Bug#859131: unblock: openpyxl/2.3.0-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi
Not the maintainer here.
Please unblock package openpyxl
Unfortunately it looks like an unblock for this update was never requested.
openpyxl/2.3.0-3 fixes CVE-2017-5992, which allowed a remote attacker to
conduct XML external entity (XXE) attacks via a crafted .xlsx document.
This is #854442 in the Debian BTS.
Attached the generated debdiff from the version in testing.
unblock openpyxl/2.3.0-3
Regards,
Salvatore
diff -Nru openpyxl-2.3.0/debian/changelog openpyxl-2.3.0/debian/changelog
--- openpyxl-2.3.0/debian/changelog 2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/changelog 2017-02-07 15:37:53.000000000 +0100
@@ -1,3 +1,10 @@
+openpyxl (2.3.0-3) unstable; urgency=medium
+
+ * Do not resolve entities with lxml to avoid XXE vulnerability
+ - patch up_no_lxml (Closes: #854442)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 07 Feb 2017 09:37:53 -0500
+
openpyxl (2.3.0-2) unstable; urgency=medium
* debian/control
diff -Nru openpyxl-2.3.0/debian/patches/series openpyxl-2.3.0/debian/patches/series
--- openpyxl-2.3.0/debian/patches/series 2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/patches/series 2017-02-07 15:37:53.000000000 +0100
@@ -1,2 +1,3 @@
+up_no_lxml
deb_no_et_xml_file
up_python3_print
diff -Nru openpyxl-2.3.0/debian/patches/up_no_lxml openpyxl-2.3.0/debian/patches/up_no_lxml
--- openpyxl-2.3.0/debian/patches/up_no_lxml 1970-01-01 01:00:00.000000000 +0100
+++ openpyxl-2.3.0/debian/patches/up_no_lxml 2017-02-07 15:37:53.000000000 +0100
@@ -0,0 +1,84 @@
+From: Yaroslav Halchenko <debian@onerussian.com>
+Subject: do not resolve entities
+
+Adopted from upstream's commit on top of more recent release
+
+Origin: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
+Bug-Debian: http://bugs.debian.org/854442
+Applied-Upstream: 2017-01-17
+Last-Update: 2017-02-07
+
+--- a/openpyxl/conftest.py
++++ b/openpyxl/conftest.py
+@@ -47,4 +47,8 @@ def pytest_runtest_setup(item):
+ from lxml.etree import LIBXML_VERSION
+ if LIBXML_VERSION < (3, 4, 0, 0):
+ pytest.skip("LXML >= 3.4 is required")
++ elif item.get_marker("no_lxml"):
++ from openpyxl import LXML
++ if LXML:
++ pytest.skip("LXML has a different interface")
+
+--- a/openpyxl/xml/functions.py
++++ b/openpyxl/xml/functions.py
+@@ -21,11 +21,14 @@ if LXML is True:
+ fromstring,
+ tostring,
+ register_namespace,
+- iterparse,
+ QName,
+- xmlfile
++ xmlfile,
++ XMLParser,
+ )
+ from xml.etree.cElementTree import iterparse
++ # do not resolve entities
++ safe_parser = XMLParser(resolve_entities=False)
++ fromstring = partial(fromstring, parser=safe_parser)
+ else:
+ try:
+ from xml.etree.cElementTree import (
+--- a/openpyxl/xml/tests/test_functions.py
++++ b/openpyxl/xml/tests/test_functions.py
+@@ -2,6 +2,7 @@ import pytest
+
+ from openpyxl.xml.functions import ConditionalElement
+
++import xml
+
+ @pytest.fixture
+ def root():
+@@ -50,3 +51,26 @@ def test_localtag(xml, tag):
+ from .. functions import fromstring
+ node = fromstring(xml)
+ assert localname(node) == tag
++
++
++@pytest.mark.lxml_required
++def test_dont_resolve():
++ from ..functions import fromstring
++ s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++ <!DOCTYPE foo [
++ <!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++ <foo>&xxe;</foo>"""
++ node = fromstring(s)
++
++
++@pytest.mark.no_lxml
++def test_dont_resolve():
++ from ..functions import fromstring
++ s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++ <!DOCTYPE foo [
++ <!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++ <foo>&xxe;</foo>"""
++ with pytest.raises(xml.etree.ElementTree.ParseError):
++ node = fromstring(s)
+--- a/pytest.ini
++++ b/pytest.ini
+@@ -9,3 +9,4 @@ markers =
+ not_py33: Do not run test on Python 3.
+ lxml_required: lxml required to run test
+ lxml_buffering: lxml >= 3.4.0 required
++ no_lxml: do not use lxml
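Review bot: Both new tests in test_functions.py are named `test_dont_resolve`, so the second definition (marked `no_lxml`) replaces the first at import time and the `lxml_required` variant — the one that exercises the `resolve_entities=False` parser which is the actual CVE-2017-5992 fix — is never collected. Rename the first to `def test_dont_resolve_lxml():` and give it an assertion, because parsing without checking anything would pass even if the entity were expanded; something like `assert node.text is None` (lxml should leave an unresolved entity node rather than substitute the file contents) is worth confirming against the lxml shipped in stretch. Using `file:///dev/random` as the entity target also means a regression hangs on an unbounded read instead of failing; a finite or nonexistent path fails deterministically. In conftest.py the new `elif item.get_marker("no_lxml")` is chained to the `LIBXML_VERSION` check, and if that `if` sits inside the `lxml_buffering` branch (indentation is not preserved here) the skip only applies to tests that also carry `lxml_buffering`, so a separate top-level `if` would be safer. Separately, `partial` is used in the new `fromstring = partial(fromstring, parser=safe_parser)` line but this hunk does not show it being imported; confirm `from functools import partial` already exists in the 2.3.0 functions.py, otherwise the lxml branch raises NameError at import.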