commit jdom2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jdom2 for openSUSE:Factory checked in at 2021-06-29 22:43:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jdom2 (Old) and /work/SRC/openSUSE:Factory/.jdom2.new.2625 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "jdom2" Tue Jun 29 22:43:37 2021 rev:3 rq:903078 version:2.0.6 Changes: -------- --- /work/SRC/openSUSE:Factory/jdom2/jdom2.changes 2019-10-04 11:22:29.648933748 +0200 +++ /work/SRC/openSUSE:Factory/.jdom2.new.2625/jdom2.changes 2021-06-29 22:44:20.910959860 +0200 @@ -1,0 +2,8 @@ +Thu Jun 17 09:17:40 UTC 2021 - Pedro Monreal <pmonreal@suse.com> + +- Security fix: [bsc#1187446, CVE-2021-33813] + * XXE issue in SAXBuilder can cause a denial of service via + a crafted HTTP request +- Add jdom2-CVE-2021-33813.patch + +------------------------------------------------------------------- New: ---- jdom2-CVE-2021-33813.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jdom2.spec ++++++ --- /var/tmp/diff_new_pack.t0KLFg/_old 2021-06-29 22:44:21.326960408 +0200 +++ /var/tmp/diff_new_pack.t0KLFg/_new 2021-06-29 22:44:21.330960414 +0200 @@ -1,7 +1,7 @@ # # spec file for package jdom2 # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,8 @@ # Disable gpg signatures # Process contrib and junit pom files Patch0: 0001-Adapt-build.patch +# PATCH-FIX-UPSTREAM bsc#1187446 CVE-2021-33813 Fix XXE issue in SAXBuilder +Patch1: jdom2-CVE-2021-33813.patch BuildRequires: ant BuildRequires: ant-junit BuildRequires: fdupes 
@@ -65,6 +67,7 @@ find -name '*.class' -delete %patch0 -p1 +%patch1 -p1 cp -p %{SOURCE1} maven/contrib.pom cp -p %{SOURCE2} maven/junit.pom @@ -74,11 +77,10 @@ # Unable to run coverage: use log4j12 but switch to log4j 2.x sed -i.coverage "s|coverage, jars|jars|" build.xml +%build mkdir lib build-jar-repository lib xerces-j2 xml-commons-apis jaxen junit isorelax xalan-j2 xalan-j2-serializer - -%build -ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 -Dj2se.apidoc=%{_javadocdir}/java maven +%ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 -Dj2se.apidoc=%{_javadocdir}/java maven %install # jar ++++++ jdom2-CVE-2021-33813.patch ++++++ From bd3ab78370098491911d7fe9d7a43b97144a234e Mon Sep 17 00:00:00 2001 From: Esti <esther.burs@gmail.com> Date: Thu, 18 Feb 2021 16:40:01 +0200 Subject: [PATCH] fix setFeature bug and add test case --- core/src/java/org/jdom2/input/SAXBuilder.java | 10 ++++------ .../test/cases/input/TestSAXBuilder.java | 20 +++++++++++++++++++ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java index d7105ec6..a1462334 100644 --- a/core/src/java/org/jdom2/input/SAXBuilder.java +++ b/core/src/java/org/jdom2/input/SAXBuilder.java @@ -971,11 +971,6 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH } } - // Set any user-specified features on the parser. - for (final Map.Entry<String, Boolean> me : features.entrySet()) { - internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey()); - } - // Set any user-specified properties on the parser. for (final Map.Entry<String, Object> me : properties.entrySet()) { internalSetProperty(parser, me.getKey(), me.getValue(), me.getKey()); 
@@ -1007,7 +1002,10 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH // No lexical reporting available } } - + // Set any user-specified features on the parser. + for (final Map.Entry<String, Boolean> me : features.entrySet()) { + internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey()); + } } /** diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java index 4ef34834..a69380ba 100644 --- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java +++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java @@ -600,6 +600,26 @@ public void testSetFeature() { } } + @Test + public void testSetExternalFeature() { + String feature = "http://xml.org/sax/features/external-general-entities"; + MySAXBuilder sb = new MySAXBuilder(); + try { + sb.setFeature(feature, true); + XMLReader reader = sb.createParser(); + assertNotNull(reader); + assertTrue(reader.getFeature(feature)); + sb.setFeature(feature, false); + reader = sb.createParser(); + assertNotNull(reader); + assertFalse(reader.getFeature(feature)); + + } catch (Exception e) { + e.printStackTrace(); + fail("Could not create parser: " + e.getMessage()); + } + } + @Test public void testSetProperty() { LexicalHandler lh = new LexicalHandler() {
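Review bot: The relocated loop at the end of `configureParser` is only correct if it runs after every default the method applies, but the comment moved with it (`// Set any user-specified features on the parser.`) does not say so, and a later refactor could move it back up. I would document the ordering, e.g. `// Must stay last: user-specified features override the defaults applied above (CVE-2021-33813).`. The user-specified properties loop, visible as context in the previous hunk, still runs at its old position, so it is worth checking whether the code between the two hunks can overwrite a caller's property in the same way. As far as these hunks show, the change only lets an explicit `setFeature(..., false)` take effect and leaves the defaults unchanged, so callers parsing untrusted XML presumably still have to disable external entities themselves. The body of `configureParser` starts outside the hunk.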
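Review bot: `testSetExternalFeature` only asserts what `reader.getFeature(feature)` reports after `createParser()` and never builds a document. It therefore confirms that the flag survives configuration, but not that a builder with the feature set to `false` actually leaves external general entities unresolved. A second case that calls `build` on a small in-memory document and asserts on the resulting content would pin the behaviour the fix is meant to guarantee. Separately, the `catch (Exception e) { e.printStackTrace(); fail(...) }` wrapper keeps the stack trace out of the test report; declaring `public void testSetExternalFeature() throws Exception {` and dropping the try/catch lets the test runner report the original exception.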