!12 [sync] PR-8: Fix CVE-2021-33813

From: @openeuler-sync-bot 
Reviewed-by: @wangchong1995924 
Signed-off-by: @wangchong1995924

CVE-2021-33813-1.patch

@@ -0,0 +1,69 @@
+From bd3ab78370098491911d7fe9d7a43b97144a234e Mon Sep 17 00:00:00 2001
+From: Esti <esther.burs@gmail.com>
+Date: Thu, 18 Feb 2021 16:40:01 +0200
+Subject: [PATCH] fix setFeature bug and add test case
+
+---
+ core/src/java/org/jdom2/input/SAXBuilder.java | 10 ++++------
+ .../test/cases/input/TestSAXBuilder.java      | 20 +++++++++++++++++++
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
+index d7105ec6..a1462334 100644
+--- a/core/src/java/org/jdom2/input/SAXBuilder.java
++++ b/core/src/java/org/jdom2/input/SAXBuilder.java
+@@ -971,11 +971,6 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ 			}
+ 		}
+ 
+-		// Set any user-specified features on the parser.
+-		for (final Map.Entry<String, Boolean> me : features.entrySet()) {
+-			internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
+-		}
+-
+ 		// Set any user-specified properties on the parser.
+ 		for (final Map.Entry<String, Object> me : properties.entrySet()) {
+ 			internalSetProperty(parser, me.getKey(), me.getValue(), me.getKey());
+@@ -1007,7 +1002,10 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
+ 				// No lexical reporting available
+ 			}
+ 		}
+-
++		// Set any user-specified features on the parser.
++		for (final Map.Entry<String, Boolean> me : features.entrySet()) {
++			internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
++		}
+ 	}
+ 
+ 	/**
+diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+index 4ef34834..a69380ba 100644
+--- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
++++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+@@ -600,6 +600,26 @@ public void testSetFeature() {
+ 		}
+ 	}
+ 
++	@Test
++	public void testSetExternalFeature() {
++		String feature = "http://xml.org/sax/features/external-general-entities";
++		MySAXBuilder sb = new MySAXBuilder();
++		try {
++			sb.setFeature(feature, true);
++			XMLReader reader = sb.createParser();
++			assertNotNull(reader);
++			assertTrue(reader.getFeature(feature));
++			sb.setFeature(feature, false);
++			reader = sb.createParser();
++			assertNotNull(reader);
++			assertFalse(reader.getFeature(feature));
++
++		} catch (Exception e) {
++			e.printStackTrace();
++			fail("Could not create parser: " + e.getMessage());
++		}
++	}
++
+ 	@Test
+ 	public void testSetProperty() {
+ 		LexicalHandler lh = new LexicalHandler() {

CVE-2021-33813-2.patch

@@ -0,0 +1,34 @@
+From dd4f3c2fc7893edd914954c73eb577f925a7d361 Mon Sep 17 00:00:00 2001
+From: Rolf Lear <rolf@tuis.net>
+Date: Thu, 1 Jul 2021 23:42:05 -0400
+Subject: [PATCH] Addresses #189 - synchronizes external entity expansion
+ setting
+
+---
+ core/src/java/org/jdom2/input/SAXBuilder.java | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
+index a1462334..514b026d 100644
+--- a/core/src/java/org/jdom2/input/SAXBuilder.java
++++ b/core/src/java/org/jdom2/input/SAXBuilder.java
+@@ -82,6 +82,7 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ import org.jdom2.DocType;
+ import org.jdom2.Document;
+ import org.jdom2.EntityRef;
++import org.jdom2.JDOMConstants;
+ import org.jdom2.JDOMException;
+ import org.jdom2.JDOMFactory;
+ import org.jdom2.Verifier;
+@@ -797,6 +798,11 @@ public void setFastReconfigure(final boolean fastReconfigure) {
+ 	public void setFeature(final String name, final boolean value) {
+ 		// Save the specified feature for later.
+ 		features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
++		if (JDOMConstants.SAX_FEATURE_EXTERNAL_ENT.equals(name)) {
++			// See issue https://github.com/hunterhacker/jdom/issues/189
++			// And PR https://github.com/hunterhacker/jdom/pull/188
++			setExpandEntities(value);
++		}
+ 		engine = null;
+ 	}
+ 

jdom2.spec

@@ -1,6 +1,6 @@
 Name:          jdom2
 Version:       2.0.6
-Release:       14
+Release:       15
 Summary:       Classes representing the components of an XML document
 License:       Saxpath
 URL:           http://www.jdom.org/
@@ -10,6 +10,10 @@ Source1:       jdom-contrib-template.pom
 Source2:       jdom-junit-template.pom
 Source3:       bnd.properties
 Patch0001:     0001-Adapt-build.patch
+#https://github.com/hunterhacker/jdom/commit/bd3ab783700984919.patch
+Patch0002:     CVE-2021-33813-1.patch
+#https://github.com/hunterhacker/jdom/commit/dd4f3c2fc7893edd9.patch
+Patch0003:     CVE-2021-33813-2.patch
 BuildRequires: javapackages-local ant ant-junit isorelax jaxen xalan-j2 xerces-j2 xml-commons-apis log4j12 aqute-bnd
 
 %description
@@ -56,6 +60,9 @@ mv build/package/jdom-%{version}.bar build/package/jdom-%{version}.jar
 %doc CHANGES.txt COMMITTERS.txt README.txt TODO.txt
 
 %changelog
+* Wed Apr 20 2022 yaoxin <yaoxin30@h-partners.com> - 2.0.6-15
+- Fix CVE-2021-33813
+
 * Thu Dec 20 2020 gulining<gulining1@huawei.com> - 2.0.6-14
 - remove useless comment