fix CVE-2019-10172

(cherry picked from commit 55834bfb8c7ec62b9b799457466da7d03352dca6)

CVE-2019-10172-1.patch

@@ -0,0 +1,48 @@
+From 54c6bc36aa57741ea669ad110ce28acaa1600864 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fanning@workday.com>
+Date: Fri, 1 Jul 2016 01:49:46 +0100
+Subject: [PATCH] Set Secure Processing flag on DocumentBuilderFactory
+
+---
+ .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 7 +++++++
+ .../codehaus/jackson/xc/DomElementJsonDeserializer.java    | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 50e6016c2..3a486b9e4 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -2,7 +2,9 @@
+ 
+ import java.io.StringReader;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+ 
+ import org.codehaus.jackson.map.DeserializationContext;
+ import org.codehaus.jackson.map.deser.std.FromStringDeserializer;
+@@ -22,6 +24,11 @@
+         _parserFactory = DocumentBuilderFactory.newInstance();
+         // yup, only cave men do XML without recognizing namespaces...
+         _parserFactory.setNamespaceAware(true);
++        try {
++            _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++        } catch(ParserConfigurationException pce) {
++            System.err.println("[DOMDeserializer] Problem setting SECURE_PROCESSING_FEATURE: " + pce.toString());
++        }
+     }
+ 
+     protected DOMDeserializer(Class<T> cls) { super(cls); }
+diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index cf9c073d9..ccd631aa3 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,6 +30,7 @@ public DomElementJsonDeserializer()
+         try {
+             DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+             bf.setNamespaceAware(true);
++            bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+             builder = bf.newDocumentBuilder();
+         } catch (ParserConfigurationException e) {
+             throw new RuntimeException();

CVE-2019-10172-2.patch

@@ -0,0 +1,39 @@
+From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fanning@workday.com>
+Date: Fri, 1 Jul 2016 22:57:06 +0100
+Subject: [PATCH] setExpandEntityReferences(false)
+
+---
+ .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java     | 1 +
+ .../org/codehaus/jackson/xc/DomElementJsonDeserializer.java    | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 3a486b9e4..97f76af97 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -24,6 +24,7 @@
+         _parserFactory = DocumentBuilderFactory.newInstance();
+         // yup, only cave men do XML without recognizing namespaces...
+         _parserFactory.setNamespaceAware(true);
++        _parserFactory.setExpandEntityReferences(false);
+         try {
+             _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+         } catch(ParserConfigurationException pce) {
+diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index ccd631aa3..8b1de578a 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,10 +30,11 @@ public DomElementJsonDeserializer()
+         try {
+             DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+             bf.setNamespaceAware(true);
++            bf.setExpandEntityReferences(false);
+             bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+             builder = bf.newDocumentBuilder();
+         } catch (ParserConfigurationException e) {
+-            throw new RuntimeException();
++            throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString());
+         }
+     }
+ 

jackson.spec

@@ -1,6 +1,6 @@
 Name:          jackson
 Version:       1.9.11
-Release:       16
+Release:       17
 Summary:       Jackson Java JSON-processor
 License:       ASL2.0 and LGPLv2
 URL:           https://github.com/codehaus/jackson
@@ -9,6 +9,8 @@ Patch0001:     jackson-build-plain-jars-instead-of-osgi-bundles.patch
 Patch0002:     jackson-dont-require-repackaged-asm.patch
 Patch0003:     jackson-1.9.11-to-1.9.13.patch
 Patch0004:     jackson-1.9.11-javadoc.patch
+Patch0005:     CVE-2019-10172-1.patch
+Patch0006:     CVE-2019-10172-2.patch
 BuildArch:     noarch
 Requires:      joda-time >= 1.6.2 stax2-api >= 3.1.1 jsr-311 >= 1.1.1 objectweb-asm3 >= 3.3
 BuildRequires: javapackages-local ant >= 1.8.2 joda-time >= 1.6.2 stax2-api >= 3.1.1
@@ -69,6 +71,9 @@ ant dist
 %doc README.txt
 
 %changelog
+* Mon Sep 13 2021 yaoxin <yaoxin30@huawei.com> - 1.9.11-17
+- Fix CVE-2019-10172
+
 * Thu Feb 4 2021 wutao <wutao61@huawei.com> - 1.9.11-16
 - drop groovy18 dependency