From d00ffcce1cf2cc8aa0480a2c29cfaab1b4adae61 Mon Sep 17 00:00:00 2001
From: jialei
Date: Mon, 7 Dec 2020 18:21:42 +0800
Subject: [PATCH] deal CVE-2016-7051
---
CVE-2016-7051.patch | 39 +++++++++++++++++++++++++++++++++++++
jackson-dataformat-xml.spec | 10 ++++++++--
2 files changed, 47 insertions(+), 2 deletions(-)
create mode 100644 CVE-2016-7051.patch
diff --git a/CVE-2016-7051.patch b/CVE-2016-7051.patch
new file mode 100644
index 0000000..9379a26
--- /dev/null
+++ b/CVE-2016-7051.patch
@@ -0,0 +1,39 @@
+From eeff2c312e9d4caa8c9f27b8f740c7529d00524a Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Mon, 26 Sep 2016 20:11:18 -0700
+Subject: [PATCH] prepare for 2.7.8
+
+---
+ .../xml/failing/SupportDTDDefaultsTest.java | 23 +++++++++++++++++++
+ 1 files changed, 23 insertions(+)
+ create mode 100644 src/test/java/com/fasterxml/jackson/dataformat/xml/failing/SupportDTDDefaultsTest.java
+
+diff --git a/src/test/java/com/fasterxml/jackson/dataformat/xml/failing/SupportDTDDefaultsTest.java b/src/test/java/com/fasterxml/jackson/dataformat/xml/failing/SupportDTDDefaultsTest.java
+new file mode 100644
+index 00000000..b28c68c0
+--- /dev/null
++++ b/src/test/java/com/fasterxml/jackson/dataformat/xml/failing/SupportDTDDefaultsTest.java
+@@ -0,0 +1,23 @@
++package com.fasterxml.jackson.dataformat.xml.failing;
++
++import java.util.Map;
++
++import com.fasterxml.jackson.dataformat.xml.*;
++
++// for [databind-xml#211]
++public class SupportDTDDefaultsTest extends XmlTestBase
++{
++ public void testDTDAttempt() throws Exception
++ {
++ XmlMapper mapper = new XmlMapper();
++ String XML = "\n"
++ +"";
++
++ try {
++ /*Map info =*/ mapper.readValue(XML, Map.class);
++ //At this point a GET request would have been sent to localhost:8001. You will see a Connection Refused in case you don't have a server listening there.
++ } catch (Exception e){
++ fail("Should not try to resolve external DTD subset: "+e);
++ }
++ }
++}
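Review bot: The nested patch touches no library code: its only file is the test `src/test/java/.../failing/SupportDTDDefaultsTest.java`, so wiring it in as `Patch0000` (spec hunks that follow) does not by itself change how `XmlMapper` handles an external DTD subset. Its subject is "prepare for 2.7.8" while the spec packages 2.9.8, so the hardening is presumably already in the packaged sources; if that is confirmed, the changelog line would be more accurate as `- add regression test for CVE-2016-7051 (fix already in upstream sources)`. The test is also weak evidence: it sits in a `failing` package, which may be excluded from the build's test run (verify against the pom), and it fails only when `readValue` throws, so it would still pass if something were listening on port 8001 and the DTD fetch succeeded. As displayed, the `XML` literal is just `"\n" + ""`, possibly an extraction artifact; without the DOCTYPE declaration the test exercises nothing and should be checked against the upstream file. A sturdier assertion is on configuration rather than on network behaviour, e.g. `assertEquals(Boolean.FALSE, mapper.getFactory().getXMLInputFactory().getProperty(XMLInputFactory.SUPPORT_DTD));`.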
diff --git a/jackson-dataformat-xml.spec b/jackson-dataformat-xml.spec index b4051c4..e86955e 100644 --- a/jackson-dataformat-xml.spec +++ b/jackson-dataformat-xml.spec @@ -1,10 +1,13 @@ Name: jackson-dataformat-xml Version: 2.9.8 -Release: 1 +Release: 2 Summary: Jackson extension component for reading and writing XML encoded data License: ASL 2.0 URL: https://github.com/FasterXML/jackson-dataformat-xml Source0: https://github.com/FasterXML/jackson-dataformat-xml/archive/%{name}-%{version}.tar.gz + +Patch0000: CVE-2016-7051.patch + BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind) >= %{version} @@ -29,7 +32,7 @@ Summary: Javadoc for %{name} This package contains API documentation for %{name}. %prep -%setup -q -n %{name}-%{name}-%{version} +%autosetup -n %{name}-%{name}-%{version} -p1 cp -p src/main/resources/META-INF/LICENSE . cp -p src/main/resources/META-INF/NOTICE . sed -i 's/\r//' LICENSE NOTICE @@ -50,5 +53,8 @@ sed -i 's/\r//' LICENSE NOTICE %license LICENSE NOTICE %changelog +* Mon Dec 7 2020 jialei - 2.9.8-2 +- deal cve-2016-7051 + * Sat Aug 15 2020 Ge Wang - 2.9.8-1 - Package init -- Gitee