Fix possible denial of service attack on untrusted input

- Resolves: rhbz#2316397

0001-CVE-2024-47554-Better-regular-expression.patch

@@ -0,0 +1,35 @@
+From b26442018a67f4167aebd27c1f372ea4f7f35b45 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <garydgregory@gmail.com>
+Date: Mon, 24 Jul 2023 09:28:03 -0400
+Subject: [PATCH] CVE-2024-47554 Better regular expression
+
+---
+ .../org/apache/commons/io/input/XmlStreamReader.java     | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/apache/commons/io/input/XmlStreamReader.java b/src/main/java/org/apache/commons/io/input/XmlStreamReader.java
+index d5615004..d6b299e3 100644
+--- a/src/main/java/org/apache/commons/io/input/XmlStreamReader.java
++++ b/src/main/java/org/apache/commons/io/input/XmlStreamReader.java
+@@ -114,10 +114,17 @@ public class XmlStreamReader extends Reader {
+ 
+     /**
+      * Pattern capturing the encoding of the "xml" processing instruction.
++     * <p>
++     * See also the <a href="https://www.w3.org/TR/2008/REC-xml-20081126/#NT-EncName">XML specification</a>.
++     * </p>
+      */
+     public static final Pattern ENCODING_PATTERN = Pattern.compile(
+-            "<\\?xml.*encoding[\\s]*=[\\s]*((?:\".[^\"]*\")|(?:'.[^']*'))",
++    // @formatter:off
++            "^<\\?xml\\s+"
++            + "version\\s*=\\s*(?:(?:\"1\\.[0-9]+\")|(?:'1.[0-9]+'))\\s+"
++            + "encoding\\s*=\\s*((?:\"[A-Za-z]([A-Za-z0-9\\._]|-)*\")|(?:'[A-Za-z]([A-Za-z0-9\\\\._]|-)*'))",
+             Pattern.MULTILINE);
++    // @formatter:on
+ 
+     private static final String RAW_EX_1 =
+         "Invalid encoding, BOM [{0}] XML guess [{1}] XML prolog [{2}] encoding mismatch";
+-- 
+2.46.2
+

apache-commons-io.spec

@@ -3,7 +3,7 @@
 Name:           apache-commons-io
 Epoch:          1
 Version:        2.11.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Utilities to assist with developing IO functionality
 License:        ASL 2.0
 URL:            https://commons.apache.org/io
@@ -12,6 +12,8 @@ ExclusiveArch:  %{java_arches} noarch
 
 Source0:        https://archive.apache.org/dist/commons/io/source/commons-io-%{version}-src.tar.gz
 
+Patch0:         0001-CVE-2024-47554-Better-regular-expression.patch
+
 %if %{with bootstrap}
 BuildRequires:  javapackages-bootstrap-openjdk8
 %else
@@ -32,6 +34,7 @@ to assist with developing IO functionality.
 
 %prep
 %setup -q -n commons-io-%{version}-src
+%patch 0 -p1
 sed -i 's/\r//' *.txt
 
 # Run tests in multiple reusable forks to improve test performance
@@ -72,6 +75,10 @@ sed -i '/DefaultLocale/d' src/test/java/org/apache/commons/io/input/XmlStreamRea
 %doc RELEASE-NOTES.txt
 
 %changelog
+* Fri Oct 04 2024 Mikolaj Izdebski <mizdebsk@redhat.com>
+- Fix possible denial of service attack on untrusted input
+- Resolves: rhbz#2316397
+
 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.11.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild