Changes of Revision 3
_service:tar_scm_kernel_repo:xmlgraphics-commons.spec
Changed
@@ -1,12 +1,15 @@
 Name: xmlgraphics-commons
 Version: 2.2
-Release: 3
+Release: 4
 Summary: A library that consists of several reusable components
 License: ASL 2.0
 URL: http://xmlgraphics.apache.org/
 Source0: http://archive.apache.org/dist/xmlgraphics/commons/source/xmlgraphics-commons-%{version}-src.tar.gz
 BuildArch: noarch
+#https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
+Patch0: CVE-2020-11988.patch
+
 BuildRequires: maven-local, mvn(commons-io:commons-io), mvn(commons-logging:commons-logging), mvn(junit:junit)
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin), mvn(org.mockito:mockito-core), mvn(xml-resolver:xml-resolver)
 Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
@@ -56,5 +59,8 @@
 %{_javadocdir}/%{name}/*
 %changelog
+* Sun Apr 24 2022 yaoxin <yaoxin30@h-partners.com> - 2.2-4
+- Fix CVE-2020-11988
+
 * Fri Dec 6 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.2-3
 - Package init
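Review bot: `Patch0: CVE-2020-11988.patch` is only declared in this hunk; whether it is actually applied depends on the `%prep` section, which is outside the visible hunks, so confirm it uses `%autosetup -p1` or carries a matching `%patch0 -p1` line, otherwise the build ships the unpatched 2.2 sources while the changelog claims the CVE is fixed. The patch edits `src/main/java/...` and `src/test/java/...`, the upstream trunk layout at the time of commit 5739391; check that the 2.2 source tarball uses the same paths (or adjust the strip level), since a mismatch aborts the build at `%prep`. A one-line note beside the patch, e.g. `# backport of upstream XGC-122, verified against the 2.2 tarball layout`, would tell the next updater that this was checked.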
_service:tar_scm_kernel_repo:CVE-2020-11988.patch
Added
@@ -0,0 +1,77 @@
+From 57393912eb87b994c7fed39ddf30fb778a275183 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Tue, 2 Jun 2020 13:18:41 +0000
+Subject: [PATCH] XGC-122: Dont load DTDs in XMP
+
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/commons/trunk@1878394 13f79535-47bb-0310-9956-ffa450edef68
+---
+ .../org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
+ .../xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index 5e7d8b6..e907e89 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@
+ 
+ import java.net.URL;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public static Metadata parseXMP(URL url) throws TransformerException {
+ */
+ public static Metadata parseXMP(Source src) throws TransformerException {
+ TransformerFactory tFactory = TransformerFactory.newInstance();
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tFactory.newTransformer();
+ XMPHandler handler = createXMPHandler();
+ SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 6519de6..3250d08 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+ 
+ package org.apache.xmlgraphics.xmp;
+ 
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.TimeZone;
+ 
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+ import org.junit.Test;
+ 
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertNotNull;
+ import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+ 
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public void testParseEmptyValues() throws Exception {
+ assertNull(title); //Empty value treated same as not existant
+ }
+ 
++ @Test
++ public void testExternalDTD() {
++ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
++ + "<root></root>";
++ StreamSource streamSource = new StreamSource(new StringReader(payload));
++ String msg = "";
++ try {
++ XMPParser.parseXMP(streamSource);
++ } catch (TransformerException e) {
++ msg = e.getMessage();
++ }
++ assertTrue(msg, msg.contains("access is not allowed"));
++ }
+ }
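Review bot: The two `tFactory.setAttribute(...)` calls added to `parseXMP(Source)` are unguarded, and `TransformerFactory.setAttribute` throws `IllegalArgumentException` for an attribute the implementation does not recognise, so on a runtime where `TransformerFactory.newInstance()` resolves to a pre-JAXP 1.5 factory (an older Xalan on the classpath, for instance) every call now fails with an unchecked exception instead of the declared `TransformerException`. Failing closed is the right outcome for untrusted XMP, but it should be deliberate and surface through the documented contract: wrap the calls and rethrow as `TransformerConfigurationException` (a `TransformerException` subclass; add the import if the file does not already have it) so callers' existing catch blocks keep working and the message names the cause. The `parseXMP(URL)` overload visible in the hunk header lies outside the hunk, so confirm it delegates to this method rather than creating its own factory. The new test asserts on the literal `"access is not allowed"`, which is a JDK-specific message; that is fine for a regression test but deserves a comment saying so, e.g. `// message text comes from the JDK's built-in Xalan; adjust if the TransformerFactory changes`.
```java
        TransformerFactory tFactory = TransformerFactory.newInstance();
        try {
            // Fail closed: a factory that cannot restrict external access must not be
            // used on untrusted XMP (CVE-2020-11988 / XGC-122).
            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            throw new TransformerConfigurationException(
                    "TransformerFactory does not support JAXP 1.5 external-access restrictions", e);
        }
        // … unchanged: newTransformer(), XMPHandler and SAXResult setup …
```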