diff --git a/SOURCES/expat-2.1.0-CVE-2018-20843.patch b/SOURCES/expat-2.1.0-CVE-2018-20843.patch
new file mode 100644
index 0000000..677e021
--- /dev/null
+++ b/SOURCES/expat-2.1.0-CVE-2018-20843.patch
@@ -0,0 +1,14 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20843
+
+--- expat-2.1.0/lib/xmlparse.c.cve20843
++++ expat-2.1.0/lib/xmlparse.c
+@@ -5433,7 +5433,7 @@
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff --git a/SOURCES/expat-2.1.0-CVE-2019-15903.patch b/SOURCES/expat-2.1.0-CVE-2019-15903.patch
new file mode 100644
index 0000000..7a3be0f
--- /dev/null
+++ b/SOURCES/expat-2.1.0-CVE-2019-15903.patch
@@ -0,0 +1,167 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15903
+
+https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
+
+--- expat-2.1.0/lib/xmlparse.c.cve15903
++++ expat-2.1.0/lib/xmlparse.c
+@@ -331,7 +331,7 @@
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+ const char *end, int tok, const char *next, const char **nextPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+@@ -3699,7 +3699,7 @@
+
+ processor = prologProcessor;
+ return doProlog(parser, encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!ps_finalBuffer);
++ nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -3749,7 +3749,7 @@
+ const char *next = s;
+ int tok = XmlPrologTok(encoding, s, end, &next);
+ return doProlog(parser, encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!ps_finalBuffer);
++ nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error
+@@ -3760,7 +3760,8 @@
+ int tok,
+ const char *next,
+ const char **nextPtr,
+- XML_Bool haveMore)
++ XML_Bool haveMore,
++ XML_Bool allowClosingDoctype)
+ {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+@@ -3936,6 +3937,11 @@
+ }
+ break;
+ case XML_ROLE_DOCTYPE_CLOSE:
++ if (allowClosingDoctype != XML_TRUE) {
++ /* Must not close doctype from within expanded parameter entities */
++ return XML_ERROR_INVALID_TOKEN;
++ }
++
+ if (doctypeName) {
+ startDoctypeDeclHandler(handlerArg, doctypeName,
+ doctypeSysid, doctypePubid, 0);
+@@ -4837,7 +4843,7 @@
+ if (entity->is_param) {
+ int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -4882,7 +4888,7 @@
+ if (entity->is_param) {
+ int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -4909,7 +4915,7 @@
+ processor = prologProcessor;
+ tok = XmlPrologTok(encoding, s, end, &next);
+ return doProlog(parser, encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)!ps_finalBuffer);
++ (XML_Bool)!ps_finalBuffer, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+--- expat-2.1.0/tests/runtests.c.cve15903
++++ expat-2.1.0/tests/runtests.c
+@@ -1157,6 +1157,69 @@
+ CharData_AppendString(storage, "\n");
+ }
+
++#ifdef XML_DTD
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
++ const char *const inputOne = "<!DOCTYPE d [\n"
++ "<!ENTITY % e ']><d/>'>\n"
++ "\n"
++ "%e;";
++ const char *const inputTwo = "<!DOCTYPE d [\n"
++ "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
++ "\n"
++ "%e2;";
++ const char *const inputThree = "<!DOCTYPE d [\n"
++ "<!ENTITY % e ']><d'>\n"
++ "\n"
++ "%e;";
++ const char *const inputIssue317 = "<!DOCTYPE doc [\n"
++ "<!ENTITY % foo ']>\n"
++ "<doc>Hell<oc (#PCDATA)*>'>\n"
++ "%foo;\n"
++ "]>\n"
++ "<doc>Hello, world</dVc>";
++
++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
++ size_t inputIndex = 0;
++
++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++ XML_Parser parser;
++ enum XML_Status parseResult;
++ int setParamEntityResult;
++ XML_Size lineNumber;
++ XML_Size columnNumber;
++ const char *const input = inputs[inputIndex];
++
++ parser = XML_ParserCreate(NULL);
++ setParamEntityResult
++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ if (setParamEntityResult != 1)
++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
++
++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
++ if (parseResult != XML_STATUS_ERROR) {
++ parseResult = XML_Parse(parser, "", 0, 1);
++ if (parseResult != XML_STATUS_ERROR) {
++ fail("Parsing was expected to fail but succeeded.");
++ }
++ }
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
++ fail("Error code does not match XML_ERROR_INVALID_TOKEN");
++
++ lineNumber = XML_GetCurrentLineNumber(parser);
++ if (lineNumber != 4)
++ fail("XML_GetCurrentLineNumber does not work as expected.");
++
++ columnNumber = XML_GetCurrentColumnNumber(parser);
++ if (columnNumber != 0)
++ fail("XML_GetCurrentColumnNumber does not work as expected.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++#endif
++
+ static void
+ run_ns_tagname_overwrite_test(char *text, char *result)
+ {
+@@ -1479,6 +1542,11 @@
+ tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_attribute);
+ tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_element);
+
++#ifdef XML_DTD
++ tcase_add_test(tc_basic,
++ test_misc_deny_internal_entity_closing_doctype_issue_317);
++#endif
++
+ return s;
+ }
+
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index 07da724..fa09adc 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -1,12 +1,14 @@
Summary: An XML parser library
Name: expat
Version: 2.1.0
-Release: 11%{?dist}
+Release: 12%{?dist}
Group: System Environment/Libraries
Source: http://downloads.sourceforge.net/expat/expat-%{version}.tar.gz
Patch0: expat-2.1.0-xmlwfargs.patch
Patch1: expat-2.1.0-CVE-2016-0718.patch
Patch2: expat-2.1.0-CVE-2015-2716.patch
+Patch3: expat-2.1.0-CVE-2018-20843.patch
+Patch4: expat-2.1.0-CVE-2019-15903.patch
URL: http://www.libexpat.org/
License: MIT
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -43,6 +45,8 @@ Install it if you need to link statically with expat.
%patch0 -p1 -b .xmlwfargs
%patch1 -p1 -b .cve0718
%patch2 -p1 -b .cve2716
+%patch3 -p1 -b .cve20843
+%patch4 -p1 -b .cve15903
%build
rm -rf autom4te*.cache
@@ -89,6 +93,9 @@ rm -rf ${RPM_BUILD_ROOT}
%{_libdir}/lib*.a
%changelog
+* Thu Apr 2 2020 Joe Orton <jorton@redhat.com> - 2.1.0-12
+- add security fixes for CVE-2018-20843, CVE-2019-15903
+
* Thu Jul 25 2019 Joe Orton <jorton@redhat.com> - 2.1.0-11
- add security fix for CVE-2015-2716