diff --git a/SOURCES/expat-2.2.5-CVE-2018-20843.patch b/SOURCES/expat-2.2.5-CVE-2018-20843.patch
new file mode 100644
index 0000000..8afbfd0
--- /dev/null
+++ b/SOURCES/expat-2.2.5-CVE-2018-20843.patch
@@ -0,0 +1,15 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20843
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve20843
++++ libexpat-R_2_2_5/expat/lib/xmlparse.c
+@@ -6057,7 +6057,7 @@ setElementTypePrefix(XML_Parser parser,
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff --git a/SOURCES/expat-2.2.5-CVE-2019-15903.patch b/SOURCES/expat-2.2.5-CVE-2019-15903.patch
new file mode 100644
index 0000000..72c0164
--- /dev/null
+++ b/SOURCES/expat-2.2.5-CVE-2019-15903.patch
@@ -0,0 +1,171 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1752592
+
+https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
+
+--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve15903
++++ libexpat-R_2_2_5/expat/lib/xmlparse.c
+@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+ const char *end, int tok, const char *next, const char **nextPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse
+
+ parser->m_processor = prologProcessor;
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -4268,19 +4268,13 @@ prologProcessor(XML_Parser parser,
+ const char *next = s;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error
+-doProlog(XML_Parser parser,
+- const ENCODING *enc,
+- const char *s,
+- const char *end,
+- int tok,
+- const char *next,
+- const char **nextPtr,
+- XML_Bool haveMore)
+-{
++doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
++ int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
++ XML_Bool allowClosingDoctype) {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+ #endif /* XML_DTD */
+@@ -4458,6 +4452,11 @@ doProlog(XML_Parser parser,
+ }
+ break;
+ case XML_ROLE_DOCTYPE_CLOSE:
++ if (allowClosingDoctype != XML_TRUE) {
++ /* Must not close doctype from within expanded parameter entities */
++ return XML_ERROR_INVALID_TOKEN;
++ }
++
+ if (parser->m_doctypeName) {
+ parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+ parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5395,7 +5394,7 @@ processInternalEntity(XML_Parser parser,
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5442,7 +5441,7 @@ internalEntityProcessor(XML_Parser parse
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5469,7 +5468,7 @@ internalEntityProcessor(XML_Parser parse
+ parser->m_processor = prologProcessor;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+--- libexpat-R_2_2_5/expat/tests/runtests.c.cve15903
++++ libexpat-R_2_2_5/expat/tests/runtests.c
+@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co
+ CharData_AppendXMLChars(storage, XCS("\n"), 1);
+ }
+
++#ifdef XML_DTD
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
++ const char *const inputOne = "<!DOCTYPE d [\n"
++ "<!ENTITY % e ']><d/>'>\n"
++ "\n"
++ "%e;";
++ const char *const inputTwo = "<!DOCTYPE d [\n"
++ "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
++ "\n"
++ "%e2;";
++ const char *const inputThree = "<!DOCTYPE d [\n"
++ "<!ENTITY % e ']><d'>\n"
++ "\n"
++ "%e;";
++ const char *const inputIssue317 = "<!DOCTYPE doc [\n"
++ "<!ENTITY % foo ']>\n"
++ "<doc>Hell<oc (#PCDATA)*>'>\n"
++ "%foo;\n"
++ "]>\n"
++ "<doc>Hello, world</dVc>";
++
++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
++ size_t inputIndex = 0;
++
++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++ XML_Parser parser;
++ enum XML_Status parseResult;
++ int setParamEntityResult;
++ XML_Size lineNumber;
++ XML_Size columnNumber;
++ const char *const input = inputs[inputIndex];
++
++ parser = XML_ParserCreate(NULL);
++ setParamEntityResult
++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ if (setParamEntityResult != 1)
++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
++
++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
++ if (parseResult != XML_STATUS_ERROR) {
++ parseResult = XML_Parse(parser, "", 0, 1);
++ if (parseResult != XML_STATUS_ERROR) {
++ fail("Parsing was expected to fail but succeeded.");
++ }
++ }
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
++ fail("Error code does not match XML_ERROR_INVALID_TOKEN");
++
++ lineNumber = XML_GetCurrentLineNumber(parser);
++ if (lineNumber != 4)
++ fail("XML_GetCurrentLineNumber does not work as expected.");
++
++ columnNumber = XML_GetCurrentColumnNumber(parser);
++ if (columnNumber != 0)
++ fail("XML_GetCurrentColumnNumber does not work as expected.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++#endif
++
+ static void
+ run_ns_tagname_overwrite_test(const char *text, const XML_Char *result)
+ {
+@@ -12210,6 +12273,10 @@ make_suite(void)
+ tcase_add_test(tc_misc, test_misc_features);
+ tcase_add_test(tc_misc, test_misc_attribute_leak);
+ tcase_add_test(tc_misc, test_misc_utf16le);
++#ifdef XML_DTD
++ tcase_add_test(tc_misc,
++ test_misc_deny_internal_entity_closing_doctype_issue_317);
++#endif
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index 233ae52..25338ac 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -3,12 +3,14 @@
Summary: An XML parser library
Name: expat
Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 3%{?dist}
+Release: 4%{?dist}
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
URL: https://libexpat.github.io/
License: MIT
BuildRequires: autoconf, libtool, xmlto, gcc-c++
Patch0: expat-2.2.5-doc2man.patch
+Patch1: expat-2.2.5-CVE-2018-20843.patch
+Patch2: expat-2.2.5-CVE-2019-15903.patch
%description
This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -37,6 +39,9 @@ Install it if you need to link statically with expat.
%prep
%setup -q -n libexpat-R_%{unversion}/expat
%patch0 -p2 -b .doc2man
+%patch1 -p2 -b .cve20843
+%patch2 -p2 -b .cve15903
+
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
./buildconf.sh
@@ -74,6 +79,9 @@ make check
%{_libdir}/lib*.a
%changelog
+* Fri Apr 24 2020 Joe Orton <jorton@redhat.com> - 2.2.5-4
+- add security fixes for CVE-2018-20843, CVE-2019-15903
+
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild