Red Hat Bugzilla – Bug 555836
xqilla blatantly includes its own copy of xerces
Last modified: 2013-08-05 20:53:44 EDT
Description of problem:
xqilla includes its own version of the xerces source as a second Source: line in the spec file.
The packaging Guidelines are very clear that this is not allowed:
The latest XQilla, xqilla-2.2.3 has this in the configure.in:
if test "$xerces_version_major" -lt "3" -a "$xerces_source_tree" = "no"; then
AC_MSG_ERROR([For Xerces-C versions before 3.0 the source tree is required
to build XQilla. You must specify the path to the Xerces-C source tree using
So it looks like the latest xqilla and xerces-3.x can fix this problem.
Note that the latest entry in our xerces-c package says:
Our Xerces package has this as its most recent changelog:
* Thu Aug 06 2009 Peter Lemenkov <email@example.com> 2.8.0-5
- Fix CVE-2009-1885
Which mitre.org says is an application crash DoS. This is not addressed in the version of xerces that xqilla bundles.
Thank you for taking the time to file this bug report. Since it's against the packaging guideline, devel-list has been notified.
Fedora Bugzappers volunteer triage team
XQilla can use any version of Xerces >= 2.8, but versions earlier than Xerces 3.0 require additional header files not provided by Xerces (these are shipped with Xerces as of 3.0).
I propose to fix this by adding the needed headers if the Xerces version is < 3.0, or using the installed Xerces otherwise. In either case, XQilla will not use a private copy of Xerces.
From John Snelson in Bug#511425
In order to build XQilla 2.2.3 against Xerces-C 2.8 (or any version before
3.0), XQilla requires the following (formerly) private headers:
Packaging XQilla along with these headers from Xerces-C should allow a stand-alone
build without the Xerces-C source code (i.e.: from a normal install of
I've been talking with jrobie. We have two options open to us:
1) update xerces-c to 3.x and then xqilla will build without a bundled version of the library. This is what we want to do for rawhide. It may mean that packages already in Fedora either need to port or we may need a compat package:
2) pull just the private header files from John Snelson's list into xqilla and build with those. This might be better for EL-5 and F-11/F-12 since moving to xerces-c-3 would be discouraged for a released Fedora (and more strictly discouraged for EPEL).
Fixed on rawhide.
Tracking on F-11, F-12 via Bug 511425.