!28 [sync] PR-25: Fix CVE-2024-28168

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

Remove-the-mif-parameter-in-the-help-message.patch

@@ -0,0 +1,20 @@
+diff -Nur a/fop-core/src/main/java/org/apache/fop/cli/CommandLineOptions.java b/fop-core/src/main/java/org/apache/fop/cli/CommandLineOptions.java
+--- a/fop-core/src/main/java/org/apache/fop/cli/CommandLineOptions.java	2017-04-03 19:23:57.000000000 +0800
++++ b/fop-core/src/main/java/org/apache/fop/cli/CommandLineOptions.java	2023-09-16 09:21:10.478347745 +0800
+@@ -1183,7 +1183,7 @@
+     public static void printUsage(PrintStream out) {
+         out.println(
+               "\nUSAGE\nfop [options] [-fo|-xml] infile [-xsl file] "
+-                    + "[-awt|-pdf|-mif|-rtf|-tiff|-png|-pcl|-ps|-txt|-at [mime]|-print] <outfile>\n"
++                    + "[-awt|-pdf|-rtf|-tiff|-png|-pcl|-ps|-txt|-at [mime]|-print] <outfile>\n"
+             + " [OPTIONS]  \n"
+             + "  -version          print FOP version and exit\n"
+             + "  -x                dump configuration settings  \n"
+@@ -1274,7 +1274,6 @@
+             + "  fop -xml foo.xml -xsl foo.xsl -pdf foo.pdf\n"
+             + "  fop -xml foo.xml -xsl foo.xsl -foout foo.fo\n"
+             + "  fop -xml - -xsl foo.xsl -pdf -\n"
+-            + "  fop foo.fo -mif foo.mif\n"
+             + "  fop foo.fo -rtf foo.rtf\n"
+             + "  fop foo.fo -print\n"
+             + "  fop foo.fo -awt\n");

Update-to-newer-batik.patch

@@ -0,0 +1,27 @@
+From d5b0798c2b6bd1aa8c65e5c744beb5d5096d1e54 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Tue, 15 Jan 2019 14:18:05 +0000
+Subject: [PATCH] Update to newer batik
+
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/fop/trunk@1851362 13f79535-47bb-0310-9956-ffa450edef68
+
+Origin:
+https://github.com/apache/xmlgraphics-fop/commit/d5b0798c2b6bd1aa8c65e5c744beb5d5096d1e54
+---
+ .../java/org/apache/fop/svg/SVGUtilities.java |   2 +-
+ fop/lib/batik-all-1.11.0-SNAPSHOT.jar         | Bin 4292764 -> 4288813 bytes
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fop-core/src/main/java/org/apache/fop/svg/SVGUtilities.java b/fop-core/src/main/java/org/apache/fop/svg/SVGUtilities.java
+index d75aa209988..31d39d96efc 100644
+--- a/fop-core/src/main/java/org/apache/fop/svg/SVGUtilities.java
++++ b/fop-core/src/main/java/org/apache/fop/svg/SVGUtilities.java
+@@ -29,7 +29,7 @@
+ import org.w3c.dom.Element;
+ 
+ import org.apache.batik.anim.dom.SVGDOMImplementation;
+-import org.apache.batik.util.XMLConstants;
++import org.apache.batik.constants.XMLConstants;
+ 
+ /**
+  * Some utilities for creating svg DOM documents and elements.

backport-CVE-2024-28168.patch

@@ -0,0 +1,29 @@
+From d96ba9a11710d02716b6f4f6107ebfa9ccec7134 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Tue, 5 Mar 2024 11:28:18 +0000
+Subject: [PATCH] FOP-3168: Add secure processing for XSL input
+
+---
+ fop-core/src/main/java/org/apache/fop/cli/InputHandler.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
+index 6d99bbe40f5..fb72762e91b 100644
+--- a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
++++ b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
+@@ -26,6 +26,7 @@
+ import java.lang.reflect.InvocationTargetException;
+ import java.util.Vector;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.ParserConfigurationException;
+ import javax.xml.parsers.SAXParserFactory;
+ import javax.xml.transform.ErrorListener;
+@@ -265,6 +266,7 @@ protected void transformTo(Result result) throws FOPException {
+         try {
+             // Setup XSLT
+             TransformerFactory factory = TransformerFactory.newInstance();
++            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+             Transformer transformer;
+ 
+             Source xsltSource = createXSLTSource();

fop.spec

@@ -1,10 +1,10 @@
 Name:           fop
 Version:        2.2
-Release:        4
+Release:        9
 Summary:        Formatter for printing XSL-driven XML Files
-License:        ASL 2.0 and ASL 1.1
+License:        BSD and Apache-2.0 and MIT and Apache-1.1
 URL:            https://xmlgraphics.apache.org/fop
-Source0:        https://www.apache.org/dist/xmlgraphics/%{name}/source/%{name}-%{version}-src.tar.gz
+Source0:        https://archive.apache.org/dist/xmlgraphics/fop/source/%{name}-%{version}-src.tar.gz
 Source1:        https://www.apache.org/licenses/LICENSE-1.1.txt
 Source2:        batik-pdf-MANIFEST.MF
 Source3:        %{name}.script
@@ -14,6 +14,11 @@ Patch0001:      Disable-javadoc-doclint.patch
 Patch0002:      Port-to-QDox-2.0.patch
 Patch0003:      Allow-javascript-in-javadoc.patch
 Patch0004:      Non-free-colour-profile-was-removed.patch
+Patch0005:      Update-to-newer-batik.patch
+Patch0006:      Remove-the-mif-parameter-in-the-help-message.patch
+
+Patch3000:      backport-CVE-2024-28168.patch
+
 BuildRequires:  ant apache-commons-io apache-commons-logging avalon-framework
 BuildRequires:  batik fontbox javapackages-local junit qdox servlet
 BuildRequires:  xmlunit xmlgraphics-commons >= 1.5
@@ -82,5 +87,20 @@ install -D -p -m 644 %{SOURCE4} %{buildroot}%{_mavenpomdir}/JPP-%{name}.pom
 
 
 %changelog
+* Thu Oct 10 2024 yaoxin <yao_xin001@hoperun.com> - 2.2-9
+- Fix CVE-2024-28168
+
+* Sat Sep 16 2023 liyanan <thistleslyn@163.com> - 2.2-8
+- Remove the mif parameter in the help message
+
+* Fri Sep 08 2023 yaoxin <yao_xin001@hoperun.com> - 2.2-7
+- Fix build failure caused by batik upgrade to 1.17
+
+* Mon Nov 21 2022 xu_ping <xuping33@h-partners.com> - 2.2-6
+- Modify invalid source
+
+* Mon Jan 18 2021 caodongxia <caodongxia@huawei.com> - 2.2-5
+- Modify license information.
+
 * Tue Dec 10 2019 huyan <hu.huyan@huawei.com> - 2.2-4
 - Package Initialization