From e0c4e9227b61804bde210ff27bd2e5face37a385 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Sun, 24 Apr 2022 14:26:44 +0800 Subject: [PATCH] Fix CVE-2020-11988 (cherry picked from commit 1a0e583e01f087e43298b7d9714fcaebd8da43a2) --- CVE-2020-11988.patch | 77 ++++++++++++++++++++++++++++++++++++++++ xmlgraphics-commons.spec | 8 ++++- 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-11988.patch diff --git a/CVE-2020-11988.patch b/CVE-2020-11988.patch new file mode 100644 index 0000000..dcabea3 --- /dev/null +++ b/CVE-2020-11988.patch 
@@ -0,0 +1,77 @@
+From 57393912eb87b994c7fed39ddf30fb778a275183 Mon Sep 17 00:00:00 2001
+From: Simon Steiner
+Date: Tue, 2 Jun 2020 13:18:41 +0000
+Subject: [PATCH] XGC-122: Dont load DTDs in XMP
+
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/commons/trunk@1878394 13f79535-47bb-0310-9956-ffa450edef68
+---
+ .../org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
+ .../xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index 5e7d8b6..e907e89 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@
+ 
+ import java.net.URL;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public static Metadata parseXMP(URL url) throws TransformerException {
+ */
+ public static Metadata parseXMP(Source src) throws TransformerException {
+ TransformerFactory tFactory = TransformerFactory.newInstance();
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tFactory.newTransformer();
+ XMPHandler handler = createXMPHandler();
+ SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 6519de6..3250d08 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+ 
+ package org.apache.xmlgraphics.xmp;
+ 
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import 
java.util.TimeZone; + ++import javax.xml.transform.TransformerException; ++import javax.xml.transform.stream.StreamSource; ++ + import org.junit.Test; + + import static org.junit.Assert.assertEquals; + import static org.junit.Assert.assertNotNull; + import static org.junit.Assert.assertNull; ++import static org.junit.Assert.assertTrue; + + import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter; + import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema; +@@ -189,4 +194,18 @@ public void testParseEmptyValues() throws Exception { + assertNull(title); //Empty value treated same as not existant + } + ++ @Test ++ public void testExternalDTD() { ++ String payload = "" ++ + "\n%remote;]>\n" ++ + ""; ++ StreamSource streamSource = new StreamSource(new StringReader(payload)); ++ String msg = ""; ++ try { ++ XMPParser.parseXMP(streamSource); ++ } catch (TransformerException e) { ++ msg = e.getMessage(); ++ } ++ assertTrue(msg, msg.contains("access is not allowed")); ++ } + } diff --git a/xmlgraphics-commons.spec b/xmlgraphics-commons.spec index 1ccc0f5..d3deffa 100644 --- a/xmlgraphics-commons.spec +++ b/xmlgraphics-commons.spec @@ -1,12 +1,15 @@ Name: xmlgraphics-commons Version: 2.2 -Release: 3 +Release: 4 Summary: A library that consists of several reusable components License: ASL 2.0 URL: http://xmlgraphics.apache.org/ Source0: http://archive.apache.org/dist/xmlgraphics/commons/source/xmlgraphics-commons-%{version}-src.tar.gz BuildArch: noarch +#https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183 +Patch0: CVE-2020-11988.patch + BuildRequires: maven-local, mvn(commons-io:commons-io), mvn(commons-logging:commons-logging), mvn(junit:junit) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin), mvn(org.mockito:mockito-core), mvn(xml-resolver:xml-resolver) Provides: %{name}-javadoc%{?_isa} %{name}-javadoc 
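Review bot: The two `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD/ACCESS_EXTERNAL_STYLESHEET, "")` calls added to `parseXMP(Source)` in the nested XMPParser.java hunk are honoured by the JDK's built-in factory, but `TransformerFactory.newInstance()` goes through the service loader, and a third-party factory that does not recognise these JAXP 1.5 attributes throws `IllegalArgumentException` (per the `setAttribute` contract), which the patch neither catches nor anticipates, and the patch does not enable `XMLConstants.FEATURE_SECURE_PROCESSING`, the feature every JAXP factory is required to support and the conventional baseline for untrusted input. Since XMP metadata never legitimately needs external DTDs, entities or stylesheets, I would enable secure processing unconditionally and fail closed when the access-restriction attributes are rejected, rather than let an unsupported factory fall back to an unrestricted parse. The body of `parseXMP(Source)` continues outside the nested hunk. Separately, `testExternalDTD` asserts on the implementation-specific message fragment `"access is not allowed"`; asserting only that a `TransformerException` was thrown would survive a different JAXP implementation's wording, and note that as rendered here the XML markup of the `payload` literal appears to have been stripped, so that line cannot be checked from this page.
```java
TransformerFactory tFactory = TransformerFactory.newInstance();
// XMP metadata never needs external DTDs, entities or stylesheets: refuse all of them.
// FEATURE_SECURE_PROCESSING must be supported by every JAXP factory, so it cannot be rejected.
tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
try {
    tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException e) {
    // Factory predates JAXP 1.5 and cannot restrict external access: fail closed rather than parse unrestricted.
    throw new TransformerException("TransformerFactory does not support access restrictions", e);
}
// … unchanged: newTransformer(), XMPHandler, SAXResult …
```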
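Review bot: `Patch0: CVE-2020-11988.patch` is declared in the first xmlgraphics-commons.spec hunk, but no hunk in this diff applies it and the `%prep` section is not shown; if `%prep` uses plain `%setup -q` rather than `%autosetup -p1` or `%autopatch`, the package builds the unpatched 2.2 source while the Release bump and changelog advertise the CVE as fixed. Please confirm what `%prep` does, or add `%patch0 -p1` after the `%setup` line. The upstream commit referenced in the comment was made against trunk in 2020 whereas this package is 2.2, so a build log showing the patch applying without rejects would be worth attaching to the change.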
@@ -56,5 +59,8 @@ find -name "*.jar" -delete %{_javadocdir}/%{name}/* %changelog +* Sun Apr 24 2022 yaoxin - 2.2-4 +- Fix CVE-2020-11988 + * Fri Dec 6 2019 openEuler Buildteam - 2.2-3 - Package init