From mboxrd@z Thu Jan 1 00:00:00 1970
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
From: Vitezslav Crhonek
To: git-commits@fedoraproject.org
Subject: [rpms/xmlstarlet] rawhide: Fix XXE (XML External Entity) vulnerability
Date: Mon, 01 Jun 2026 12:55:01 GMT
Message-ID: <178031850153.1.6112976747040434828.rpms-xmlstarlet-28345a471730@fedoraproject.org>
List-ID:
X-Git-Repo: rpms/xmlstarlet
X-Git-Branch: rawhide
X-Git-Rev: 28345a47173054f5de79b15b6cc5ec23a9bf30b9