From 0f87153540ca65566905343b30ba8de48fb2de74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C3=A9cureuil?= <neoclust@mageia.org>
Date: Mon, 19 Jul 2021 01:03:08 +0200
Subject: [PATCH 1/2] Add P100->102: Fixes CVE-2021-33813

---
 ...16957b59d305f04c7bdb26292852bcbc2eb5.patch | 36 ++++++++++
 ...b78370098491911d7fe9d7a43b97144a234e.patch | 69 +++++++++++++++++++
 ...3c2fc7893edd914954c73eb577f925a7d361.patch | 34 +++++++++
 jdom2.spec                                    | 13 ++++
 4 files changed, 152 insertions(+)
 create mode 100644 07f316957b59d305f04c7bdb26292852bcbc2eb5.patch
 create mode 100644 bd3ab78370098491911d7fe9d7a43b97144a234e.patch
 create mode 100644 dd4f3c2fc7893edd914954c73eb577f925a7d361.patch

diff --git a/07f316957b59d305f04c7bdb26292852bcbc2eb5.patch b/07f316957b59d305f04c7bdb26292852bcbc2eb5.patch
new file mode 100644
index 0000000..019a524
--- /dev/null
+++ b/07f316957b59d305f04c7bdb26292852bcbc2eb5.patch
@@ -0,0 +1,36 @@
+From 07f316957b59d305f04c7bdb26292852bcbc2eb5 Mon Sep 17 00:00:00 2001
+From: Rolf Lear <rolf@tuis.net>
+Date: Thu, 1 Jul 2021 23:56:47 -0400
+Subject: [PATCH] Update test case to ensure DTD handling is OK again. Related
+ #188. Related #189
+
+---
+ test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+index a69380ba..a35a1b90 100644
+--- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
++++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+@@ -101,6 +101,7 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ import org.jdom2.DefaultJDOMFactory;
+ import org.jdom2.Document;
+ import org.jdom2.EntityRef;
++import org.jdom2.JDOMConstants;
+ import org.jdom2.JDOMException;
+ import org.jdom2.JDOMFactory;
+ import org.jdom2.UncheckedJDOMFactory;
+@@ -609,11 +610,12 @@ public void testSetExternalFeature() {
+ 			XMLReader reader = sb.createParser();
+ 			assertNotNull(reader);
+ 			assertTrue(reader.getFeature(feature));
++			assertNull(reader.getProperty(JDOMConstants.SAX_PROPERTY_DECLARATION_HANDLER));
+ 			sb.setFeature(feature, false);
+ 			reader = sb.createParser();
+ 			assertNotNull(reader);
+ 			assertFalse(reader.getFeature(feature));
+-
++			assertNotNull(reader.getProperty(JDOMConstants.SAX_PROPERTY_DECLARATION_HANDLER));
+ 		} catch (Exception e) {
+ 			e.printStackTrace();
+ 			fail("Could not create parser: " + e.getMessage());
diff --git a/bd3ab78370098491911d7fe9d7a43b97144a234e.patch b/bd3ab78370098491911d7fe9d7a43b97144a234e.patch
new file mode 100644
index 0000000..85e38a2
--- /dev/null
+++ b/bd3ab78370098491911d7fe9d7a43b97144a234e.patch
@@ -0,0 +1,69 @@
+From bd3ab78370098491911d7fe9d7a43b97144a234e Mon Sep 17 00:00:00 2001
+From: Esti <esther.burs@gmail.com>
+Date: Thu, 18 Feb 2021 16:40:01 +0200
+Subject: [PATCH] fix setFeature bug and add test case
+
+---
+ core/src/java/org/jdom2/input/SAXBuilder.java | 10 ++++------
+ .../test/cases/input/TestSAXBuilder.java      | 20 +++++++++++++++++++
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
+index d7105ec6..a1462334 100644
+--- a/core/src/java/org/jdom2/input/SAXBuilder.java
++++ b/core/src/java/org/jdom2/input/SAXBuilder.java
+@@ -971,11 +971,6 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ 			}
+ 		}
+ 
+-		// Set any user-specified features on the parser.
+-		for (final Map.Entry<String, Boolean> me : features.entrySet()) {
+-			internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
+-		}
+-
+ 		// Set any user-specified properties on the parser.
+ 		for (final Map.Entry<String, Object> me : properties.entrySet()) {
+ 			internalSetProperty(parser, me.getKey(), me.getValue(), me.getKey());
+@@ -1007,7 +1002,10 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ 				// No lexical reporting available
+ 			}
+ 		}
+-
++		// Set any user-specified features on the parser.
++		for (final Map.Entry<String, Boolean> me : features.entrySet()) {
++			internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
++		}
+ 	}
+ 
+ 	/**
+diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+index 4ef34834..a69380ba 100644
+--- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
++++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+@@ -600,6 +600,26 @@ public void testSetFeature() {
+ 		}
+ 	}
+ 
++	@Test
++	public void testSetExternalFeature() {
++		String feature = "http://xml.org/sax/features/external-general-entities";
++		MySAXBuilder sb = new MySAXBuilder();
++		try {
++			sb.setFeature(feature, true);
++			XMLReader reader = sb.createParser();
++			assertNotNull(reader);
++			assertTrue(reader.getFeature(feature));
++			sb.setFeature(feature, false);
++			reader = sb.createParser();
++			assertNotNull(reader);
++			assertFalse(reader.getFeature(feature));
++
++		} catch (Exception e) {
++			e.printStackTrace();
++			fail("Could not create parser: " + e.getMessage());
++		}
++	}
++
+ 	@Test
+ 	public void testSetProperty() {
+ 		LexicalHandler lh = new LexicalHandler() {
diff --git a/dd4f3c2fc7893edd914954c73eb577f925a7d361.patch b/dd4f3c2fc7893edd914954c73eb577f925a7d361.patch
new file mode 100644
index 0000000..06ac749
--- /dev/null
+++ b/dd4f3c2fc7893edd914954c73eb577f925a7d361.patch
@@ -0,0 +1,34 @@
+From dd4f3c2fc7893edd914954c73eb577f925a7d361 Mon Sep 17 00:00:00 2001
+From: Rolf Lear <rolf@tuis.net>
+Date: Thu, 1 Jul 2021 23:42:05 -0400
+Subject: [PATCH] Addresses #189 - synchronizes external entity expansion
+ setting
+
+---
+ core/src/java/org/jdom2/input/SAXBuilder.java | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
+index a1462334..514b026d 100644
+--- a/core/src/java/org/jdom2/input/SAXBuilder.java
++++ b/core/src/java/org/jdom2/input/SAXBuilder.java
+@@ -82,6 +82,7 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ import org.jdom2.DocType;
+ import org.jdom2.Document;
+ import org.jdom2.EntityRef;
++import org.jdom2.JDOMConstants;
+ import org.jdom2.JDOMException;
+ import org.jdom2.JDOMFactory;
+ import org.jdom2.Verifier;
+@@ -797,6 +798,11 @@ public void setFastReconfigure(final boolean fastReconfigure) {
+ 	public void setFeature(final String name, final boolean value) {
+ 		// Save the specified feature for later.
+ 		features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
++		if (JDOMConstants.SAX_FEATURE_EXTERNAL_ENT.equals(name)) {
++			// See issue https://github.com/hunterhacker/jdom/issues/189
++			// And PR https://github.com/hunterhacker/jdom/pull/188
++			setExpandEntities(value);
++		}
+ 		engine = null;
+ 	}
+ 
diff --git a/jdom2.spec b/jdom2.spec
index 2f6239a..f670767 100644
--- a/jdom2.spec
+++ b/jdom2.spec
@@ -17,6 +17,15 @@ Source4:       generate-tarball.sh
 # Process contrib and junit pom files
 Patch0:        0001-Adapt-build.patch
 
+#
+# Security patches
+# P100 -> ...
+#
+# CVE-2021-33813
+Patch100:      bd3ab78370098491911d7fe9d7a43b97144a234e.patch
+Patch101:      dd4f3c2fc7893edd914954c73eb577f925a7d361.patch
+Patch102:      07f316957b59d305f04c7bdb26292852bcbc2eb5.patch
+
 BuildRequires: javapackages-local
 %if %{with bootstrap}
 BuildRequires:  javapackages-bootstrap
@@ -49,6 +58,10 @@ This package contains javadoc for %{name}.
 
 %patch0 -p1
 
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
+
 sed -i 's/\r//' LICENSE.txt README.txt
 
 # Unable to run coverage: use log4j12 but switch to log4j 2.x

From 45572eb31f1535f27efcd8e625d6dedf1c03823a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C3=A9cureuil?= <neoclust@mageia.org>
Date: Tue, 20 Jul 2021 14:54:04 +0200
Subject: [PATCH 2/2] Bump release

---
 jdom2.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/jdom2.spec b/jdom2.spec
index f670767..3efa97c 100644
--- a/jdom2.spec
+++ b/jdom2.spec
@@ -2,7 +2,7 @@
 
 Name:          jdom2
 Version:       2.0.6
-Release:       22%{?dist}
+Release:       23%{?dist}
 Summary:       Java manipulation of XML made easy
 License:       Saxpath
 URL:           http://www.jdom.org/
@@ -93,6 +93,10 @@ mkdir lib
 %license LICENSE.txt
 
 %changelog
+* Tue Jul 20 2021 Nicolas Lécureuil <neoclust@mageia.org> - 2.0.6-23
+- Bootstrap build
+- Non-bootstrap build
+
 * Mon May 17 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.0.6-22
 - Bootstrap build
 - Non-bootstrap build