diffstat for fop-1.1.dfsg fop-1.1.dfsg
 changelog | 31 ++++++++++++++++++++++++++++++-
 control | 7 ++++---
 patches/CVE-2017-5661.patch | 32 ++++++++++++++++++++++++++++++++
 patches/series | 1 +
 rules | 2 +-
 5 files changed, 68 insertions(+), 5 deletions(-)
diff -Nru fop-1.1.dfsg/debian/changelog fop-1.1.dfsg/debian/changelog
--- fop-1.1.dfsg/debian/changelog 2013-05-16 08:49:59.000000000 +0000
+++ fop-1.1.dfsg/debian/changelog 2017-05-04 16:57:36.000000000 +0000
@@ -1,3 +1,21 @@
+fop (1:1.1.dfsg-2ubuntu1.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: SSRF through external DTD resolution
+ - debian/patches/CVE-2017-5661.patch: disable external DTD resolution
+ in src/java/org/apache/fop/cli/InputHandler.java,
+ src/java/org/apache/fop/servlet/FopServlet.java.
+ - Thanks to Debian for the patch backport.
+ - CVE-2017-5661
+
+ -- Marc Deslauriers Thu, 04 May 2017 12:56:32 -0400
+
+fop (1:1.1.dfsg-2ubuntu1) saucy; urgency=low
+
+ * Merge from Debian unstable. Remaining changes:
+ - Transition libservlet2.5-java -> libservlet3.0-java.
+
+ -- James Page Tue, 21 May 2013 12:21:26 +0100
+
 fop (1:1.1.dfsg-2) unstable; urgency=low
 
  * Upload to sid
@@ -23,6 +41,18 @@
 
  -- Mathieu Malaterre Sat, 03 Nov 2012 15:35:23 +0100
 
+fop (1:1.0.dfsg2-6ubuntu1) quantal; urgency=low
+
+ * Transition libservlet2.5-java -> libservlet3.0-java (LP: #1023405).
+
+ -- James Page Thu, 12 Jul 2012 15:13:49 +0100
+
+fop (1:1.0.dfsg2-6build1) quantal; urgency=low
+
+ * No-change rebuild with openjdk-7 as default-jdk.
+
+ -- James Page Fri, 18 May 2012 12:11:54 +0100
+
 fop (1:1.0.dfsg2-6) unstable; urgency=low
 
  [ Mathieu Malaterre ]
@@ -482,4 +512,3 @@
 
  -- Julio Maia Fri, 17 Sep 1999 00:38:11 -0300
 
-
diff -Nru fop-1.1.dfsg/debian/control fop-1.1.dfsg/debian/control
--- fop-1.1.dfsg/debian/control 2013-05-16 08:40:07.000000000 +0000
+++ fop-1.1.dfsg/debian/control 2013-05-17 08:44:21.000000000 +0000
@@ -1,7 +1,8 @@
 Source: fop
 Section: text
 Priority: optional
-Maintainer: Debian Java Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Java Maintainers
 Uploaders: Sylvestre Ledru ,
 Torsten Werner ,
 Mathieu Malaterre ,
@@ -11,7 +12,7 @@
 libavalon-framework-java (>= 4.1.2-2), libxalan2-java, libxerces2-java, default-jdk, libcommons-io-java, libxmlunit-java, libcommons-logging-java, junit, libxmlgraphics-commons-java (>= 1.5),
- libservlet2.5-java, libxml-commons-external-java, maven-repo-helper, libqdox-java (>= 1.12),
+ libservlet3.0-java, libxml-commons-external-java, maven-repo-helper, libqdox-java (>= 1.12),
 unzip
 Standards-Version: 3.9.4
 Homepage: http://xmlgraphics.apache.org/fop/
@@ -22,7 +23,7 @@
 Architecture: all
 Depends: ${misc:Depends}, default-jre-headless | java2-runtime-headless, libfop-java (= ${binary:Version})
 Recommends: libsaxon-java
-Suggests: fop-doc, libservlet2.5-java
+Suggests: fop-doc, libservlet3.0-java
 Description: XML formatter driven by XSL Formatting Objects (XSL-FO.)
 FOP is a Java application that reads a formatting object tree and then turns it into a wide variety of output presentations (including AFP,
diff -Nru fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch
--- fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch 1970-01-01 00:00:00.000000000 +0000
+++ fop-1.1.dfsg/debian/patches/CVE-2017-5661.patch 2017-05-04 16:56:29.000000000 +0000
@@ -0,0 +1,32 @@
+Description: fix for CVE-2017-5661
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1769967, http://svn.apache.org/viewvc?view=revision&revision=1769968
+Bug: https://issues.apache.org/jira/browse/FOP-2668
+Bug-Debian: https://bugs.debian.org/860567
+Reviewed-By: Antoine Beaupré
+Last-Update: 2017-04-26
+
+Index: fop-1.1.dfsg/src/java/org/apache/fop/cli/InputHandler.java
+===================================================================
+--- fop-1.1.dfsg.orig/src/java/org/apache/fop/cli/InputHandler.java 2017-05-04 12:56:26.055051440 -0400
++++ fop-1.1.dfsg/src/java/org/apache/fop/cli/InputHandler.java 2017-05-04 12:56:26.055051440 -0400
+@@ -259,6 +259,7 @@ public class InputHandler implements Err
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ spf.setFeature("http://xml.org/sax/features/namespaces", true);
+ spf.setFeature("http://apache.org/xml/features/xinclude", true);
++ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ XMLReader xr = spf.newSAXParser().getXMLReader();
+ return xr;
+ }
+Index: fop-1.1.dfsg/src/java/org/apache/fop/servlet/FopServlet.java
+===================================================================
+--- fop-1.1.dfsg.orig/src/java/org/apache/fop/servlet/FopServlet.java 2017-05-04 12:56:26.055051440 -0400
++++ fop-1.1.dfsg/src/java/org/apache/fop/servlet/FopServlet.java 2017-05-04 12:56:26.055051440 -0400
+@@ -89,6 +89,8 @@ public class FopServlet extends HttpServ
+ public void init() throws ServletException {
+ this.uriResolver = new ServletContextURIResolver(getServletContext());
+ this.transFactory = TransformerFactory.newInstance();
++ transFactory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
++ transFactory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
+ this.transFactory.setURIResolver(this.uriResolver);
+ //Configure FopFactory as desired
+ this.fopFactory = 
FopFactory.newInstance();
diff -Nru fop-1.1.dfsg/debian/patches/series fop-1.1.dfsg/debian/patches/series
--- fop-1.1.dfsg/debian/patches/series 2012-11-03 14:37:46.000000000 +0000
+++ fop-1.1.dfsg/debian/patches/series 2017-05-04 16:56:24.000000000 +0000
@@ -1,2 +1,3 @@
 04_fixqdoxbuildfailure.patch
 fixbuildxml.patch
+CVE-2017-5661.patch
diff -Nru fop-1.1.dfsg/debian/rules fop-1.1.dfsg/debian/rules
--- fop-1.1.dfsg/debian/rules 2012-01-10 17:38:17.000000000 +0000
+++ fop-1.1.dfsg/debian/rules 2013-05-16 15:42:01.000000000 +0000
@@ -5,7 +5,7 @@
 include /usr/share/cdbs/1/class/ant.mk
 
 JAVA_HOME := /usr/lib/jvm/default-java
-DEB_JARS := batik-all xml-apis-ext batik-libs xml-apis avalon-framework xercesImpl xmlParserAPIs xalan2 junit commons-io commons-logging xmlgraphics-commons servlet-api-2.5 # ant-junit junit xmlunit
+DEB_JARS := batik-all xml-apis-ext batik-libs xml-apis avalon-framework xercesImpl xmlParserAPIs xalan2 junit commons-io commons-logging xmlgraphics-commons servlet-api-3.0 # ant-junit junit xmlunit
 DEB_ANT_BUILD_TARGET := package javadocs #junit #docs
 DEB_ANT_CLEAN_TARGET := distclean
 DEB_ANT_ARGS := -verbose
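Review bot: In the FopServlet half of the new patch, the two `transFactory.setAttribute(...)` calls are unguarded, and `TransformerFactory.setAttribute` throws `IllegalArgumentException` for a property the selected implementation does not recognise, so on a runtime where the factory resolves to a Xalan build that predates the JAXP `accessExternal*` properties (`xalan2` is on `DEB_JARS` in the rules hunk and `libxalan2-java` is in Build-Depends) `init()` would abort with an unexplained exception; `init()` itself continues outside the nested hunk. Failing closed is the right outcome, but it should surface as a `ServletException` carrying the cause, as in the fence below, and the changelog entry should record which XML stack the backport was verified against. On the InputHandler side, `disallow-doctype-decl` rejects every document carrying a DOCTYPE, internal subset included, which is stricter than the changelog's "disable external DTD resolution" wording and is a user-visible CLI change worth stating there; the `xinclude` feature left enabled on the same parser presumably still resolves hrefs, which may be acceptable for locally supplied CLI input but should be confirmed. As a point of style, the new servlet lines spell out the property URIs where `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` (`javax.xml.XMLConstants`, Java 7+) exist, and drop the `this.` qualifier the neighbouring lines use.
```java
this.transFactory = TransformerFactory.newInstance();
try {
    // Block external DTD and stylesheet fetches during transformation (CVE-2017-5661).
    this.transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    this.transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException e) {
    // Fail closed: an XML stack that cannot restrict external access must not serve requests.
    throw new ServletException(
            "TransformerFactory does not support restricting external DTD/stylesheet access", e);
}
// … unchanged: setURIResolver and FopFactory setup …
```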