Bug 555836 - xqilla blatantly includes its own copy of xerces
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: xqilla
Version: rawhide
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Jonathan Robie
QA Contact: Fedora Extras Quality Assurance
Blocks: DuplicSysLibsTracker
Reported: 2010-01-15 17:19 UTC by Toshio Ernie Kuratomi
Modified: 2013-08-06 00:53 UTC

Doc Type: Bug Fix
Last Closed: 2010-03-08 23:11:53 UTC

Description Toshio Ernie Kuratomi 2010-01-15 17:19:15 UTC
Description of problem:

xqilla includes its own version of the xerces source as a second Source: line in the spec file.

The packaging Guidelines are very clear that this is not allowed:
  https://fedoraproject.org/wiki/Packaging:Guidelines#Duplication_of_system_libraries
  https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

Additionally:
The latest XQilla, xqilla-2.2.3 has this in the configure.in: 

if test "$xerces_version_major" -lt "3" -a "$xerces_source_tree" = "no"; then
   AC_MSG_ERROR([For Xerces-C versions before 3.0 the source tree is required
to build XQilla. You must specify the path to the Xerces-C source tree using
--with-xerces.])
fi

So it looks like the latest xqilla and xerces-3.x can fix this problem.

Note that the latest entry in our xerces-c package says:
Our Xerces package has this as its most recent changelog:
* Thu Aug 06 2009 Peter Lemenkov <lemenkov> 2.8.0-5
- Fix CVE-2009-1885

Which mitre.org says is an application crash DOS.  This is not addressed in the version of xerces that xqilla bundles.
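
The check below is an added example, not part of the original report or of the Fedora tooling: it flags Source tags in a spec file whose tarball name starts with the name of a library the distribution already packages, which is the pattern described above. The sample spec contents, the example.invalid URLs and the library list (xerces-c, zlib) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Source tags in an RPM spec file whose tarball name
# matches a library that is already packaged separately in the distribution.

# sample_spec: prints a constructed spec fragment (not the real xqilla.spec).
sample_spec() {
    cat <<'EOF'
Name:           xqilla
Source0:        http://example.invalid/XQilla-%{version}.tar.gz
Source1:        http://example.invalid/xerces-c-src_2_8_0.tar.gz
BuildRequires:  xerces-c-devel
EOF
}

# bundled_sources SPEC LIB...
# Prints "TAG LIB FILE" for each SourceN line whose file name starts with LIB
# followed by a separator (-, _ or .). Returns 1 if anything was flagged.
bundled_sources() {
    _spec=$1; shift
    awk -v libs="$*" '
        BEGIN { n = split(libs, lib, " "); found = 0 }
        # RPM tags are case-insensitive: Source:, Source0:, source1: ...
        match(tolower($0), /^source[0-9]*:[ \t]*/) {
            tag  = substr($0, 1, index($0, ":") - 1)
            file = substr($0, RLENGTH + 1)
            sub(/[ \t]+$/, "", file)      # trailing whitespace
            sub(/^.*\//, "", file)        # drop URL or path, keep tarball name
            lfile = tolower(file)
            for (i = 1; i <= n; i++) {
                l = tolower(lib[i])
                # literal prefix match, so names like libstdc++ are safe
                if (index(lfile, l) == 1 &&
                    substr(lfile, length(l) + 1, 1) ~ /^[-_.]$/) {
                    print tag, lib[i], file
                    found = 1
                }
            }
        }
        END { exit found }' "$_spec"
}

# Demo on the constructed spec.
demo=$(mktemp)
sample_spec > "$demo"
bundled_sources "$demo" xerces-c zlib || echo "bundled system library found" >&2
rm -f "$demo"
```

A name-prefix match only catches a bundled copy that is listed as its own Source tag; a library copied into the upstream tarball itself needs a scan of the unpacked tree.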

Comment 1 Carl G. 2010-01-15 21:32:45 UTC
Thank you for taking the time to file this bug report. Since it's against the packaging guidelines, devel-list has been notified.

http://lists.fedoraproject.org/pipermail/devel/2010-January/129283.html

---

Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 2 Jonathan Robie 2010-01-19 13:52:35 UTC
XQilla can use any version of Xerces >= 2.8, but versions earlier than Xerces 3.0 require additional header files not provided by Xerces (these are shipped with Xerces as of 3.0).

I propose to fix this by adding the needed headers if the Xerces version is < 3.0, or using the installed Xerces otherwise. In either case, XQilla will not use a private copy of Xerces.

Comment 3 Toshio Ernie Kuratomi 2010-01-21 16:46:46 UTC
From John Snelson in Bug#511425

In order to build XQilla 2.2.3 against Xerces-C 2.8 (or any version before
3.0), XQilla requires the following (formerly) private headers:

xercesc/dom/impl/DOMAttrImpl.hpp
xercesc/dom/impl/DOMCasts.hpp
xercesc/dom/impl/DOMDocumentImpl.hpp
xercesc/dom/impl/DOMDocumentTypeImpl.hpp
xercesc/dom/impl/DOMElementNSImpl.hpp
xercesc/dom/impl/DOMNodeImpl.hpp
xercesc/dom/impl/DOMRangeImpl.hpp
xercesc/dom/impl/DOMTypeInfoImpl.hpp
xercesc/dom/impl/DOMWriterImpl.hpp

Packaging XQilla along with these headers from Xerces-C should allow a stand
alone build without the Xerces-C source code (ie: from a normal install of
Xerces-C).

Comment 4 Toshio Ernie Kuratomi 2010-01-21 17:51:15 UTC
I've been talking with jrobie. We have two options open to us:

1) update xerces-c to 3.x and then xqilla will build without a bundled version of the library.  This is what we want to do for rawhide.  It may mean that packages already in Fedora either need to port or we may need a compat package:
http://xerces.apache.org/xerces-c/migrate-archive-3.html

2) pull just the private header files from John Snelson's list into xqilla and build with those.  This might be better for EL-5 and F-11/F-12 since moving to xerces-c-3 would be discouraged for a released Fedora (and more strictly discouraged for EPEL).

Comment 5 Jonathan Robie 2010-03-05 01:06:31 UTC
Fixed on rawhide.

Tracking on F-11, F-12 via Bug 511425.

