!39 [sync] PR-33: Update to 1.17 for fix CVE-2022-38398,CVE-2022-38648,CVE-2022-40146,CVE-2022-44729 and CVE-2022-44730

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

CVE-2019-17566.patch

@@ -1,116 +0,0 @@
-From bc6078ca949039e2076cd08b4cb169c84c1179b1 Mon Sep 17 00:00:00 2001
-From: Simon Steiner <ssteiner@apache.org>
-Date: Mon, 9 Dec 2019 12:24:18 +0000
-Subject: [PATCH] BATIK-1276: Allow blocking of external resources
-
-git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1871084 13f79535-47bb-0310-9956-ffa450edef68
----
- .../apache/batik/apps/rasterizer/Main.java    | 17 +++++++++++++++++
- .../batik/apps/rasterizer/SVGConverter.java   |  6 ++++++
- .../transcoder/SVGAbstractTranscoder.java     | 19 +++++++++++++++++++
- 3 files changed, 42 insertions(+)
-
-diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
-index c70b4dd691..a4248b527d 100644
---- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
-+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
-@@ -501,6 +501,12 @@ public Color parseARGB(String argbVal){
-     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
-         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
- 
-+    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
-+            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
-+
-+    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
-+            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
-+
-     /**
-      * Option to turn off secure execution of scripts
-      */
-@@ -829,6 +835,17 @@ public String getOptionDescription(){
-                               return CL_OPTION_SECURITY_OFF_DESCRIPTION;
-                           }
-                       });
-+
-+        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
-+                new NoValueOptionHandler(){
-+                    public void handleOption(SVGConverter c){
-+                        c.allowExternalResources = false;
-+                    }
-+
-+                    public String getOptionDescription(){
-+                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
-+                    }
-+                });
-     }
- 
-     /**
-diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
-index 324c3abcfe..9ec2135458 100644
---- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
-+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
-@@ -253,6 +253,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
-         the document which references them. */
-     protected boolean constrainScriptOrigin = true;
- 
-+    protected boolean allowExternalResources = true;
-+
-     /** Controls whether scripts should be run securely or not */
-     protected boolean securityOff = false;
- 
-@@ -925,6 +927,10 @@ protected Map computeTranscodingHints(){
-             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
-         }
- 
-+        if (!allowExternalResources) {
-+            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
-+        }
-+
-         return map;
-     }
- 
-diff --git a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
-index 65d983bfae..8d6ffe3b1f 100644
---- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
-+++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
-@@ -33,8 +33,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
- import org.apache.batik.bridge.BridgeContext;
- import org.apache.batik.bridge.BridgeException;
- import org.apache.batik.bridge.DefaultScriptSecurity;
-+import org.apache.batik.bridge.ExternalResourceSecurity;
- import org.apache.batik.bridge.GVTBuilder;
- import org.apache.batik.bridge.NoLoadScriptSecurity;
-+import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
- import org.apache.batik.bridge.RelaxedScriptSecurity;
- import org.apache.batik.bridge.SVGUtilities;
- import org.apache.batik.bridge.ScriptSecurity;
-@@ -877,6 +879,9 @@ protected void setImageSize(float docWidth, float docHeight) {
-         = new BooleanKey();
- 
- 
-+    public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
-+            = new BooleanKey();
-+
-     /**
-      * A user agent implementation for <code>PrintTranscoder</code>.
-      */
-@@ -1109,5 +1114,19 @@ protected void computeAllowedScripts(){
-             }
-         }
- 
-+        public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
-+            if (isAllowExternalResources()) {
-+                return super.getExternalResourceSecurity(resourceURL, docURL);
-+            }
-+            return new NoLoadExternalResourceSecurity();
-+        }
-+
-+        public boolean isAllowExternalResources() {
-+            Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
-+            if (b != null) {
-+                return b;
-+            }
-+            return true;
-+        }
-     }
- }

batik.spec

@@ -1,20 +1,21 @@
-%global classpath batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons:jai_imageio
+%global classpath batik:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons
 Name:           batik
-Version:        1.10
+Version:        1.17
-Release:        4
+Release:        1
 Summary:        Batik is an inline templating engine for CoffeeScript
-License:        Apache-2.0 and W3C
+License:        Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1
 URL:            https://xmlgraphics.apache.org/batik/
 Source0:        http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
 Source1:        %{name}-security.policy
 
 Patch1:         0001-Fix-imageio-codec-lookup.patch
-Patch6000:      CVE-2019-17566.patch
 
 BuildArch:      noarch
 
 BuildRequires:  maven-local junit apache-parent rhino maven-assembly-plugin
 BuildRequires:  jython xalan-j2 xml-commons-apis maven-plugin-bundle xmlgraphics-commons
+BuildRequires:  maven-dependency-plugin
+Requires:       java-1.8.0-openjdk
 
 Recommends:     jai-imageio-core	
 
@@ -52,18 +53,13 @@ install -p %{SOURCE1} \
 install -p %{SOURCE1} \
 	batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
 
-%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject \
+%pom_xpath_inject 'pom:dependency[pom:artifactId="xmlgraphics-commons"]' '<optional>true</optional>' batik-css
-	pom:dependency '<optional>true</optional>' batik-all
-%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject \
-	'pom:dependency[pom:artifactId="xmlgraphics-commons"]' '<optional>true</optional>' batik-css
 
 cp -a batik-i18n/src/main/java/org/apache/batik/i18n batik-util/src/main/java/org/apache/batik/
-
+%pom_remove_dep :batik-i18n batik-util
-%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_remove_dep :batik-i18n batik-util
 
 for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do
-    %{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_add_plugin org.apache.felix:maven-bundle-plugin \
+    %pom_add_plugin org.apache.felix:maven-bundle-plugin $pom "
-    $pom "
         <extensions>true</extensions>
         <configuration>
             <instructions>
@@ -71,28 +67,43 @@ for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do
             </instructions>
         </configuration>
     "
-    %{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject pom:project \
+    %pom_xpath_inject pom:project '<packaging>bundle</packaging>' $pom
-	'<packaging>bundle</packaging>' $pom
 done
 
-%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_set pom:Bundle-SymbolicName \
+%pom_xpath_set pom:Bundle-SymbolicName org.apache.batik.util.gui batik-gui-util
-	org.apache.batik.util.gui batik-gui-util
+%pom_disable_module batik-test-old
-%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_disable_module batik-test-old
 
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-squiggle squiggle
+%pom_remove_dep :rhino batik-{bridge,script}
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-squiggle-ext squiggle
+%pom_remove_dep :jython batik-script
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-svgpp svgpp
+rm -rf batik-script/src/main/java/org/apache/batik/script/{jpython,rhino}
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-ttf2svg ttf2svg
+rm batik-bridge/src/main/java/org/apache/batik/bridge/BatikWrapFactory.java
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-rasterizer rasterizer
+rm batik-bridge/src/main/java/org/apache/batik/bridge/SVG12RhinoInterpreter.java
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-rasterizer-ext rasterizer
+rm batik-bridge/src/main/java/org/apache/batik/bridge/RhinoInterpreter.java
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-slideshow slideshow
+rm batik-bridge/src/main/java/org/apache/batik/bridge/RhinoInterpreterFactory.java
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-css css
+rm batik-bridge/src/main/java/org/apache/batik/bridge/EventTargetWrapper.java
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py ':batik-test*' __noinstall
+rm batik-bridge/src/main/java/org/apache/batik/bridge/GlobalWrapper.java
+rm batik-bridge/src/main/java/org/apache/batik/bridge/WindowWrapper.java
 
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_file.py :batik-all batik-all
+%mvn_package :batik-squiggle squiggle
+%mvn_package :batik-squiggle-ext squiggle
+%mvn_package :batik-svgpp svgpp
+%mvn_package :batik-ttf2svg ttf2svg
+%mvn_package :batik-rasterizer rasterizer
+%mvn_package :batik-rasterizer-ext rasterizer
+%mvn_package :batik-slideshow slideshow
+%mvn_package :batik-css css
+%mvn_package :batik-constants util
+%mvn_package :batik-shared-resources util
+%mvn_package :batik-i18n util
+%mvn_package :batik-util util
+%mvn_package ':batik-test*' __noinstall
+
+%mvn_file :batik-all batik-all
+
+rm batik-script/src/main/java/org/apache/batik/script/jacl/JaclInterpreter.java
 
 %build
-%{_bindir}/python3 %{_datadir}/java-utils/mvn_build.py
+%mvn_build
 
 %install
 %mvn_install
@@ -121,6 +132,21 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
 %doc CHANGES MAINTAIN README NOTICE
 
 %changelog
+* Thu Sep 07 2023 yaoxin <yao_xin001@hoperun.com> - 1.17-1
+- Update to 1.17 for fix CVE-2022-38398,CVE-2022-38648,CVE-2022-40146,CVE-2022-44729 and CVE-2022-44730
+
+* Fri Feb 3 2023 caodongxia <caodongxia@h-partners.com> - 1.10-8
+- Add install require java-1.8.0-openjdk
+
+* Wed Dec 28 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 1.10-7
+- Fix CVE-2022-41704 and CVE-2022-42890
+
+* Wed Mar 31 2021 lingsheng <lingsheng@huawei.com> - 1.10-6
+- Remove unneeded rhino and jai_imageio in classpath
+
+* Thu Mar 11 2021 wangyue <wangyue92@huawei.com> - 1.10-5
+- fix CVE-2020-11987
+
 * Mon Dec 07 2020 zhanghua <zhanghua40@huawei.com> - 1.10-4
 - fix CVE-2019-17566