Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tuxguitar for openSUSE:Factory 
checked in at 2023-10-12 23:41:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tuxguitar (Old)
 and      /work/SRC/openSUSE:Factory/.tuxguitar.new.1807 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tuxguitar"

Thu Oct 12 23:41:46 2023 rev:12 rq:1117171 version:1.6.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/tuxguitar/tuxguitar.changes      2023-10-12 
11:59:28.998649600 +0200
+++ /work/SRC/openSUSE:Factory/.tuxguitar.new.1807/tuxguitar.changes    
2023-10-12 23:43:08.691147007 +0200
@@ -1,0 +2,18 @@
+Thu Oct 12 06:49:30 UTC 2023 - Fridrich Å trba <fst...@suse.com>
+
+- Added patch:
+  * tuxguitar-CVE-2020-13940.patch
+    + fix bsc#1173633 (CVE-2020-14940): improper configuration of
+      XML parsers might lead to XXE while loading GP6 (.gpx) and
+      GP7 (.gp) tablature files
+
+-------------------------------------------------------------------
+Thu Oct 12 05:21:31 UTC 2023 - Fridrich Strba <fst...@suse.com>
+
+- Package also a sample tuxguitar.tg file
+- Modified patch:
+  * 0013-startscript.patch
+    + compose the CLASSPATH jar by jar, since wildcards are not
+      working for CLASSPATH variable
+
+-------------------------------------------------------------------

New:
----
  tuxguitar-CVE-2020-13940.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tuxguitar.spec ++++++
--- /var/tmp/diff_new_pack.bnqQmB/_old  2023-10-12 23:43:10.471211442 +0200
+++ /var/tmp/diff_new_pack.bnqQmB/_new  2023-10-12 23:43:10.475211587 +0200
@@ -65,6 +65,7 @@
 Patch20:        0012-default-soundfont.patch
 Patch21:        0013-startscript.patch
 Patch22:        0014-desktop.patch
+Patch30:        tuxguitar-CVE-2020-13940.patch
 BuildRequires:  alsa-devel
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
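Review bot: `Patch30` is named `tuxguitar-CVE-2020-13940.patch` while the .changes entry, the embedded patch's subject and its body all reference CVE-2020-14940, so the file name points to a different CVE id than the one the patch fixes and will mislead anyone auditing the package for either id. Rename the file and update the `Patch30:` line and the .changes entry to `tuxguitar-CVE-2020-14940.patch` before the wrong name is cemented into the package history.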
@@ -133,6 +134,8 @@
 %patch21 -p1
 %patch22 -p1
 
+%patch30 -p1
+
 %pom_xpath_remove "pom:profile[pom:id[text()='platform-windows-swt-all']]"
 %pom_xpath_remove "pom:profile[pom:id[text()='platform-macos-swt-cocoa-64']]"
 %pom_xpath_remove "pom:profile[pom:id[text()='platform-freebsd-swt-x86_64']]"
@@ -158,7 +161,7 @@
 
 # Launch script
 mkdir -p %{buildroot}/%{_bindir}
-cp -a build-scripts/common-resources/common-linux/tuxguitar.sh 
%{buildroot}/%{_bindir}/%{name}
+cat build-scripts/common-resources/common-linux/tuxguitar.sh | sed 
's#@LIBDIR@#%{_libdir}#g' > %{buildroot}/%{_bindir}/%{name}
 
 # Fix permissions
 chmod 755 %{buildroot}/%{_bindir}/%{name}
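Review bot: `cat build-scripts/common-resources/common-linux/tuxguitar.sh | sed 's#@LIBDIR@#%{_libdir}#g' > …` pipes through cat for no reason; `sed 's#@LIBDIR@#%{_libdir}#g' build-scripts/common-resources/common-linux/tuxguitar.sh > %{buildroot}/%{_bindir}/%{name}` does the same in one process. Unlike the replaced `cp -a`, the redirect does not carry the source file's mode, but the `chmod 755` two lines below already covers that, so no functional change is lost.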
@@ -171,6 +174,7 @@
 # data files
 mkdir -p %{buildroot}/%{_datadir}/%{name}
 cp -a TuxGuitar/share/* %{buildroot}/%{_datadir}/%{name}
+cp -a misc/tuxguitar.tg %{buildroot}/%{_datadir}/%{name}
 cp -a 
build-scripts/%{name}-linux-swt-%{bit}/target/%{name}-%{version}-linux-swt-%{bit}/dist/*
 %{buildroot}/%{_datadir}/%{name}
 
 # desktop files

++++++ 0013-startscript.patch ++++++
--- /var/tmp/diff_new_pack.bnqQmB/_old  2023-10-12 23:43:10.527213470 +0200
+++ /var/tmp/diff_new_pack.bnqQmB/_new  2023-10-12 23:43:10.527213470 +0200
@@ -1,17 +1,17 @@
-From b135bbd92d7753b2ac94634c6248efe1cfd376e1 Mon Sep 17 00:00:00 2001
+From 4fb1777834e863a14cfb8ca1ab08c8d4a8a1651c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <fridrich.st...@bluewin.ch>
 Date: Tue, 10 Oct 2023 13:06:25 +0200
 Subject: [PATCH 13/14] startscript
 
 ---
- .../common-linux/tuxguitar.sh                 | 61 ++++++++++++++++---
- 1 file changed, 54 insertions(+), 7 deletions(-)
+ .../common-linux/tuxguitar.sh                 | 148 +++++++++++++++++-
+ 1 file changed, 141 insertions(+), 7 deletions(-)
 
 diff --git a/build-scripts/common-resources/common-linux/tuxguitar.sh 
b/build-scripts/common-resources/common-linux/tuxguitar.sh
-index a213786a..348848bb 100755
+index a213786a..62a895d1 100755
 --- a/build-scripts/common-resources/common-linux/tuxguitar.sh
 +++ b/build-scripts/common-resources/common-linux/tuxguitar.sh
-@@ -1,20 +1,67 @@
+@@ -1,20 +1,154 @@
  #!/bin/sh
 -##SCRIPT DIR
 -TG_DIR=`dirname $(realpath "$0")`
@@ -61,12 +61,99 @@
  JAVA=`which java`
  ##LIBRARY_PATH
 -LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:${TG_DIR}/lib/
-+LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib64/tuxguitar
++LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:@LIBDIR@/tuxguitar
  ##CLASSPATH
 -CLASSPATH=${CLASSPATH}:${TG_DIR}/lib/*
 -CLASSPATH=${CLASSPATH}:${TG_DIR}/share/
 -CLASSPATH=${CLASSPATH}:${TG_DIR}/dist/
-+CLASSPATH=/usr/share/java/tuxguitar/tuxguitar.jar:/usr/share/java/tuxguitar/*:
++PACKAGE=${PACKAGE:=tuxguitar}
++PACKAGE_HOME=${PACKAGE_HOME:=/usr/share/java/${PACKAGE}/}
++t="${PACKAGE_HOME}/${PACKAGE}.jar"
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-alsa.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ascii.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-awt-graphics.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-browser-ftp.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-community.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-compat.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-converter.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-debug-helper.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-editor-utils.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-fluidsynth.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gm-settings.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gm-utils.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gpx.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gtp.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gtp-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-image.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jack.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jack-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jsa.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lib.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lilypond.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lilypond-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-midi.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-midi-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-musicxml.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-pdf.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-pdf-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ptb.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-svg.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-export.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-lv2.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-vst.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tef.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tray.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tuner.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ui-toolkit.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ui-toolkit-swt.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-viewer.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
 +t=$(itext_pdf_guess_)
 +[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
 +t=$(itext_xmlworker_guess_)
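Review bot: Every `CLASSPATH=${CLASSPATH}:$t` line prepends a colon even when CLASSPATH is empty or unset, so the resulting value starts with an empty element, which the JVM treats as the current working directory; `LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:@LIBDIR@/tuxguitar` has the same effect for the dynamic loader. Appending only when the variable is already non-empty (`${CLASSPATH:+${CLASSPATH}:}$t`, and likewise for LD_LIBRARY_PATH) removes the implicit cwd entry, and the 45 near-identical `t=…` / `[ -r "$t" ] && …` pairs collapse into a small POSIX helper plus a loop over the module suffixes, which also makes the next added jar a one-word change. The default `PACKAGE_HOME` already ends in `/` and every path appends another, producing `//` in the classpath; harmless but untidy. The script continues past this hunk, and the itext entries that follow use the same pattern and would use the same helper.
```shell
# … unchanged: PACKAGE / PACKAGE_HOME defaults …
# Append a jar only if readable, and only add a separator when CLASSPATH
# is already non-empty (an empty element would mean the current directory).
add_jar_() {
    [ -r "$1" ] || return 0
    CLASSPATH=${CLASSPATH:+${CLASSPATH}:}$1
}
add_jar_ "${PACKAGE_HOME}/${PACKAGE}.jar"
for m in alsa ascii awt-graphics browser-ftp community compat converter \
         debug-helper editor-utils fluidsynth gervill gm-settings gm-utils gpx \
         gtp gtp-ui image jack jack-ui jsa lib lilypond lilypond-ui midi midi-ui \
         musicxml pdf pdf-ui ptb svg synth synth-export synth-gervill synth-lv2 \
         synth-vst tef tray tuner ui-toolkit ui-toolkit-swt viewer; do
    add_jar_ "${PACKAGE_HOME}/${PACKAGE}-${m}.jar"
done
add_jar_ "${PACKAGE_HOME}/gervill.jar"
# … unchanged: itext_pdf_guess_ / itext_xmlworker_guess_ entries …
```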

++++++ tuxguitar-CVE-2020-13940.patch ++++++
>From bcaa280e93b0d67dc6f903b6e23a051a7894ba0c Mon Sep 17 00:00:00 2001
From: guiv42 <129443524+gui...@users.noreply.github.com>
Date: Tue, 10 Oct 2023 23:02:29 +0200
Subject: [PATCH] fix CVE-2020-14940

see:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14940
https://sourceforge.net/p/tuxguitar/bugs/126/
https://bugzilla.opensuse.org/show_bug.cgi?id=1173633
https://logicaltrust.net/blog/2020/06/tuxguitar.html
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Issue could be reproduced on Linux before the fix, as described by
sourceforge page listed above
note: needed to de-activate firewall to reproduce issue
Not all TuxGuitar files mentioned on that page have been modified, as some
of them do not parse input XML files, so they should not be affected by the
vulnerability:
- TuxGuitar-musicxml/src/org/herac/tuxguitar/io/musicxml/MusicXMLWriter.java
- 
TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingWriter.java
- TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserWriter.java

note: protection does not seem to be supported on Android, so just try to
activate it, and ignore if it fails (or else Android version can no more
open .gp and .gpx files)
basically: this patch doesn't provide full coverage

also (independent from CVE):
GPXDocumentReader: removed warnings from deprecated Integer constructors
---
 .../community/browser/TGBrowserResponse.java  |  6 +++
 .../community/io/TGShareSongResponse.java     |  6 +++
 .../editor/template/TGTemplateReader.java     |  6 +++
 .../tuxguitar/io/gpx/GPXDocumentReader.java   | 38 +++++++++++--------
 .../keybindings/xml/KeyBindingReader.java     | 12 ++++++
 .../tools/browser/xml/TGBrowserReader.java    |  7 +++-
 .../app/tools/scale/xml/ScaleReader.java      |  7 +++-
 .../dialog/chord/xml/TGChordXMLReader.java    |  6 +++
 8 files changed, 71 insertions(+), 17 deletions(-)

diff --git 
a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
 
b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
index f82415584..d515446eb 100644
--- 
a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
+++ 
b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
@@ -35,6 +35,12 @@ public TGBrowserResponse( InputStream stream ) throws 
Throwable {
        
        private void initialize(InputStream stream) throws Throwable {
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                DocumentBuilder builder = factory.newDocumentBuilder();
                this.document = builder.parse(stream);
        }
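Review bot: The hardening in `initialize` is applied best-effort and `catch (Throwable throwable) {}` hides its failure, so on a parser that rejects `disallow-doctype-decl` the stream is still parsed with DTDs and external entities enabled and nothing records it; the same block is pasted into TGShareSongResponse, TGTemplateReader, GPXDocumentReader, both KeyBindingReader.getDocument overloads, TGBrowserReader, ScaleReader and TGChordXMLReader. Catch the `ParserConfigurationException` that `setFeature` declares, fall back to the narrower external-entity features plus `XMLConstants.FEATURE_SECURE_PROCESSING`, add `setExpandEntityReferences(false)`, and log a warning in the fallback path so the weaker configuration is visible (the OWASP cheat sheet the patch cites recommends that combination; in the overloads that do not declare `throws`, each fallback call needs its own catch). Since eight files repeat the block, a shared factory helper in a module they all depend on (presumably TuxGuitar-lib; verify) would keep the policy in one place. As rendered here the feature string is followed by a stray `;` (`"…disallow-doctype-decl";, true`); that looks like a mail-archive URL artifact, but confirm it is not in the patch file, since it would not compile.
```java
// CVE-2020-14940: refuse DTDs outright; where the parser cannot do that
// (e.g. Android), fall back to disabling external entities instead of
// silently continuing unprotected.
try {
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
} catch (ParserConfigurationException e) {
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
}
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
// … unchanged: newDocumentBuilder / parse …
```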
diff --git 
a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
 
b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
index 67dbabb03..39c33bcaf 100644
--- 
a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
+++ 
b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
@@ -28,6 +28,12 @@ public TGShareSongResponse( InputStream stream ) throws 
Throwable {
        
        private void initialize(InputStream stream) throws Throwable {
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                DocumentBuilder builder = factory.newDocumentBuilder();
                this.document = builder.parse(stream);
        }
diff --git 
a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
 
b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
index 439eef348..24688b16d 100644
--- 
a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
+++ 
b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
@@ -51,6 +51,12 @@ private void loadTemplates(List<TGTemplate> templates,Node 
node) throws Throwabl
        private Document createDocument(InputStream stream) throws Throwable {
                Document document = null;
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                
                DocumentBuilder builder = factory.newDocumentBuilder();
                document = builder.parse(stream);
diff --git 
a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java 
b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
index a8b869f28..5232fa6a2 100644
--- a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
+++ b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
@@ -35,8 +35,16 @@ public GPXDocumentReader(InputStream stream, Integer 
version) throws GPXFormatEx
        }
        
        private Document getDocument(InputStream stream) {
+               DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+               // CVE-2020-14940
                try {
-                       return 
DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
+               
+               try {
+                       return factory.newDocumentBuilder().parse(stream);
                } catch (Throwable throwable) {
                        throw new GPXFormatException("Invalid file format", 
throwable);
                }
@@ -309,25 +317,25 @@ public void readBeats(){
                                                                        
beat.setWhammyBarEnabled( getChildNode(propertyNode, "Enable") != null );
                                                                }
                                                                if( 
propertyName.equals("WhammyBarOriginValue") ){
-                                                                       
beat.setWhammyBarOriginValue( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
beat.setWhammyBarOriginValue( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("WhammyBarMiddleValue") ){
-                                                                       
beat.setWhammyBarMiddleValue( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
beat.setWhammyBarMiddleValue( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("WhammyBarDestinationValue") ){
-                                                                       
beat.setWhammyBarDestinationValue( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
beat.setWhammyBarDestinationValue( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("WhammyBarOriginOffset") ){
-                                                                       
beat.setWhammyBarOriginOffset( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
beat.setWhammyBarOriginOffset( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("WhammyBarMiddleOffset1") ){
-                                                                       
beat.setWhammyBarMiddleOffset1( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
beat.setWhammyBarMiddleOffset1( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("WhammyBarMiddleOffset2") ){
-                                                                       
beat.setWhammyBarMiddleOffset2( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
beat.setWhammyBarMiddleOffset2( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("WhammyBarDestinationOffset") ){
-                                                                       
beat.setWhammyBarDestinationOffset( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
beat.setWhammyBarDestinationOffset( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("Brush") ){
                                                                        
beat.setBrush( getChildNodeContent(propertyNode, "Direction") );
@@ -408,25 +416,25 @@ public void readNotes(){
                                                                        
note.setBendEnabled( getChildNode(propertyNode, "Enable") != null );
                                                                }
                                                                if( 
propertyName.equals("BendOriginValue") ){
-                                                                       
note.setBendOriginValue( new Integer(getChildNodeIntegerContent(propertyNode, 
"Float")) );
+                                                                       
note.setBendOriginValue( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("BendMiddleValue") ){
-                                                                       
note.setBendMiddleValue( new Integer(getChildNodeIntegerContent(propertyNode, 
"Float")) );
+                                                                       
note.setBendMiddleValue( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("BendDestinationValue") ){
-                                                                       
note.setBendDestinationValue( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
note.setBendDestinationValue( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("BendOriginOffset") ){
-                                                                       
note.setBendOriginOffset( new Integer(getChildNodeIntegerContent(propertyNode, 
"Float")) );
+                                                                       
note.setBendOriginOffset( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("BendMiddleOffset1") ){
-                                                                       
note.setBendMiddleOffset1( new Integer(getChildNodeIntegerContent(propertyNode, 
"Float")) );
+                                                                       
note.setBendMiddleOffset1( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("BendMiddleOffset2") ){
-                                                                       
note.setBendMiddleOffset2( new Integer(getChildNodeIntegerContent(propertyNode, 
"Float")) );
+                                                                       
note.setBendMiddleOffset2( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("BendDestinationOffset") ){
-                                                                       
note.setBendDestinationOffset( new 
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+                                                                       
note.setBendDestinationOffset( 
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
                                                                }
                                                                if( 
propertyName.equals("HopoOrigin") ){
                                                                        
note.setHammer(true);
diff --git 
a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
 
b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
index 55beeefb0..ed87fd535 100644
--- 
a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
+++ 
b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
@@ -52,6 +52,12 @@ public static List<KeyBindingAction> 
getKeyBindings(InputStream is) {
        private static Document getDocument(InputStream is) {
                Document document = null;
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                try {
                        DocumentBuilder builder = factory.newDocumentBuilder();
                        document = builder.parse(is);
@@ -69,6 +75,12 @@ private static Document getDocument(InputStream is) {
        private static Document getDocument(File file) {
                Document document = null;
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                try {
                        DocumentBuilder builder = factory.newDocumentBuilder();
                        document = builder.parse(file);
diff --git 
a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java 
b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
index 7c4c0e2ab..1303bc16a 100644
--- 
a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
+++ 
b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
@@ -59,7 +59,12 @@ private static void loadCollections(TGBrowserManager 
manager,Node node){
        private static Document getDocument(File file) throws 
ParserConfigurationException, SAXException, IOException {
                Document document = null;
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
-               
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                DocumentBuilder builder = factory.newDocumentBuilder();
                document = builder.parse(file);
                
diff --git 
a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java 
b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
index 44a263fb2..26f0a6d16 100644
--- a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
+++ b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
@@ -34,7 +34,12 @@ public void loadScales(List<ScaleInfo> scales,InputStream 
stream){
        private static Document getDocument(InputStream stream) throws 
ParserConfigurationException, SAXException, IOException {
                Document document = null;
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
-               
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                DocumentBuilder builder = factory.newDocumentBuilder();
                document = builder.parse(stream);
                
diff --git 
a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
 
b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
index abf94e056..c06c04dae 100644
--- 
a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
+++ 
b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
@@ -36,6 +36,12 @@ public static List<TGChord> getChords(String fileName) {
        private static Document getDocument(File file) {
                Document document = null;
                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+               // CVE-2020-14940
+               try {
+                       
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+                       factory.setXIncludeAware(false);
+               } catch (Throwable throwable) {
+               }
                try {
                        DocumentBuilder builder = factory.newDocumentBuilder();
                        document = builder.parse(file);
