Bug 78473 - Separate Openjade and OpenSP packages
Summary: Separate Openjade and OpenSP packages
Status: CLOSED DUPLICATE of bug 60409
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openjade
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Brock Organ
Depends On:
Reported: 2002-11-24 01:13 UTC by Need Real Name
Modified: 2007-04-18 16:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-12-07 14:58:24 UTC

Description Need Real Name 2002-11-24 01:13:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
The openjade and opensp packages are currently packaged together, which makes it
difficult to upgrade one and not the other.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. rpm -ql openjade

Actual Results:  list of files includes both openjade and opensp

Additional info:

GnuCash is currently working on a new version which will be the first free
software program to support OFX. This is done by the use of an external generic
library called libofx. This library requires the use of a newer version of
OpenSP than is currently included with Openjade. Currently in order to upgrade
OpenSP users have to build and install from source rather than making a separate
rpm to upgrade. Please consider changing this to facilitate upgrading OpenSP.

Comment 1 Terje Bless 2002-11-27 07:49:13 UTC
Notably, OpenSP 1.5 contains a security fix that is essential for being able to
safely use onsgmls with untrusted inputs in a CGI, or similar, environment.

That is, of course, in addition to the other advantages to being able to upgrade
OpenSP to 1.5 (such as its much improved XML and SGML support) and the fact
that OpenJade and OpenSP are also being split upstream (OpenJade 1.3.2 is
capable of being linked with an external libosp).

Comment 2 Tim Waugh 2002-11-27 09:53:58 UTC
What security fix?

Following the thread on the openjade mailing list, it looks to me like packaging
up opensp 1.5 is NOT something we want to be dealing with right now.

Comment 3 Terje Bless 2002-11-27 10:10:15 UTC
Versions of OpenSP prior to 1.5 suffer from a potential file disclosure
vulnerability when fed untrusted input. Since SGML allows references to external
entities that are automatically expanded, you could construct an input file such
that you could gain access to all files accessible to the user OpenSP is running as.

OpenSP 1.5 introduced the "-R" switch to restrict file reading to safe
directories (typically "/usr/share/sgml/" or similar).

Note that this is _only_ an issue if OpenSP is used in an environment such as
CGI where it accepts untrusted input _and_ delivers the resulting ESIS and/or
error output to a different user than the one OpenSP is running under. A typical
application that behaves in this fashion is a CGI gateway to onsgmls such as the
WDG or W3C HTML Validators.
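
The following is an added example, not part of the original comment and not OpenSP code: a pre-parse audit that lists the external identifiers declared in untrusted SGML input and checks whether each resolves inside a safe directory, approximating the kind of restriction Comment 3 describes. The names `SAFE_DIRS`, `resolve`, `audit_external_ids`, the base directory `/tmp/upload` and the sample document are assumptions made for illustration.

```python
import os
import re

# Assumption: the "safe directory" mentioned in the comment; adjust per system.
SAFE_DIRS = ("/usr/share/sgml",)

# External identifiers in DOCTYPE/ENTITY declarations:
#   SYSTEM "sysid"   or   PUBLIC "pubid" "sysid"
DECL = re.compile(
    r"""<!(?P<kind>ENTITY|DOCTYPE)\s+(?:%\s+)?(?P<name>[^\s>]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))
        (?:\s+(?P<sysid>"[^"]*"|'[^']*'))?""",
    re.IGNORECASE | re.VERBOSE,
)
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def resolve(sysid, base_dir):
    """Map a system identifier to a normalized local path, or None if not a file."""
    if sysid.lower().startswith("file://"):
        sysid = sysid[len("file://"):]
    elif SCHEME.match(sysid):
        return None  # e.g. http: is not a local file; treated as disallowed
    # normpath collapses ".." lexically; use os.path.realpath in production
    # so that symlinks inside the safe directory cannot escape it.
    return os.path.normpath(os.path.join(base_dir, sysid))


def audit_external_ids(doc, base_dir, safe_dirs=SAFE_DIRS):
    """Return (kind, name, resolved_path, allowed) for each external identifier."""
    findings = []
    for m in DECL.finditer(doc):
        if m.group("sysid") is None:
            continue  # PUBLIC-only or bare SYSTEM: catalog lookup, not covered here
        path = resolve(m.group("sysid")[1:-1], base_dir)
        allowed = path is not None and any(
            path == d or path.startswith(d + os.sep) for d in safe_dirs
        )
        findings.append((m.group("kind").upper(), m.group("name"), path, allowed))
    return findings


# Constructed sample input, not taken from the bug report.
SAMPLE = '''<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "/usr/share/sgml/html/4.01/strict.dtd" [
<!ENTITY banner "internal text, not a file reference">
<!ENTITY local SYSTEM "/usr/share/sgml/../../../etc/hostname">
<!ENTITY % extra SYSTEM "file:///home/www/private/notes.txt">
<!ENTITY rel SYSTEM "../conf/site.ent">
]>
<html>&local;</html>'''

if __name__ == "__main__":
    for row in audit_external_ids(SAMPLE, "/tmp/upload"):
        print(row)
```

A gateway would reject or log any input for which a row has `allowed` set to `False`; this lexical check complements, and does not replace, running the parser itself with file access restricted.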

Comment 4 Tim Waugh 2002-12-12 13:57:51 UTC
Okay, this is just a missing security feature rather than a security bug.

We'll look at openjade 1.3.2 next time round.

Comment 5 Need Real Name 2003-01-06 07:03:07 UTC
So I note that Phoebe is released just before Xmas, OpenSP 1.5 is released
beginning of November, openjade 1.3.2 released in October. I'm not sure what the
problem is with OpenSP 1.5 packaging, all I could see in the mailing list after
the release was a problem with VPATH builds which was suggested to be fixed by a
small patch submitted. Can you give me some more information about what you see
the problem with splitting these packages off from each other is here Tim?
Note that the request I made was not even that Red Hat upgrade their package, but
rather that they split the rpm so that there are separated openjade and opensp
packages to facilitate upgrades. Please consider this for the release of 8.1, it
will make support of libofx a lot easier for the GnuCash team if we can tell
users they just need to upgrade OpenSP that comes with Red Hat rather than do a
build of a tarball to get the required library.

Comment 6 Tim Waugh 2003-01-06 14:42:21 UTC
This is too late for the upcoming release, which is why it is deferred.  We'll
get to it next time hopefully.

Comment 7 Tim Waugh 2003-03-26 15:44:22 UTC
The current rawhide openjade package contains the latest OpenSP.

Comment 8 Terje Bless 2003-03-27 08:25:38 UTC
The Summary refers to splitting OpenJade and OpenSP to make it possible to
upgrade the two independently of each other.

While OpenJade needs OpenSP to function -- which I guess is the main reason for
including OpenSP at all -- OpenSP has no such dependency on OpenJade. i.e.
OpenSP in itself is interesting for some applications -- e.g. the W3C Markup
Validator and, apparently, GnuCash -- and it would be a net win for these if
OpenSP was independently upgradeable.

Perhaps it would be possible to leave this bug open, or possibly DEFERRED, so it
can be reviewed at some later date?

Comment 9 Tim Waugh 2003-03-27 09:30:02 UTC

Comment 10 Mark J. Cox 2003-04-23 10:47:13 UTC
(removing security priority)

Comment 11 Ville Skyttä 2003-07-26 15:59:00 UTC
If it's too late to get a split version into the next RHL version, could you at
least consider making the openjade package "Provides: opensp = 1.5"?  That would
help cross-distribution packaging of applications that need OpenSP, e.g. the W3C
Markup Validator at <http://validator.w3.org/>.

Comment 12 Terje Bless 2004-08-31 03:01:53 UTC
This appears to be a duplicate of Bug #60409.

Comment 13 Tim Waugh 2004-12-07 14:58:24 UTC

*** This bug has been marked as a duplicate of 60409 ***
