From 88cd734979f7b7e70a1744a5b98a8fec832c6d07 Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Sat, 12 Dec 2020 17:22:23 +0800
Subject: [PATCH] fix CVE-2020-25649
---
 CVE-2020-25649.patch | 28 ++++++++++++++++++++++++++++
 jackson-databind.spec | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-25649.patch
diff --git a/CVE-2020-25649.patch b/CVE-2020-25649.patch
new file mode 100644
index 0000000..dbea40b
--- /dev/null
+++ b/CVE-2020-25649.patch
@@ -0,0 +1,28 @@
+From 612f971b78c60202e9cd75a299050c8f2d724a59 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Thu, 9 Jan 2020 19:22:07 -0800
+Subject: [PATCH] Fix #2589
+
+---
+ .../fasterxml/jackson/databind/ext/DOMDeserializer.java | 8 ++++++++
+ 1 files changed, 8 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+index 74bc18da7b..e7c72ff98d 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+@@ -39,6 +39,14 @@
+ // 14-Jul-2016, tatu: Not sure how or why, but during code coverage runs
+ // (via Cobertura) we get `java.lang.AbstractMethodError` so... ignore that too
+ }
++
++ // [databind#2589] add two more settings just in case
++ try {
++ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ } catch (Throwable t) { } // as per previous one, nothing much to do
++ try {
++ parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ } catch (Throwable t) { } // as per previous one, nothing much to do
+ DEFAULT_PARSER_FACTORY = parserFactory;
+ }
+
diff --git a/jackson-databind.spec b/jackson-databind.spec
index 9fe06fc..2405a52 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
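Review bot: Both new `catch (Throwable t) { }` blocks in the DOMDeserializer hunk discard every failure, so on a JAXP implementation that does not recognise the Apache-specific feature URIs the DOCTYPE and external-DTD hardening is silently skipped and nothing records that the factory is running in the weaker configuration. If `parserFactory` is a `DocumentBuilderFactory` (its declaration and the enclosing static initializer start outside the hunk), `setFeature` only declares `ParserConfigurationException`, so `} catch (ParserConfigurationException | Error e) { // feature unsupported by this parser; DOCTYPE hardening not applied }` keeps the best-effort intent without also hiding programming errors, and a one-line log at that point would make the degraded state visible to operators. Since this file is a backport applied from the spec, the patch header's `Subject: [PATCH] Fix #2589` could also carry a line such as `Backport of upstream 612f971b for CVE-2020-25649` so the file is traceable on its own.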
@@ -1,6 +1,6 @@
 Name: jackson-databind
 Version: 2.9.8
-Release: 2
+Release: 3
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: https://github.com/FasterXML/jackson-databind/
@@ -37,6 +37,8 @@ Patch0028: CVE-2020-14062.patch
 Patch0029: CVE-2020-14195.patch
 Patch0030: CVE-2020-24750.patch
 Patch0031: CVE-2020-24616.patch
+Patch0032: CVE-2020-25649.patch
+
 BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
 BuildRequires: mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
@@ -88,6 +90,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
 %license LICENSE NOTICE
 %changelog
+* Sat Dec 12 2020 zhanghua - 2.9.8-3
+- fix CVE-2020-25649
+
 * Sat Sep 19 2020 wangxiao - 2.9.8-2
 - fix cves
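Review bot: `Patch0032: CVE-2020-25649.patch` only declares the patch; whether it is applied is decided in `%prep`, which is outside this hunk. If the spec applies patches with explicit `%patchNN -p1` lines rather than `%autosetup -p1`, this change would build successfully while still shipping the unhardened DOMDeserializer, so the matching `%patch32 -p1` line (or confirmation that `%autosetup` covers it) belongs in the same commit. The blank line added after `Patch0032:` also splits the otherwise contiguous Patch list from `BuildRequires` and could be dropped for consistency with the surrounding entries.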