diff --git a/.expat.metadata b/.expat.metadata
new file mode 100644
index 0000000..e69ad7b
--- /dev/null
+++ b/.expat.metadata
@@ -0,0 +1 @@
+fa46ccce6770ccae767c28f6ac55e2428089d4a0 SOURCES/expat-2.2.5.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2d47f87
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/expat-2.2.5.tar.gz
diff --git a/SOURCES/expat-2.2.5-CVE-2018-20843.patch b/SOURCES/expat-2.2.5-CVE-2018-20843.patch
new file mode 100644
index 0000000..8afbfd0
--- /dev/null
+++ b/SOURCES/expat-2.2.5-CVE-2018-20843.patch
@@ -0,0 +1,15 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20843
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve20843
++++ libexpat-R_2_2_5/expat/lib/xmlparse.c
+@@ -6057,7 +6057,7 @@ setElementTypePrefix(XML_Parser parser,
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff --git a/SOURCES/expat-2.2.5-CVE-2019-15903.patch b/SOURCES/expat-2.2.5-CVE-2019-15903.patch
new file mode 100644
index 0000000..72c0164
--- /dev/null
+++ b/SOURCES/expat-2.2.5-CVE-2019-15903.patch
@@ -0,0 +1,171 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1752592
+
+https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
+
+--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve15903
++++ libexpat-R_2_2_5/expat/lib/xmlparse.c
+@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+ const char *end, int tok, const char *next, const char **nextPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse
+
+ parser->m_processor = prologProcessor;
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -4268,19 +4268,13 @@ prologProcessor(XML_Parser parser,
+ const char *next = s;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error
+-doProlog(XML_Parser parser,
+- const ENCODING *enc,
+- const char *s,
+- const char *end,
+- int tok,
+- const char *next,
+- const char **nextPtr,
+- XML_Bool haveMore)
+-{
++doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
++ int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
++ XML_Bool allowClosingDoctype) {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+ #endif /* XML_DTD */
+@@ -4458,6 +4452,11 @@ doProlog(XML_Parser parser,
+ }
+ break;
+ case XML_ROLE_DOCTYPE_CLOSE:
++ if (allowClosingDoctype != XML_TRUE) {
++ /* Must not close doctype from within expanded parameter entities */
++ return XML_ERROR_INVALID_TOKEN;
++ }
++
+ if (parser->m_doctypeName) {
+ parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+ parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5395,7 +5394,7 @@ processInternalEntity(XML_Parser parser,
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5442,7 +5441,7 @@ internalEntityProcessor(XML_Parser parse
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5469,7 +5468,7 @@ internalEntityProcessor(XML_Parser parse
+ parser->m_processor = prologProcessor;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+--- libexpat-R_2_2_5/expat/tests/runtests.c.cve15903
++++ libexpat-R_2_2_5/expat/tests/runtests.c
+@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co
+ CharData_AppendXMLChars(storage, XCS("\n"), 1);
+ }
+
++#ifdef XML_DTD
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
++ const char *const inputOne = "'>\n"
++ "\n"
++ "%e;";
++ const char *const inputTwo = "'>\n"
++ "\n"
++ "%e2;";
++ const char *const inputThree = "\n"
++ "\n"
++ "%e;";
++ const char *const inputIssue317 = "\n"
++ "Hell'>\n"
++ "%foo;\n"
++ "]>\n"
++ "Hello, world";
++
++ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
++ size_t inputIndex = 0;
++
++ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++ XML_Parser parser;
++ enum XML_Status parseResult;
++ int setParamEntityResult;
++ XML_Size lineNumber;
++ XML_Size columnNumber;
++ const char *const input = inputs[inputIndex];
++
++ parser = XML_ParserCreate(NULL);
++ setParamEntityResult
++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ if (setParamEntityResult != 1)
++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
++
++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
++ if (parseResult != XML_STATUS_ERROR) {
++ parseResult = XML_Parse(parser, "", 0, 1);
++ if (parseResult != XML_STATUS_ERROR) {
++ fail("Parsing was expected to fail but succeeded.");
++ }
++ }
++
++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
++ fail("Error code does not match XML_ERROR_INVALID_TOKEN");
++
++ lineNumber = XML_GetCurrentLineNumber(parser);
++ if (lineNumber != 4)
++ fail("XML_GetCurrentLineNumber does not work as expected.");
++
++ columnNumber = XML_GetCurrentColumnNumber(parser);
++ if (columnNumber != 0)
++ fail("XML_GetCurrentColumnNumber does not work as expected.");
++
++ XML_ParserFree(parser);
++ }
++}
++END_TEST
++#endif
++
+ static void
+ run_ns_tagname_overwrite_test(const char *text, const XML_Char *result)
+ {
+@@ -12210,6 +12273,10 @@ make_suite(void)
+ tcase_add_test(tc_misc, test_misc_features);
+ tcase_add_test(tc_misc, test_misc_attribute_leak);
+ tcase_add_test(tc_misc, test_misc_utf16le);
++#ifdef XML_DTD
++ tcase_add_test(tc_misc,
++ test_misc_deny_internal_entity_closing_doctype_issue_317);
++#endif
+
+ suite_add_tcase(s, tc_alloc);
+ tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
diff --git a/SOURCES/expat-2.2.5-doc2man.patch b/SOURCES/expat-2.2.5-doc2man.patch
new file mode 100644
index 0000000..59c7136
--- /dev/null
+++ b/SOURCES/expat-2.2.5-doc2man.patch
@@ -0,0 +1,26 @@
+diff -uap libexpat-R_2_2_5/expat/configure.ac.doc2man libexpat-R_2_2_5/expat/configure.ac
+--- libexpat-R_2_2_5/expat/configure.ac.doc2man
++++ libexpat-R_2_2_5/expat/configure.ac
+@@ -241,7 +241,7 @@ AS_IF([test "x$with_docbook" != xno],
+ [if test "x$with_docbook" != xcheck; then
+ AC_MSG_ERROR([Required program 'docbook2x-man' not found.])])])
+
+-AM_CONDITIONAL(WITH_DOCBOOK, [test x${DOCBOOK_TO_MAN} != x])
++AM_CONDITIONAL(WITH_DOCBOOK, [test "x${DOCBOOK_TO_MAN}" != x])
+
+ AC_CONFIG_FILES([Makefile expat.pc])
+ AC_CONFIG_FILES([
+diff -uap libexpat-R_2_2_5/expat/doc/Makefile.am.doc2man libexpat-R_2_2_5/expat/doc/Makefile.am
+--- libexpat-R_2_2_5/expat/doc/Makefile.am.doc2man
++++ libexpat-R_2_2_5/expat/doc/Makefile.am
+@@ -32,8 +32,9 @@ dist_man_MANS = xmlwf.1
+
+ xmlwf.1: xmlwf.xml
+ if WITH_DOCBOOK
++ -rm -f $@
+ $(DOCBOOK_TO_MAN) $<
+- mv XMLWF.1 $@
++ test -f $@ || mv XMLWF.1 $@
+ else
+ @echo 'ERROR: Configure with --with-docbook for "make dist".' 1>&2
+ @false
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
new file mode 100644
index 0000000..25338ac
--- /dev/null
+++ b/SPECS/expat.spec
@@ -0,0 +1,306 @@
+%global unversion 2_2_5
+
+Summary: An XML parser library
+Name: expat
+Version: %(echo %{unversion} | sed 's/_/./g')
+Release: 4%{?dist}
+Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
+URL: https://libexpat.github.io/
+License: MIT
+BuildRequires: autoconf, libtool, xmlto, gcc-c++
+Patch0: expat-2.2.5-doc2man.patch
+Patch1: expat-2.2.5-CVE-2018-20843.patch
+Patch2: expat-2.2.5-CVE-2019-15903.patch
+
+%description
+This is expat, the C library for parsing XML, written by James Clark. Expat
+is a stream oriented XML parser. This means that you register handlers with
+the parser prior to starting the parse. These handlers are called when the
+parser discovers the associated structures in the document being parsed. A
+start tag is an example of the kind of structures for which you may
+register handlers.
+
+%package devel
+Summary: Libraries and header files to develop applications using expat
+Requires: expat%{?_isa} = %{version}-%{release}
+
+%description devel
+The expat-devel package contains the libraries, include files and documentation
+to develop XML applications with expat.
+
+%package static
+Summary: expat XML parser static library
+Requires: expat-devel%{?_isa} = %{version}-%{release}
+
+%description static
+The expat-static package contains the static version of the expat library.
+Install it if you need to link statically with expat.
+
+%prep
+%setup -q -n libexpat-R_%{unversion}/expat
+%patch0 -p2 -b .doc2man
+%patch1 -p2 -b .cve20843
+%patch2 -p2 -b .cve15903
+
+sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
+./buildconf.sh
+
+%build
+export CFLAGS="$RPM_OPT_FLAGS -fPIC"
+export DOCBOOK_TO_MAN="xmlto man --skip-validation"
+%configure
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+
+%check
+make check
+
+%ldconfig_scriptlets
+
+%files
+%{!?_licensedir:%global license %%doc}
+%doc AUTHORS Changes
+%license COPYING
+%{_bindir}/*
+%{_libdir}/lib*.so.*
+%{_mandir}/*/*
+
+%files devel
+%doc doc/reference.html doc/*.png doc/*.css examples/*.c
+%{_libdir}/lib*.so
+%{_libdir}/pkgconfig/*.pc
+%{_includedir}/*.h
+
+%files static
+%{_libdir}/lib*.a
+
+%changelog
+* Fri Apr 24 2020 Joe Orton - 2.2.5-4
+- add security fixes for CVE-2018-20843, CVE-2019-15903
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2.2.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko - 2.2.5-2
+- Switch to %%ldconfig_scriptlets
+
+* Thu Nov 2 2017 Joe Orton - 2.2.5-1
+- update to 2.2.5 (#1508667)
+
+* Mon Aug 21 2017 Joe Orton - 2.2.4-1
+- update to 2.2.4 (#1483359)
+
+* Fri Aug 4 2017 Joe Orton - 2.2.3-1
+- fix tests with unsigned char (upstream PR 109)
+- update to 2.2.3 (#1473266)
+
+* Wed Aug 02 2017 Fedora Release Engineering - 2.2.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.2.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul 14 2017 Joe Orton - 2.2.2-2
+- update to 2.2.2 (#1470891)
+
+* Fri Jul 7 2017 Joe Orton - 2.2.1-2
+- trim unnecessary doc, examples content
+
+* Mon Jun 19 2017 Joe Orton - 2.2.1-1
+- update to 2.2.1 (#1462474)
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Jun 21 2016 Joe Orton - 2.2.0-1
+- update to 2.2.0 (#1247348)
+
+* Thu Jun 16 2016 Joe Orton - 2.1.1-2
+- add security fixes for CVE-2016-0718, CVE-2012-6702, CVE-2016-5300,
+ CVE-2016-4472
+
+* Mon Apr 18 2016 David Tardon - 2.1.1-1
+- new upstream release
+
+* Wed Feb 03 2016 Fedora Release Engineering - 2.1.0-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.1.0-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas - 2.1.0-11
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Sat Aug 16 2014 Fedora Release Engineering - 2.1.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jul 12 2014 Tom Callaway - 2.1.0-9
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.1.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering - 2.1.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jun 17 2013 Joe Orton - 2.1.0-6
+- fix "xmlwf -h" output (#948534)
+
+* Wed Feb 13 2013 Fedora Release Engineering - 2.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Jul 19 2012 Fedora Release Engineering - 2.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Apr 13 2012 Joe Orton - 2.1.0-3
+- add -static subpackage (#722647)
+
+* Fri Mar 30 2012 Joe Orton - 2.1.0-1
+- ship .pc file, move library back to libdir (#808399)
+
+* Mon Mar 26 2012 Joe Orton - 2.1.0-1
+- update to 2.1.0 (#806602)
+
+* Fri Jan 13 2012 Fedora Release Engineering - 2.0.1-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering - 2.0.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Feb 8 2010 Joe Orton - 2.0.1-10
+- revised fix for CVE-2009-3560 regression (#544996)
+
+* Sun Jan 31 2010 Joe Orton - 2.0.1-9
+- drop static libraries (#556046)
+- add fix for regression in CVE-2009-3560 patch (#544996)
+
+* Tue Dec 1 2009 Joe Orton - 2.0.1-8
+- add security fix for CVE-2009-3560 (#533174)
+- add security fix for CVE-2009-3720 (#531697)
+- run the test suite
+
+* Fri Jul 24 2009 Fedora Release Engineering - 2.0.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Feb 24 2009 Fedora Release Engineering - 2.0.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Feb 19 2008 Fedora Release Engineering - 2.0.1-5
+- Autorebuild for GCC 4.3
+
+* Wed Jan 23 2008 Joe Orton 2.0.1-4
+- chmod 644 even more documentation (#429806)
+
+* Tue Jan 8 2008 Joe Orton 2.0.1-3
+- chmod 644 the documentation (#427950)
+
+* Wed Aug 22 2007 Joe Orton 2.0.1-2
+- rebuild
+
+* Wed Aug 8 2007 Joe Orton 2.0.1-1
+- update to 2.0.1
+- fix the License tag
+- drop the .la file
+
+* Sun Feb 4 2007 Joe Orton 1.95.8-10
+- remove trailing dot in Summary (#225742)
+- use preferred BuildRoot per packaging guidelines (#225742)
+
+* Tue Jan 30 2007 Joe Orton 1.95.8-9
+- regenerate configure/libtool correctly (#199361)
+- strip DSP files from examples (#186889)
+- fix expat.h compilation with g++ -pedantic (#190244)
+
+* Wed Jul 12 2006 Jesse Keating - 1.95.8-8.2.1
+- rebuild
+
+* Fri Feb 10 2006 Jesse Keating - 1.95.8-8.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 1.95.8-8.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 31 2006 Joe Orton 1.95.8-8
+- restore .la file for apr-util
+
+* Mon Jan 30 2006 Joe Orton 1.95.8-7
+- move library to /lib (#178743)
+- omit .la file (#170031)
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Tue Mar 8 2005 Joe Orton 1.95.8-6
+- rebuild
+
+* Thu Nov 25 2004 Ivana Varekova 1.95.8
+- update to 1.95.8
+
+* Wed Jun 16 2004 Jeff Johnson 1.95.7-4
+- add -fPIC (#125586).
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Fri Jun 11 2004 Jeff Johnson 1.95.7-2
+- fix: malloc failure from dbus test suite (#124747).
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Sun Feb 22 2004 Joe Orton 1.95.7-1
+- update to 1.95.7, include COPYING file in main package
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Wed Sep 17 2003 Matt Wilson 1.95.5-6
+- rebuild again for #91211
+
+* Tue Sep 16 2003 Matt Wilson 1.95.5-5
+- rebuild to fix gzip'ed file md5sums (#91211)
+
+* Tue Jun 17 2003 Jeff Johnson 1.95.5-4
+- rebuilt because of crt breakage on ppc64.
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Mon Nov 11 2002 Jeff Johnson 1.95.5-1
+- update to 1.95.5.
+
+* Mon Aug 19 2002 Trond Eivind Glomsrød 1,95.4-1
+- 1.95.4. 1.95.3 was withdrawn by the expat developers.
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Thu Jun 6 2002 Trond Eivind Glomsrød 1,95.3-1
+- 1.95.3
+
+* Thu May 23 2002 Tim Powers
+- automated rebuild
+
+* Fri Mar 22 2002 Trond Eivind Glomsrød
+- Change a prereq in -devel on main package to a req
+- License from MIT/X11 to BSD
+
+* Mon Mar 11 2002 Trond Eivind Glomsrød
+- 1.95.2
+
+* Sun Jun 24 2001 Elliot Lee
+- Bump release + rebuild.
+
+* Tue Oct 24 2000 Jeff Johnson
+- update to 1.95.1
+
+* Sun Oct 8 2000 Jeff Johnson
+- Create.