[AUTO-CHERRYPICK] CVE-2022-34169: docbook-style-xsl - upgrade embedded xalan jar from 2.7.2 to 2.7.3 (fasttrrack/2.0) - branch main (#9308)

Co-authored-by: bfjelds <bfjelds@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json

@@ -1,5 +1,6 @@
 {
  "Signatures": {
-  "docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968"
+  "docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968",
+  "xalan-j_2_7_3-bin.tar.gz": "c3a36e027f91acbec3f2139343a4798a943f8b2957aab1cfb2eb57f4aeadccbc"  
  }
 }

SPECS/docbook-style-xsl/docbook-style-xsl.spec

@@ -1,13 +1,15 @@
 Summary:        Docbook-xsl-1.79.1
 Name:           docbook-style-xsl
 Version:        1.79.1
-Release:        13%{?dist}
-License:        ASL 2.0
+Release:        14%{?dist}
+License:        DMIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Tools
 URL:            https://www.docbook.org
 Source0:        http://downloads.sourceforge.net/docbook/docbook-xsl-%{version}.tar.bz2
+# CVE-2022-34169: xalan 2.7.2 has security issue that is solved in 2.7.3
+Source1:        https://dlcdn.apache.org/xalan/xalan-j/binaries/xalan-j_2_7_3-bin.tar.gz
 BuildRequires:  libxml2
 BuildRequires:  zip
 Requires:       docbook-dtd-xml
@@ -24,6 +26,12 @@ allowing you to utilize transformations already written for that standard.
 
 %prep
 %setup -q -n docbook-xsl-%{version}
+# CVE-2022-34169: xalan 2.7.2 has security issue that is solved by 2.7.3,
+# so replace the embedded jar files in docbook-xsl release before continuing
+mkdir ./CVE-2022-34169
+tar -xf %{SOURCE1} -C ./CVE-2022-34169
+mv ./CVE-2022-34169/xalan-j_2_7_3/*.jar ./tools/lib/.
+rm -rf ./CVE-2022-34169
 
 %build
 zip -d tools/lib/jython.jar Lib/distutils/command/wininst-6.exe
@@ -102,6 +110,10 @@ fi
 %{_docdir}/*
 
 %changelog
+* Mon Jun 03 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.79.1-14
+- Fix CVE-2022-34169 by using newer release of xalan
+- License should be DMIT. License verified
+
 * Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.79.1-10
 - Added %%license line automatically
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -197,7 +197,7 @@ createrepo_c-0.17.5-1.cm2.aarch64.rpm
 libxml2-2.10.4-3.cm2.aarch64.rpm
 libxml2-devel-2.10.4-3.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
-docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
+docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm
 glib-2.71.0-2.cm2.aarch64.rpm
 libltdl-2.4.6-8.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -197,7 +197,7 @@ createrepo_c-0.17.5-1.cm2.x86_64.rpm
 libxml2-2.10.4-3.cm2.x86_64.rpm
 libxml2-devel-2.10.4-3.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
-docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
+docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm
 glib-2.71.0-2.cm2.x86_64.rpm
 libltdl-2.4.6-8.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -56,7 +56,7 @@ debugedit-debuginfo-5.0-2.cm2.aarch64.rpm
 diffutils-3.8-2.cm2.aarch64.rpm
 diffutils-debuginfo-3.8-2.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
-docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
+docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 dwz-debuginfo-0.14-2.cm2.aarch64.rpm
 e2fsprogs-1.46.5-3.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -59,7 +59,7 @@ debugedit-debuginfo-5.0-2.cm2.x86_64.rpm
 diffutils-3.8-2.cm2.x86_64.rpm
 diffutils-debuginfo-3.8-2.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
-docbook-style-xsl-1.79.1-13.cm2.noarch.rpm
+docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 dwz-debuginfo-0.14-2.cm2.x86_64.rpm
 e2fsprogs-1.46.5-3.cm2.x86_64.rpm