Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tuxguitar for openSUSE:Factory
checked in at 2023-10-12 23:41:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tuxguitar (Old)
and /work/SRC/openSUSE:Factory/.tuxguitar.new.1807 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tuxguitar"
Thu Oct 12 23:41:46 2023 rev:12 rq:1117171 version:1.6.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/tuxguitar/tuxguitar.changes 2023-10-12
11:59:28.998649600 +0200
+++ /work/SRC/openSUSE:Factory/.tuxguitar.new.1807/tuxguitar.changes
2023-10-12 23:43:08.691147007 +0200
@@ -1,0 +2,18 @@
+Thu Oct 12 06:49:30 UTC 2023 - Fridrich Å trba <fst...@suse.com>
+
+- Added patch:
+ * tuxguitar-CVE-2020-13940.patch
+ + fix bsc#1173633 (CVE-2020-14940): improper configuration of
+ XML parsers might lead to XXE while loading GP6 (.gpx) and
+ GP7 (.gp) tablature files
+
+-------------------------------------------------------------------
+Thu Oct 12 05:21:31 UTC 2023 - Fridrich Strba <fst...@suse.com>
+
+- Package also a sample tuxguitar.tg file
+- Modified patch:
+ * 0013-startscript.patch
+ + compose the CLASSPATH jar by jar, since wildcards are not
+ working for CLASSPATH variable
+
+-------------------------------------------------------------------
New:
----
tuxguitar-CVE-2020-13940.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tuxguitar.spec ++++++
--- /var/tmp/diff_new_pack.bnqQmB/_old 2023-10-12 23:43:10.471211442 +0200
+++ /var/tmp/diff_new_pack.bnqQmB/_new 2023-10-12 23:43:10.475211587 +0200
@@ -65,6 +65,7 @@
Patch20: 0012-default-soundfont.patch
Patch21: 0013-startscript.patch
Patch22: 0014-desktop.patch
+Patch30: tuxguitar-CVE-2020-13940.patch
BuildRequires: alsa-devel
BuildRequires: fdupes
BuildRequires: gcc-c++
@@ -133,6 +134,8 @@
%patch21 -p1
%patch22 -p1
+%patch30 -p1
+
%pom_xpath_remove "pom:profile[pom:id[text()='platform-windows-swt-all']]"
%pom_xpath_remove "pom:profile[pom:id[text()='platform-macos-swt-cocoa-64']]"
%pom_xpath_remove "pom:profile[pom:id[text()='platform-freebsd-swt-x86_64']]"
@@ -158,7 +161,7 @@
# Launch script
mkdir -p %{buildroot}/%{_bindir}
-cp -a build-scripts/common-resources/common-linux/tuxguitar.sh
%{buildroot}/%{_bindir}/%{name}
+cat build-scripts/common-resources/common-linux/tuxguitar.sh | sed
's#@LIBDIR@#%{_libdir}#g' > %{buildroot}/%{_bindir}/%{name}
# Fix permissions
chmod 755 %{buildroot}/%{_bindir}/%{name}
@@ -171,6 +174,7 @@
# data files
mkdir -p %{buildroot}/%{_datadir}/%{name}
cp -a TuxGuitar/share/* %{buildroot}/%{_datadir}/%{name}
+cp -a misc/tuxguitar.tg %{buildroot}/%{_datadir}/%{name}
cp -a
build-scripts/%{name}-linux-swt-%{bit}/target/%{name}-%{version}-linux-swt-%{bit}/dist/*
%{buildroot}/%{_datadir}/%{name}
# desktop files
++++++ 0013-startscript.patch ++++++
--- /var/tmp/diff_new_pack.bnqQmB/_old 2023-10-12 23:43:10.527213470 +0200
+++ /var/tmp/diff_new_pack.bnqQmB/_new 2023-10-12 23:43:10.527213470 +0200
@@ -1,17 +1,17 @@
-From b135bbd92d7753b2ac94634c6248efe1cfd376e1 Mon Sep 17 00:00:00 2001
+From 4fb1777834e863a14cfb8ca1ab08c8d4a8a1651c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <fridrich.st...@bluewin.ch>
Date: Tue, 10 Oct 2023 13:06:25 +0200
Subject: [PATCH 13/14] startscript
---
- .../common-linux/tuxguitar.sh | 61 ++++++++++++++++---
- 1 file changed, 54 insertions(+), 7 deletions(-)
+ .../common-linux/tuxguitar.sh | 148 +++++++++++++++++-
+ 1 file changed, 141 insertions(+), 7 deletions(-)
diff --git a/build-scripts/common-resources/common-linux/tuxguitar.sh
b/build-scripts/common-resources/common-linux/tuxguitar.sh
-index a213786a..348848bb 100755
+index a213786a..62a895d1 100755
--- a/build-scripts/common-resources/common-linux/tuxguitar.sh
+++ b/build-scripts/common-resources/common-linux/tuxguitar.sh
-@@ -1,20 +1,67 @@
+@@ -1,20 +1,154 @@
#!/bin/sh
-##SCRIPT DIR
-TG_DIR=`dirname $(realpath "$0")`
@@ -61,12 +61,99 @@
JAVA=`which java`
##LIBRARY_PATH
-LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:${TG_DIR}/lib/
-+LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib64/tuxguitar
++LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:@LIBDIR@/tuxguitar
##CLASSPATH
-CLASSPATH=${CLASSPATH}:${TG_DIR}/lib/*
-CLASSPATH=${CLASSPATH}:${TG_DIR}/share/
-CLASSPATH=${CLASSPATH}:${TG_DIR}/dist/
-+CLASSPATH=/usr/share/java/tuxguitar/tuxguitar.jar:/usr/share/java/tuxguitar/*:
++PACKAGE=${PACKAGE:=tuxguitar}
++PACKAGE_HOME=${PACKAGE_HOME:=/usr/share/java/${PACKAGE}/}
++t="${PACKAGE_HOME}/${PACKAGE}.jar"
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-alsa.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ascii.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-awt-graphics.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-browser-ftp.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-community.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-compat.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-converter.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-debug-helper.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-editor-utils.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-fluidsynth.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gm-settings.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gm-utils.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gpx.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gtp.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-gtp-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-image.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jack.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jack-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jsa.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lib.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lilypond.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lilypond-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-midi.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-midi-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-musicxml.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-pdf.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-pdf-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ptb.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-svg.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-export.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-lv2.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-vst.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tef.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tray.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tuner.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ui-toolkit.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ui-toolkit-swt.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-viewer.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
+t=$(itext_pdf_guess_)
+[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
+t=$(itext_xmlworker_guess_)
++++++ tuxguitar-CVE-2020-13940.patch ++++++
>From bcaa280e93b0d67dc6f903b6e23a051a7894ba0c Mon Sep 17 00:00:00 2001
From: guiv42 <129443524+gui...@users.noreply.github.com>
Date: Tue, 10 Oct 2023 23:02:29 +0200
Subject: [PATCH] fix CVE-2020-14940
see:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14940
https://sourceforge.net/p/tuxguitar/bugs/126/
https://bugzilla.opensuse.org/show_bug.cgi?id=1173633
https://logicaltrust.net/blog/2020/06/tuxguitar.html
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Issue could be reproduced on Linux before the fix, as described by
sourceforge page listed above
note: needed to de-activate firewall to reproduce issue
Not all TuxGuitar files mentioned in this page have been modified, as some
of them do not parse input xml files. Then they should not be concerned by
vulnerability:
- TuxGuitar-musicxml/src/org/herac/tuxguitar/io/musicxml/MusicXMLWriter.java
-
TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingWriter.java
- TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserWriter.java
note: protection does not seem to be supported on Android, so just try to
activate it, and ignore if it fails (or else Android version can no more
open .gp and .gpx files)
basically: this patch doesn't provide full coverage
also (independent from CVE):
GPXDocumentReader: removed warnings from deprecated Integer constructors
---
.../community/browser/TGBrowserResponse.java | 6 +++
.../community/io/TGShareSongResponse.java | 6 +++
.../editor/template/TGTemplateReader.java | 6 +++
.../tuxguitar/io/gpx/GPXDocumentReader.java | 38 +++++++++++--------
.../keybindings/xml/KeyBindingReader.java | 12 ++++++
.../tools/browser/xml/TGBrowserReader.java | 7 +++-
.../app/tools/scale/xml/ScaleReader.java | 7 +++-
.../dialog/chord/xml/TGChordXMLReader.java | 6 +++
8 files changed, 71 insertions(+), 17 deletions(-)
diff --git
a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
index f82415584..d515446eb 100644
---
a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
+++
b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
@@ -35,6 +35,12 @@ public TGBrowserResponse( InputStream stream ) throws
Throwable {
private void initialize(InputStream stream) throws Throwable {
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
DocumentBuilder builder = factory.newDocumentBuilder();
this.document = builder.parse(stream);
}
diff --git
a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
index 67dbabb03..39c33bcaf 100644
---
a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
+++
b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
@@ -28,6 +28,12 @@ public TGShareSongResponse( InputStream stream ) throws
Throwable {
private void initialize(InputStream stream) throws Throwable {
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
DocumentBuilder builder = factory.newDocumentBuilder();
this.document = builder.parse(stream);
}
diff --git
a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
index 439eef348..24688b16d 100644
---
a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
+++
b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
@@ -51,6 +51,12 @@ private void loadTemplates(List<TGTemplate> templates,Node
node) throws Throwabl
private Document createDocument(InputStream stream) throws Throwable {
Document document = null;
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
DocumentBuilder builder = factory.newDocumentBuilder();
document = builder.parse(stream);
diff --git
a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
index a8b869f28..5232fa6a2 100644
--- a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
+++ b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
@@ -35,8 +35,16 @@ public GPXDocumentReader(InputStream stream, Integer
version) throws GPXFormatEx
}
private Document getDocument(InputStream stream) {
+ DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
+ // CVE-2020-14940
try {
- return
DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
+
+ try {
+ return factory.newDocumentBuilder().parse(stream);
} catch (Throwable throwable) {
throw new GPXFormatException("Invalid file format",
throwable);
}
@@ -309,25 +317,25 @@ public void readBeats(){
beat.setWhammyBarEnabled( getChildNode(propertyNode, "Enable") != null );
}
if(
propertyName.equals("WhammyBarOriginValue") ){
-
beat.setWhammyBarOriginValue( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
beat.setWhammyBarOriginValue(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("WhammyBarMiddleValue") ){
-
beat.setWhammyBarMiddleValue( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
beat.setWhammyBarMiddleValue(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("WhammyBarDestinationValue") ){
-
beat.setWhammyBarDestinationValue( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
beat.setWhammyBarDestinationValue(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("WhammyBarOriginOffset") ){
-
beat.setWhammyBarOriginOffset( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
beat.setWhammyBarOriginOffset(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("WhammyBarMiddleOffset1") ){
-
beat.setWhammyBarMiddleOffset1( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
beat.setWhammyBarMiddleOffset1(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("WhammyBarMiddleOffset2") ){
-
beat.setWhammyBarMiddleOffset2( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
beat.setWhammyBarMiddleOffset2(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("WhammyBarDestinationOffset") ){
-
beat.setWhammyBarDestinationOffset( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
beat.setWhammyBarDestinationOffset(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("Brush") ){
beat.setBrush( getChildNodeContent(propertyNode, "Direction") );
@@ -408,25 +416,25 @@ public void readNotes(){
note.setBendEnabled( getChildNode(propertyNode, "Enable") != null );
}
if(
propertyName.equals("BendOriginValue") ){
-
note.setBendOriginValue( new Integer(getChildNodeIntegerContent(propertyNode,
"Float")) );
+
note.setBendOriginValue(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("BendMiddleValue") ){
-
note.setBendMiddleValue( new Integer(getChildNodeIntegerContent(propertyNode,
"Float")) );
+
note.setBendMiddleValue(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("BendDestinationValue") ){
-
note.setBendDestinationValue( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
note.setBendDestinationValue(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("BendOriginOffset") ){
-
note.setBendOriginOffset( new Integer(getChildNodeIntegerContent(propertyNode,
"Float")) );
+
note.setBendOriginOffset(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("BendMiddleOffset1") ){
-
note.setBendMiddleOffset1( new Integer(getChildNodeIntegerContent(propertyNode,
"Float")) );
+
note.setBendMiddleOffset1(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("BendMiddleOffset2") ){
-
note.setBendMiddleOffset2( new Integer(getChildNodeIntegerContent(propertyNode,
"Float")) );
+
note.setBendMiddleOffset2(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("BendDestinationOffset") ){
-
note.setBendDestinationOffset( new
Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
+
note.setBendDestinationOffset(
Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
}
if(
propertyName.equals("HopoOrigin") ){
note.setHammer(true);
diff --git
a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
index 55beeefb0..ed87fd535 100644
---
a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
+++
b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
@@ -52,6 +52,12 @@ public static List<KeyBindingAction>
getKeyBindings(InputStream is) {
private static Document getDocument(InputStream is) {
Document document = null;
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
try {
DocumentBuilder builder = factory.newDocumentBuilder();
document = builder.parse(is);
@@ -69,6 +75,12 @@ private static Document getDocument(InputStream is) {
private static Document getDocument(File file) {
Document document = null;
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
try {
DocumentBuilder builder = factory.newDocumentBuilder();
document = builder.parse(file);
diff --git
a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
index 7c4c0e2ab..1303bc16a 100644
---
a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
+++
b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
@@ -59,7 +59,12 @@ private static void loadCollections(TGBrowserManager
manager,Node node){
private static Document getDocument(File file) throws
ParserConfigurationException, SAXException, IOException {
Document document = null;
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
-
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
DocumentBuilder builder = factory.newDocumentBuilder();
document = builder.parse(file);
diff --git
a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
index 44a263fb2..26f0a6d16 100644
--- a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
+++ b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
@@ -34,7 +34,12 @@ public void loadScales(List<ScaleInfo> scales,InputStream
stream){
private static Document getDocument(InputStream stream) throws
ParserConfigurationException, SAXException, IOException {
Document document = null;
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
-
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
DocumentBuilder builder = factory.newDocumentBuilder();
document = builder.parse(stream);
diff --git
a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
index abf94e056..c06c04dae 100644
---
a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
+++
b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
@@ -36,6 +36,12 @@ public static List<TGChord> getChords(String fileName) {
private static Document getDocument(File file) {
Document document = null;
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
+ // CVE-2020-14940
+ try {
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+ factory.setXIncludeAware(false);
+ } catch (Throwable throwable) {
+ }
try {
DocumentBuilder builder = factory.newDocumentBuilder();
document = builder.parse(file);
