packages/fop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-28168

Browse Source 
(cherry picked from commit 050a614ffe3fdb09d29ef06b5bc626188d900c5d)
This commit is contained in:
starlet-dx 2024-10-10 10:20:39 +08:00 committed by openeuler-sync-bot
parent d30463a174
commit 36772a98da
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
backport-CVE-2024-28168.patch Normal file
View File

@ -0,0 +1,29 @@
From d96ba9a11710d02716b6f4f6107ebfa9ccec7134 Mon Sep 17 00:00:00 2001
From: Simon Steiner <ssteiner@apache.org>
Date: Tue, 5 Mar 2024 11:28:18 +0000
Subject: [PATCH] FOP-3168: Add secure processing for XSL input
---
fop-core/src/main/java/org/apache/fop/cli/InputHandler.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
index 6d99bbe40f5..fb72762e91b 100644
--- a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
+++ b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
@@ -26,6 +26,7 @@
import java.lang.reflect.InvocationTargetException;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.ErrorListener;
@@ -265,6 +266,7 @@ protected void transformTo(Result result) throws FOPException {
try {
// Setup XSLT
TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer;
Source xsltSource = createXSLTSource();

8
fop.spec
View File

@ -1,6 +1,6 @@
Name: fop Name: fop
Version: 2.2 Version: 2.2
Release: 8 Release: 9
Summary: Formatter for printing XSL-driven XML Files Summary: Formatter for printing XSL-driven XML Files
License: BSD and Apache-2.0 and MIT and Apache-1.1 License: BSD and Apache-2.0 and MIT and Apache-1.1
URL: https://xmlgraphics.apache.org/fop URL: https://xmlgraphics.apache.org/fop
@ -16,6 +16,9 @@ Patch0003: Allow-javascript-in-javadoc.patch
Patch0004: Non-free-colour-profile-was-removed.patch Patch0004: Non-free-colour-profile-was-removed.patch
Patch0005: Update-to-newer-batik.patch Patch0005: Update-to-newer-batik.patch
Patch0006: Remove-the-mif-parameter-in-the-help-message.patch Patch0006: Remove-the-mif-parameter-in-the-help-message.patch
Patch3000: backport-CVE-2024-28168.patch
BuildRequires: ant apache-commons-io apache-commons-logging avalon-framework BuildRequires: ant apache-commons-io apache-commons-logging avalon-framework
BuildRequires: batik fontbox javapackages-local junit qdox servlet BuildRequires: batik fontbox javapackages-local junit qdox servlet
BuildRequires: xmlunit xmlgraphics-commons >= 1.5 BuildRequires: xmlunit xmlgraphics-commons >= 1.5
@ -84,6 +87,9 @@ install -D -p -m 644 %{SOURCE4} %{buildroot}%{_mavenpomdir}/JPP-%{name}.pom
%changelog %changelog
* Thu Oct 10 2024 yaoxin <yao_xin001@hoperun.com> - 2.2-9
- Fix CVE-2024-28168
* Sat Sep 16 2023 liyanan <thistleslyn@163.com> - 2.2-8 * Sat Sep 16 2023 liyanan <thistleslyn@163.com> - 2.2-8
- Remove the mif parameter in the help message - Remove the mif parameter in the help message