3,7 @@ --- dom4j.orig/build.xml +++ dom4j/build.xml @@ -146,9 +146,6 @@ - source="1.6" + source="8" deprecation="${deprecation}" classpathref="compile.classpath"> - <exclude name="org/dom4j/datatype/**"/> ++++++ dom4j-javadoc.patch ++++++ --- dom4j/build.xml 2009-05-12 15:04:18.000000000 +0200 +++ dom4j/build.xml 2018-07-10 10:51:51.814095475 +0200 @@ -224,7 +224,6 @@ doctitle="${Name}" bottom="Copyright © ${year} MetaStuff Ltd. All Rights Reserved. Hosted by <p> <img src='http://sourceforge.net/sflogo.php?group_id=16035' width='88' height='31' border='0' alt='SourceForge Logo' />" stylesheetfile="${doc.dir}/style/javadoc.css"> - <link href="file:///usr/share/doc/classpath-doc/api"/> </javadoc> <mkdir dir="${build.apidocs}"/> 
@@ -240,8 +239,6 @@ doctitle="${Name}" bottom="Copyright © ${year} MetaStuff Ltd. All Rights Reserved. Hosted by <p> <img src='http://sourceforge.net/sflogo.php?group_id=16035' width='88' height='31' border='0' alt='SourceForge Logo' />" stylesheetfile="${doc.dir}/style/javadoc.css"> - <link href="file:///usr/share/doc/classpath-doc/api"/> - <link href="${build.javadocs}"/> </javadoc> </target> ++++++ dom4j-sourcetarget.patch ++++++ --- /var/tmp/diff_new_pack.hAPPDc/_old 2020-05-04 08:22:27.588339104 +0200 +++ /var/tmp/diff_new_pack.hAPPDc/_new 2020-05-04 08:22:27.588339104 +0200 @@ -6,8 +6,8 @@ optimize="${optimize}" - target="1.3" - source="1.3" -+ target="1.6" -+ source="1.6" ++ target="8" ++ source="8" deprecation="${deprecation}" classpathref="compile.classpath"> <exclude name="org/dom4j/datatype/**"/> @@ -15,7 +15,7 @@ <mkdir dir="${build.javadocs}"/> <javadoc packagenames="${packages}" sourcepath="${build.src}" -+ source="1.6" ++ source="8" destdir="${build.javadocs}" author="true" version="true" @@ -23,7 +23,7 @@ <mkdir dir="${build.javadocs}"/> <javadoc packagenames="${packages}" sourcepath="${build.src}" -+ source="1.6" ++ source="8" destdir="${build.javadocs}" author="true" version="true" @@ -31,7 +31,7 @@ <mkdir dir="${build.apidocs}"/> <javadoc packagenames="${api.packages}" sourcepath="${build.src}" -+ source="1.6" ++ source="8" destdir="${build.apidocs}" author="true" version="true"