Bug 555836

Summary: xqilla blatantly includes its own copy of xerces
Product: Fedora
Reporter: Toshio Ernie Kuratomi <a.badger>
Component: xqilla
Assignee: Jonathan Robie <jonathan.robie>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: rawhide
CC: carl.gaudreault, extras-orphan, gsim, john.snelson, lemenkov
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-08 18:11:53 EST
Bug Blocks: 504493

Description Toshio Ernie Kuratomi 2010-01-15 12:19:15 EST
Description of problem:

xqilla includes its own version of the xerces source as a second Source: line in the spec file.

The packaging Guidelines are very clear that this is not allowed:
  https://fedoraproject.org/wiki/Packaging:Guidelines#Duplication_of_system_libraries
  https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

Additionally:
The latest XQilla, xqilla-2.2.3, has this in its configure.in:

if test "$xerces_version_major" -lt "3" -a "$xerces_source_tree" = "no"; then
   AC_MSG_ERROR([For Xerces-C versions before 3.0 the source tree is required
to build XQilla. You must specify the path to the Xerces-C source tree using
--with-xerces.])
fi

So it looks like the latest xqilla and xerces-3.x can fix this problem.

Note that our xerces-c package has this as its most recent changelog entry:
* Thu Aug 06 2009 Peter Lemenkov <lemenkov@gmail.com> 2.8.0-5
- Fix CVE-2009-1885

mitre.org describes this as an application-crash DoS. It is not addressed in the version of xerces that xqilla bundles.
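A packaging check for the problem described in this report, added here as an example that is not part of the bug report or of the xqilla package: it scans a spec file for Source lines whose tarball name matches a library the distribution already ships. The SYSTEM_LIBS list, the sample spec and the example.invalid URLs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: flag spec files that carry a
# second upstream tarball for a library the distribution already ships.
# SYSTEM_LIBS and the sample spec below are constructed for this example.
SYSTEM_LIBS="xerces-c xerces-c-src"

# bundled_sources SPEC
# Prints every "SourceN:" line whose tarball basename, with its version and
# archive suffix stripped, matches an entry in SYSTEM_LIBS.
# Returns 1 if at least one such line was found, 0 otherwise.
bundled_sources() {
    spec=$1
    hits=$(grep -iE '^Source[0-9]*[[:space:]]*:' "$spec" | while IFS= read -r line; do
        url=${line#*:}                                   # drop the "SourceN:" tag
        base=$(printf '%s' "$url" | sed 's/^[[:space:]]*//; s#.*/##')
        # xerces-c-src_2_8_0.tar.gz -> xerces-c-src ; XQilla-2.2.3.tar.gz -> XQilla
        name=$(printf '%s' "$base" | sed -E 's/[-_][0-9].*$//')
        for lib in $SYSTEM_LIBS; do
            case $name in
                "$lib") printf '%s\n' "$line" ;;
            esac
        done
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# write_sample_spec PATH: constructed spec fragment in the shape this bug
# describes (a second Source: line pulling in the xerces-c source tree).
write_sample_spec() {
    cat > "$1" <<'EOF'
Name:    xqilla
Version: 2.2.3
Source0: http://example.invalid/XQilla-2.2.3.tar.gz
Source1: http://example.invalid/xerces-c-src_2_8_0.tar.gz
EOF
}

tmp=$(mktemp)
write_sample_spec "$tmp"
bundled_sources "$tmp" || echo "bundled library source found; see Packaging:No_Bundled_Libraries"
rm -f "$tmp"
```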
Comment 1 Carl G. 2010-01-15 16:32:45 EST
Thank you for taking the time to file this bug report. Since it's against the packaging guidelines, devel-list has been notified.

http://lists.fedoraproject.org/pipermail/devel/2010-January/129283.html

---

Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 2 Jonathan Robie 2010-01-19 08:52:35 EST
XQilla can use any version of Xerces >= 2.8, but versions earlier than Xerces 3.0 require additional header files not provided by Xerces (these are shipped with Xerces as of 3.0).

I propose to fix this by adding the needed headers if the Xerces version is < 3.0, or using the installed Xerces otherwise. In either case, XQilla will not use a private copy of Xerces.
Comment 3 Toshio Ernie Kuratomi 2010-01-21 11:46:46 EST
From John Snelson in Bug#511425

In order to build XQilla 2.2.3 against Xerces-C 2.8 (or any version before 3.0), XQilla requires the following (formerly) private headers:

xercesc/dom/impl/DOMAttrImpl.hpp
xercesc/dom/impl/DOMCasts.hpp
xercesc/dom/impl/DOMDocumentImpl.hpp
xercesc/dom/impl/DOMDocumentTypeImpl.hpp
xercesc/dom/impl/DOMElementNSImpl.hpp
xercesc/dom/impl/DOMNodeImpl.hpp
xercesc/dom/impl/DOMRangeImpl.hpp
xercesc/dom/impl/DOMTypeInfoImpl.hpp
xercesc/dom/impl/DOMWriterImpl.hpp

Packaging XQilla along with these headers from Xerces-C should allow a stand-alone build without the Xerces-C source code (i.e. from a normal install of Xerces-C).
Comment 4 Toshio Ernie Kuratomi 2010-01-21 12:51:15 EST
I've been talking with jrobie. We have two options open to us:

1) update xerces-c to 3.x, after which xqilla will build without a bundled version of the library. This is what we want to do for rawhide. It may mean that packages already in Fedora need to port, or that we need a compat package:
http://xerces.apache.org/xerces-c/migrate-archive-3.html

2) pull just the private header files from John Snelson's list into xqilla and build with those.  This might be better for EL-5 and F-11/F-12 since moving to xerces-c-3 would be discouraged for a released Fedora (and more strictly discouraged for EPEL).
Comment 5 Jonathan Robie 2010-03-04 20:06:31 EST
Fixed on rawhide.

Tracking on F-11, F-12 via Bug 511425.