Hello community, here is the log from the commit of package xerces-j2 for openSUSE:Factory checked in at Wed Sep 2 18:28:10 CEST 2009.
--------
--- xerces-j2/xerces-j2-bootstrap.changes 2008-01-28 16:59:54.000000000 +0100
+++ xerces-j2/xerces-j2-bootstrap.changes 2009-08-18 08:49:27.000000000 +0200
@@ -1,0 +2,5 @@
+Mon Aug 17 11:46:39 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#530717: VUL-0: xerces-j2: XML parsing vulnerability
+
+-------------------------------------------------------------------
--- xerces-j2/xerces-j2.changes 2008-11-12 12:23:15.000000000 +0100
+++ xerces-j2/xerces-j2.changes 2009-08-18 08:49:29.000000000 +0200
@@ -1,0 +2,9 @@
+Mon Aug 17 11:44:46 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#530717: VUL-0: xerces-j2: XML parsing vulnerability
+- Removed non used patch xerces-build.patch
+- Fixed some rpmlint warnings and errors
+- Removed javadoc postinstall scripts
+- Removed %%release from subpackages requires
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
xerces-j2-parsing.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xerces-j2-bootstrap.spec ++++++
--- /var/tmp/diff_new_pack.r4kXxO/_old 2009-09-02 18:27:09.000000000 +0200
+++ /var/tmp/diff_new_pack.r4kXxO/_new 2009-09-02 18:27:09.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package xerces-j2-bootstrap (Version 2.8.1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,16 +34,19 @@
 Summary: Java XML parser
 Group: Development/Libraries/Java
 Version: 2.8.1
-Release: 238
+Release: 239
 Requires: xml-commons-which-bootstrap
 Requires: xml-commons-apis-bootstrap
 Requires: xml-commons-resolver-bootstrap
-License: The Apache Software License
+License: Apache Software License ..
 Group: Development/Libraries/Java
 AutoReqProv: on
 Source0: Xerces-J-src.%{version}.tar.bz2
 Patch0: xerces-j2-gcj-switch-constants-bug.patch
 Patch1: xerces-build.patch
+#PATCH-FIX-UPSTREAM bnc#530717
+#http://svn.apache.org/viewvc?view=rev&revision=787352
+Patch3: xerces-j2-parsing.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #BuildArchitectures: noarch
 #ExclusiveArch: %ix86
@@ -78,6 +81,7 @@
 %setup -n xerces-%{xerces_version_cvs}
 %patch0
 %patch1
+%patch3 -p1 -b .parsing
 #<<<
 #>>>
 %build
@@ -87,6 +91,7 @@
 TARGET_DIR=`pwd`
 CLASSPATH_ORIG="$CLASSPATH"
 LIB_GCJ="`ls %{_javadir}/libgcj-*.jar`"
+export GC_MAXIMUM_HEAP_SIZE="134217728"
 #>>> delete binary file and files not needed
 function delBinaryFiles() {
 set +x
++++++ xerces-j2.spec ++++++
--- /var/tmp/diff_new_pack.r4kXxO/_old 2009-09-02 18:27:09.000000000 +0200
+++ /var/tmp/diff_new_pack.r4kXxO/_new 2009-09-02 18:27:09.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package xerces-j2 (Version 2.8.1)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
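Review bot: The new `#PATCH-FIX-UPSTREAM bnc#530717` tag above `Patch3:` does not follow the openSUSE patch-tag form, which names the patch file and ends with a one-line description of what the patch does; the same two comment lines are added in xerces-j2.spec at @@ -26,18 +26,20 @@. Suggest `# PATCH-FIX-UPSTREAM xerces-j2-parsing.patch bnc#530717 mvyskocil@suse.cz -- consume invalid characters in system literals so malformed input cannot stall the scanner (upstream r787352)`, keeping the viewvc link on the following line. If a public vulnerability identifier was assigned for bnc#530717, recording it in the same tag makes later security audits of the package much quicker.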
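Review bot: `export GC_MAXIMUM_HEAP_SIZE="134217728"` is an unexplained magic value added to %build, and the identical line is added to %build in xerces-j2.spec at @@ -325,19 +327,19 @@. Nothing on the page says what failed without it; presumably the gcj garbage-collector heap cap is being raised so the jar or javadoc step does not run out of memory, but that is inferred. A comment would save the next packager from re-discovering it, e.g. `# 128 MiB gcj GC heap limit; the build ran out of memory with the default (TODO: cite the failing build log)`. The surrounding %build section continues outside the hunk.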
@@ -26,18 +26,20 @@
 %define release 3jpp
 %define section free
 Version: 2.8.1
-Release: 198
+Release: 199
 Summary: Java XML parser
-License: The Apache Software License
+License: Apache Software License ..
 Url: http://xml.apache.org/xerces2-j/
 Group: Development/Libraries/Java
 Source0: Xerces-J-src.%{version}.tar.bz2
 Source1: %{name}-version.sh
 Source2: %{name}-constants.sh
 Source3: Xerces-J-tools.%{version}.tar.bz2
-Patch0: %{name}-build.patch
 Patch1: java150_build.patch
 Patch2: %{name}-%{version}_new_unsupported_dom_methods.patch
+#PATCH-FIX-UPSTREAM bnc#530717
+#http://svn.apache.org/viewvc?view=rev&revision=787352
+Patch3: xerces-j2-parsing.patch
 Provides: jaxp_parser_impl
 PreReq: update-alternatives /bin/ln
 # some build requirements removed to enable jpackage bootstrap. this is
@@ -69,7 +71,7 @@
 %package javadoc-impl
-License: The Apache Software License
+License: Apache Software License ..
 Summary: Javadoc for xerces-j2 implementation
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -100,7 +102,7 @@
 %package javadoc-apis
-License: The Apache Software License
+License: Apache Software License ..
 Summary: Javadoc for xerces-j2 apis
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -130,8 +132,8 @@
 %package javadoc-dom3
-License: The Apache Software License
-Summary: Javadoc for xerces-j2 DOM3.
+License: Apache Software License ..
+Summary: Javadoc for xerces-j2 DOM3
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -160,8 +162,8 @@
 %package javadoc-xni
-License: The Apache Software License
-Summary: Javadoc for xerces-j2 XNI.
+License: Apache Software License ..
+Summary: Javadoc for xerces-j2 XNI
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -190,8 +192,8 @@
 %package javadoc-other
-License: The Apache Software License
-Summary: Javadoc for other xerces-j2 components.
+License: Apache Software License ..
+Summary: Javadoc for other xerces-j2 components
 Group: Development/Libraries/Java
 PreReq: coreutils
@@ -221,10 +223,10 @@
 %package demo
-License: The Apache Software License
-Summary: Demonstration and sample files for xerces-j2.
+License: Apache Software License ..
+Summary: Demonstration and sample files for xerces-j2
 Group: Development/Libraries/Java
-Requires: %{name} = %{version}-%{release}
+Requires: %{name} = %{version}
 %description demo
 Welcome to the future! Xerces2 is the next generation of high
@@ -251,10 +253,10 @@
 %package scripts
-License: The Apache Software License
-Summary: Additional utility scripts for xerces-j2.
+License: Apache Software License ..
+Summary: Additional utility scripts for xerces-j2
 Group: Development/Libraries/Java
-Requires: %{name} = %{version}-%{release}
+Requires: %{name} = %{version}
 Requires: jpackage-utils >= 1.5
 %description scripts
@@ -282,7 +284,7 @@
 %package xml-resolver
-License: The Apache Software License
+License: Apache Software License ..
 Summary: Resolver subproject of xml-commons
 Group: Development/Libraries/Java
 Requires: jpackage-utils >= 1.5
@@ -300,7 +302,7 @@
 %package xml-apis
-License: The Apache Software License
+License: Apache Software License ..
 Summary: APIs subproject of xml-commons
 Group: Development/Libraries/Java
 Requires: jpackage-utils >= 1.5
@@ -325,19 +327,19 @@
 %setup -q -n xerces-%{cvs_version}
 %setup -q -T -a 3 -D -n xerces-%{cvs_version}
 %setup -T -D -n xerces-%{cvs_version}
-#%patch0 -p1 -b .build
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1 -b .parsing
 %build
 ## this uses the ant.jar provided by the xerces packages. Tough luck,
 # jpackage bootstrap has to start somewhere. It is not installed,
 # though.
+export GC_MAXIMUM_HEAP_SIZE="134217728"
 sh build.sh jars
 sh build.sh javadocs
 %install
-rm -rf $RPM_BUILD_ROOT
 # jars
 mkdir -p $RPM_BUILD_ROOT%{_javadir}
 cp -p build/xercesImpl.jar $RPM_BUILD_ROOT%{_javadir}/%{name}-%{version}.jar
@@ -388,26 +390,6 @@
 %clean
 rm -rf $RPM_BUILD_ROOT
-%post javadoc-apis
-rm -f %{_javadocdir}/%{name}-apis
-ln -s %{name}-apis-%{version} %{_javadocdir}/%{name}-apis
-
-%post javadoc-dom3
-rm -f %{_javadocdir}/%{name}-dom3
-ln -s %{name}-dom3-%{version} %{_javadocdir}/%{name}-dom3
-
-%post javadoc-impl
-rm -f %{_javadocdir}/%{name}-impl
-ln -s %{name}-impl-%{version} %{_javadocdir}/%{name}-impl
-
-%post javadoc-other
-rm -f %{_javadocdir}/%{name}-other
-ln -s %{name}-other-%{version} %{_javadocdir}/%{name}-other
-
-%post javadoc-xni
-rm -f %{_javadocdir}/%{name}-xni
-ln -s %{name}-xni-%{version} %{_javadocdir}/%{name}-xni
-
 %post
 /usr/sbin/update-alternatives --install %{_javadir}/jaxp_parser_impl.jar jaxp_parser_impl %{_javadir}/%{name}.jar 23
 /usr/sbin/update-alternatives --auto jaxp_parser_impl
@@ -460,27 +442,27 @@
 %files javadoc-impl
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-impl-%{version}
-%ghost %doc %{_javadocdir}/%{name}-impl
+%doc %{_javadocdir}/%{name}-impl
 %files javadoc-apis
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-apis-%{version}
-%ghost %doc %{_javadocdir}/%{name}-apis
+%doc %{_javadocdir}/%{name}-apis
 %files javadoc-dom3
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-dom-%{version}
-%ghost %doc %{_javadocdir}/%{name}-dom
+%doc %{_javadocdir}/%{name}-dom
 %files javadoc-other
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-other-%{version}
-%ghost %doc %{_javadocdir}/%{name}-other
+%doc %{_javadocdir}/%{name}-other
 %files javadoc-xni
 %defattr(0644,root,root,0755)
 %doc %{_javadocdir}/%{name}-xni-%{version}
-%ghost %doc %{_javadocdir}/%{name}-xni
+%doc %{_javadocdir}/%{name}-xni
 %files demo
 %defattr(0644,root,root,0755)
++++++ xerces-j2-parsing.patch ++++++
Index: xerces-2_8_1/src/org/apache/xerces/impl/XMLScanner.java
===================================================================
--- xerces-2_8_1.orig/src/org/apache/xerces/impl/XMLScanner.java 2006-09-14 03:23:36.000000000 +0200
+++ xerces-2_8_1/src/org/apache/xerces/impl/XMLScanner.java 2009-08-17 12:02:22.811296491 +0200
@@ -1026,6 +1026,14 @@
 if (XMLChar.isMarkup(c) || c == ']') {
 fStringBuffer.append((char)fEntityScanner.scanChar());
 }
+ else if (XMLChar.isHighSurrogate(c)) {
+ scanSurrogates(fStringBuffer);
+ }
+ else if (isInvalidLiteral(c)) {
+ reportFatalError("InvalidCharInSystemID",
+ new Object[] { Integer.toHexString(c) });
+ fEntityScanner.scanChar();
+ }
 } while (fEntityScanner.scanLiteral(quote, ident) != quote);
 fStringBuffer.append(ident);
 ident = fStringBuffer;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
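Review bot: Dropping `%ghost` makes `%{_javadocdir}/%{name}-impl` (and the -apis, -dom, -other, -xni siblings) regular packaged paths, while the %post scriptlets that used to create them as symlinks are deleted at @@ -388,26 +390,6 @@; nothing in this diff creates those paths in %install, so unless %install (outside the hunk) already does, rpmbuild will stop with "file not found" at the %files stage. The safer form, if %install does not provide them, is to create the link there, e.g. `ln -s %{name}-impl-%{version} $RPM_BUILD_ROOT%{_javadocdir}/%{name}-impl`, once per subpackage. Note also that the javadoc-dom3 subpackage lists `%{name}-dom-%{version}` and `%{name}-dom`, whereas the removed scriptlet linked `%{name}-dom3-%{version}` to `%{name}-dom3`, so the old link target never matched the packaged directory name; worth confirming which name %install actually produces.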
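Review bot: The new `else if (isInvalidLiteral(c))` branch has no comment explaining why `fEntityScanner.scanChar()` follows `reportFatalError`, yet that call is the substance of the fix: the loop condition `scanLiteral(quote, ident) != quote` appears to stop at a character it does not accept without consuming it, so when the configured error handler continues after a fatal error the character has to be consumed here or the do/while re-enters with the same input indefinitely. Suggest `// consume the offending char: scanLiteral() leaves it in place, and a continuing error handler would otherwise loop on it forever (bnc#530717)`. A lone low surrogate presumably falls through to this branch rather than `isHighSurrogate`, which is only correct if `XMLChar.isInvalidLiteral` treats the surrogate range as invalid — confirm against XMLChar. Similarly, if `scanSurrogates` can return without consuming input on a high surrogate that is not followed by a low one, the same stall is reachable through the first new branch; its behavior is not visible here. The enclosing scanning method begins and ends outside the hunk.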