From e9e6176bd06e506f5c4106b37a35669b8417368a Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Oct 16 2019 21:53:49 +0000 Subject: update to version 2.7.2 --- diff --git a/.gitignore b/.gitignore index 25135ae..066bf79 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,14 @@ -xalan-j2-notarget.patch -xalan-j_2_7_0-src-RHsemiCLEAN.tar.gz -xalan-j_2_7_1-src.tar.gz +/results_* +/*.src.rpm + +/xalan-j2-notarget.patch +/xalan-j_2_7_0-src-RHsemiCLEAN.tar.gz +/xalan-j_2_7_1-src.tar.gz /serializer-2.7.1.pom /xalan-2.7.1.pom /xsltc-2.7.1.pom /xalan-j2-2.7.1.tar.gz +/xalan-j2-2.7.2.tar.gz +/xalan-2.7.2.pom +/serializer-2.7.2.pom +/xsltc-2.7.2.pom diff --git a/generate-tarball.sh b/generate-tarball.sh index bee814c..4bb8914 100755 --- a/generate-tarball.sh +++ b/generate-tarball.sh @@ -5,7 +5,7 @@ name=xalan-j2 version="$(sed -n 's/Version:\s*//p' *.spec)" # RETRIEVE -wget "http://archive.apache.org/dist/xml/xalan-j/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz" +wget "http://archive.apache.org/dist/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz" rm -rf tarball-tmp mkdir tarball-tmp diff --git a/sources b/sources index cfbfa6a..2c6d2e0 100644 --- a/sources +++ b/sources 
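Review bot: The rewritten `wget` line in generate-tarball.sh still retrieves the upstream source over plain `http://`, and nothing in the hunk checks a signature or digest on the download, so the SHA512 later recorded in `sources` only pins whatever arrived over an unauthenticated channel. Use TLS for the fetch, `wget "https://archive.apache.org/dist/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"`, and verify the file against the upstream-published signature or checksum (if one is provided for this release) before repacking. The rest of the script is outside this hunk, so a verification step further down cannot be ruled out from here.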
@@ -1,4 +1,4 @@
-SHA512 (xalan-j2-2.7.1.tar.gz) = 695d3dd18974e0041a398774106ff2cf76435b1827e2c698036d6384cabbe8811e3045fb8ea115bf15f91136af1b56617cac647e06d25ced07b9e1e880714552
-SHA512 (xalan-2.7.1.pom) = 70ac6007b72674ddc861e73bd5c84732fefc71b7e60ed4030066d2ebc6367fa2ba4dda064b369544b70bd329a04e4b79c13e73f136710b2adf2a6616ce72bb03
-SHA512 (serializer-2.7.1.pom) = 910c397021681d4b3617a99cf5639e449bb8964c3ea81d3c03d0df1d6054c04ceb5ffcc9d0fd4201dfaa348fad4581449dd720d5a85b99c61b415c332dd4222c
-SHA512 (xsltc-2.7.1.pom) = a4cc7c36ea6cb37ffde9cf1b5e661aa82803b12ed51dd6ade70d52d7f33d0191ee66d6a9d7688b1119dcafd07c4e0aa0af6cb3be355b6e8a30ee8e1f7e2aa94d
+SHA512 (xalan-j2-2.7.2.tar.gz) = 8f03d3e8f239a1efe71b8b4e3830f21c35fdeda69465bec377f139718e0ce0e842dde3b3a9a8922d14d0d3ad91f731134c604d71bc66aeb26e78ab0cbb0776a6
+SHA512 (xalan-2.7.2.pom) = 4b95e3eb3a2ab262c9a27040a5214cfb8c49c36ece8e71a933074eb063205ef96deff351f017b034c9c97d43d77b020482aade7bc01e1245d8ee10a51269c5ce
+SHA512 (serializer-2.7.2.pom) = 1a20cd7008ab876f9605a67515d558b26b9be009c4f49cb27ddf5aa715b5d164c476c236b6d6edf39e81538dfb1516271c3859af8e73f8cdbeee24efb45e9a44
+SHA512 (xsltc-2.7.2.pom) = 89c5c2cd358c32a9b8073869abdcb1df21a95c21a1a099c1b91f25ac3de7fdf9893977cb227efa4dad1de29773aaaef155155d1ec8648aae3c2e512154c200ef
diff --git a/xalan-j2-CVE-2014-0107.patch b/xalan-j2-CVE-2014-0107.patch
deleted file mode 100644
index 3358f60..0000000
--- a/xalan-j2-CVE-2014-0107.patch
+++ /dev/null
@@ -1,148 +0,0 @@ -diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java -index 1298943..96a5e58 100644 ---- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java -+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java -@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory - reader = XMLReaderFactory.createXMLReader(); - } - -+ if(m_isSecureProcessing) -+ { -+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false); -+ } - // Need to set options! - reader.setContentHandler(handler); - reader.parse(isource); -diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java -index b946743..17b7395 100644 ---- a/src/org/apache/xalan/processor/XSLTElementProcessor.java -+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java -@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement - } - else - { -- // Can we switch the order here: -- -- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName, -- attributes.getQName(i), attributes.getValue(i), -- target); -- -- // Now we only add the element if it passed a validation check -- if (success) -- processedDefs.add(attrDef); -- else -- errorDefs.add(attrDef); -+ //handle secure processing -+ if(handler.getStylesheetProcessor()==null) -+ System.out.println("stylesheet processor null"); -+ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing()) -+ { -+ //foreign attributes are not allowed in secure processing mode -+ // Then barf, because this element does not allow this attribute. 
-+ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\"" -+ //+ " attribute is not allowed on the " + rawName -+ // + " element!", null); -+ } -+ else -+ { -+ -+ -+ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName, -+ attributes.getQName(i), attributes.getValue(i), -+ target); -+ -+ // Now we only add the element if it passed a validation check -+ if (success) -+ processedDefs.add(attrDef); -+ else -+ errorDefs.add(attrDef); -+ } - } - } - -diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java -index dd0d4d9..0906d24 100644 ---- a/src/org/apache/xalan/transformer/TransformerImpl.java -+++ b/src/org/apache/xalan/transformer/TransformerImpl.java -@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer - try - { - if (sroot.getExtensions() != null) -- m_extensionsTable = new ExtensionsTable(sroot); -+ //only load extensions if secureProcessing is disabled -+ if(!sroot.isSecureProcessing()) -+ m_extensionsTable = new ExtensionsTable(sroot); - } - catch (javax.xml.transform.TransformerException te) - {te.printStackTrace();} -diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java -index 4bea356..78ac980 100644 ---- a/src/org/apache/xpath/functions/FuncSystemProperty.java -+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java -@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg - - String fullName = m_arg0.execute(xctxt).str(); - int indexOfNSSep = fullName.indexOf(':'); -- String result; -+ String result = null; - String propName = ""; - - // List of properties where the name of the -@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg - - try - { -- result = System.getProperty(propName); -- -- if (null == result) -- { -- -- // result = System.getenv(propName); -- 
return XString.EMPTYSTRING; -- } -+ //if secure procession is enabled only handle required properties do not not map any valid system property -+ if(!xctxt.isSecureProcessing()) -+ { -+ result = System.getProperty(propName); -+ } -+ else -+ { -+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, -+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName); -+ } -+ if (null == result) -+ { -+ return XString.EMPTYSTRING; -+ } - } - catch (SecurityException se) - { -@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg - { - try - { -- result = System.getProperty(fullName); -- -- if (null == result) -- { -- -- // result = System.getenv(fullName); -- return XString.EMPTYSTRING; -- } -+ //if secure procession is enabled only handle required properties do not not map any valid system property -+ if(!xctxt.isSecureProcessing()) -+ { -+ result = System.getProperty(fullName); -+ } -+ else -+ { -+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, -+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName); -+ } -+ if (null == result) -+ { -+ return XString.EMPTYSTRING; -+ } - } - catch (SecurityException se) - { diff --git a/xalan-j2-MANIFEST.MF b/xalan-j2-MANIFEST.MF index f5d77cf..2947cce 100644 --- a/xalan-j2-MANIFEST.MF +++ b/xalan-j2-MANIFEST.MF 
@@ -5,48 +5,48 @@ Main-Class: org.apache.xalan.xslt.Process Bundle-ManifestVersion: 2 Bundle-Name: %Bundle-Name.0 Bundle-SymbolicName: org.apache.xalan -Bundle-Version: 2.7.1 +Bundle-Version: 2.7.2 Bundle-Vendor: %Bundle-Vendor.0 -Export-Package: org.apache.regexp;version="2.7.1", - org.apache.xalan;version="2.7.1", - org.apache.xalan.client;version="2.7.1", - org.apache.xalan.extensions;version="2.7.1", - org.apache.xalan.lib;version="2.7.1", - org.apache.xalan.lib.sql;version="2.7.1", - org.apache.xalan.processor;version="2.7.1", - org.apache.xalan.res;version="2.7.1", - org.apache.xalan.serialize;version="2.7.1", - org.apache.xalan.templates;version="2.7.1", - org.apache.xalan.trace;version="2.7.1", - org.apache.xalan.transformer;version="2.7.1", - org.apache.xalan.xslt;version="2.7.1", - org.apache.xalan.xsltc;version="2.7.1", - org.apache.xalan.xsltc.cmdline;version="2.7.1", - org.apache.xalan.xsltc.cmdline.getopt;version="2.7.1", - org.apache.xalan.xsltc.compiler;version="2.7.1", - org.apache.xalan.xsltc.compiler.util;version="2.7.1", - org.apache.xalan.xsltc.dom;version="2.7.1", - org.apache.xalan.xsltc.runtime;version="2.7.1", - org.apache.xalan.xsltc.runtime.output;version="2.7.1", - org.apache.xalan.xsltc.trax;version="2.7.1", - org.apache.xalan.xsltc.util;version="2.7.1", - org.apache.xml.dtm;version="2.7.1", - org.apache.xml.dtm.ref;version="2.7.1", - org.apache.xml.dtm.ref.dom2dtm;version="2.7.1", - org.apache.xml.dtm.ref.sax2dtm;version="2.7.1", - org.apache.xml.res;version="2.7.1", - org.apache.xml.utils;version="2.7.1", - org.apache.xml.utils.res;version="2.7.1", - org.apache.xpath;version="2.7.1", - org.apache.xpath.axes;version="2.7.1", - org.apache.xpath.compiler;version="2.7.1", - org.apache.xpath.domapi;version="2.7.1", - org.apache.xpath.functions;version="2.7.1", - org.apache.xpath.jaxp;version="2.7.1", - org.apache.xpath.objects;version="2.7.1", - org.apache.xpath.operations;version="2.7.1", - org.apache.xpath.patterns;version="2.7.1", - 
org.apache.xpath.res;version="2.7.1" +Export-Package: org.apache.regexp;version="2.7.2", + org.apache.xalan;version="2.7.2", + org.apache.xalan.client;version="2.7.2", + org.apache.xalan.extensions;version="2.7.2", + org.apache.xalan.lib;version="2.7.2", + org.apache.xalan.lib.sql;version="2.7.2", + org.apache.xalan.processor;version="2.7.2", + org.apache.xalan.res;version="2.7.2", + org.apache.xalan.serialize;version="2.7.2", + org.apache.xalan.templates;version="2.7.2", + org.apache.xalan.trace;version="2.7.2", + org.apache.xalan.transformer;version="2.7.2", + org.apache.xalan.xslt;version="2.7.2", + org.apache.xalan.xsltc;version="2.7.2", + org.apache.xalan.xsltc.cmdline;version="2.7.2", + org.apache.xalan.xsltc.cmdline.getopt;version="2.7.2", + org.apache.xalan.xsltc.compiler;version="2.7.2", + org.apache.xalan.xsltc.compiler.util;version="2.7.2", + org.apache.xalan.xsltc.dom;version="2.7.2", + org.apache.xalan.xsltc.runtime;version="2.7.2", + org.apache.xalan.xsltc.runtime.output;version="2.7.2", + org.apache.xalan.xsltc.trax;version="2.7.2", + org.apache.xalan.xsltc.util;version="2.7.2", + org.apache.xml.dtm;version="2.7.2", + org.apache.xml.dtm.ref;version="2.7.2", + org.apache.xml.dtm.ref.dom2dtm;version="2.7.2", + org.apache.xml.dtm.ref.sax2dtm;version="2.7.2", + org.apache.xml.res;version="2.7.2", + org.apache.xml.utils;version="2.7.2", + org.apache.xml.utils.res;version="2.7.2", + org.apache.xpath;version="2.7.2", + org.apache.xpath.axes;version="2.7.2", + org.apache.xpath.compiler;version="2.7.2", + org.apache.xpath.domapi;version="2.7.2", + org.apache.xpath.functions;version="2.7.2", + org.apache.xpath.jaxp;version="2.7.2", + org.apache.xpath.objects;version="2.7.2", + org.apache.xpath.operations;version="2.7.2", + org.apache.xpath.patterns;version="2.7.2", + org.apache.xpath.res;version="2.7.2" Require-Bundle: system.bundle, org.apache.xerces Eclipse-BuddyPolicy: registered 
@@ -56,20 +56,20 @@ Specification-Title: Java API for XML Processing Specification-Vendor: Sun Microsystems Inc. Specification-Version: 1.3 Implementation-Title: org.apache.xalan -Implementation-Version: 2.7.1 +Implementation-Version: 2.7.2 Implementation-Vendor: Apache Software Foundation Implementation-URL: http://xml.apache.org/xalan-j/dist/ Name: org/apache/xml/ Comment: DTM implementation and utilities Implementation-Title: org.apache.xml -Implementation-Version: 2.7.1 +Implementation-Version: 2.7.2 Implementation-Vendor: Apache Software Foundation Implementation-URL: http://xml.apache.org/xalan-j/dist/ Name: org/apache/xpath/ Comment: XPath engine Implementation-Title: org.apache.xpath -Implementation-Version: 2.7.1 +Implementation-Version: 2.7.2 Implementation-Vendor: Apache Software Foundation Implementation-URL: http://xml.apache.org/xalan-j/dist/ diff --git a/xalan-j2.spec b/xalan-j2.spec index 9f814af..85dcc78 100644 --- a/xalan-j2.spec +++ b/xalan-j2.spec @@ -28,11 +28,11 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # -%global cvs_version 2_7_1 +%global cvs_version 2_7_2 Name: xalan-j2 -Version: 2.7.1 -Release: 40%{?dist} +Version: 2.7.2 +Release: 1%{?dist} Epoch: 0 Summary: Java XSLT processor # src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C 
@@ -42,18 +42,14 @@ URL: http://xalan.apache.org/ # ./generate-tarball.sh Source0: %{name}-%{version}.tar.gz Source1: %{name}-serializer-MANIFEST.MF -Source2: http://repo1.maven.org/maven2/xalan/xalan/2.7.1/xalan-2.7.1.pom -Source3: http://repo1.maven.org/maven2/xalan/serializer/2.7.1/serializer-2.7.1.pom +Source2: http://repo1.maven.org/maven2/xalan/xalan/%{version}/xalan-%{version}.pom +Source3: http://repo1.maven.org/maven2/xalan/serializer/%{version}/serializer-%{version}.pom Source4: xsltc-%{version}.pom Source5: %{name}-MANIFEST.MF # Remove bundled binaries which cannot be easily verified for licensing Source6: generate-tarball.sh Patch0: %{name}-noxsltcdeps.patch -# Fix CVE-2014-0107: insufficient constraints in secure processing -# feature (oCERT-2014-002). Generated form upstream revisions 1581058 -# and 1581426. -Patch2: %{name}-CVE-2014-0107.patch BuildArch: noarch @@ -117,7 +113,6 @@ Demonstrations and samples for %{name}. %prep %setup -q -n xalan-j_%{cvs_version} %patch0 -p0 -%patch2 -p1 find . -name '*.jar' -delete find . -name '*.class' -delete @@ -210,6 +205,9 @@ mv %{_javadir}/jaxp_transform_impl.jar{.tmp,} || : %{_datadir}/%{name} %changelog +* Wed Oct 16 2019 Fabio Valentini - 0:2.7.2-1 +- Update to version 2.7.2. + * Sat Jul 27 2019 Fedora Release Engineering - 0:2.7.1-40 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
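Review bot: Removing `Patch2: %{name}-CVE-2014-0107.patch` here (and `%patch2 -p1` in the %prep hunk) is not justified anywhere in the commit: the subject and the new %changelog entry say only "Update to version 2.7.2". Presumably 2.7.2 carries the fix upstream, but that should be confirmed against the unpacked sources (the `isSecureProcessing()` guards the removed patch added in FuncSystemProperty, TransformerImpl and XSLTElementProcessor) and then recorded, e.g. `- Drop CVE-2014-0107 patch, fixed upstream in 2.7.2` in %changelog, so security tracking does not read the removal as a regression. Separately, the rewritten `Source2`/`Source3` lines keep `http://repo1.maven.org/...`; `https://` would be the safer form for the POM downloads.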