
Bug#859131: marked as done (unblock: openpyxl/2.3.0-3)



Your message dated Thu, 30 Mar 2017 19:12:00 +0000
with message-id <2a28e070-2d6b-d2d9-26c6-1dd14cc886f1@thykier.net>
and subject line Re: Bug#859131: unblock: openpyxl/2.3.0-3
has caused the Debian Bug report #859131,
regarding unblock: openpyxl/2.3.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859131: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859131
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Not the maintainer here.

Please unblock package openpyxl

Unfortunately it looks like an unblock for this update was never requested.
openpyxl/2.3.0-3 fixed CVE-2017-5992, allowing a remote attacker to
conduct XXE attacks via a crafted .xlsx document.

This is #854442 in the Debian BTS.

Attached the generated debdiff from the version in testing.

unblock openpyxl/2.3.0-3

Regards,
Salvatore
diff -Nru openpyxl-2.3.0/debian/changelog openpyxl-2.3.0/debian/changelog
--- openpyxl-2.3.0/debian/changelog	2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/changelog	2017-02-07 15:37:53.000000000 +0100
@@ -1,3 +1,10 @@
+openpyxl (2.3.0-3) unstable; urgency=medium
+
+  * Do not resolve entities with lxml to avoid XXE vulnerability
+    - patch up_no_lxml (Closes: #854442)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 07 Feb 2017 09:37:53 -0500
+
 openpyxl (2.3.0-2) unstable; urgency=medium
 
   * debian/control
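Review bot: the changelog entry for 2.3.0-3 does not name CVE-2017-5992, which the unblock request identifies as the issue this upload fixes; mentioning the CVE id next to `(Closes: #854442)` in the "Do not resolve entities with lxml to avoid XXE vulnerability" line lets the security tracker and anyone reading the changelog correlate the upload with the advisory.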
diff -Nru openpyxl-2.3.0/debian/patches/series openpyxl-2.3.0/debian/patches/series
--- openpyxl-2.3.0/debian/patches/series	2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/patches/series	2017-02-07 15:37:53.000000000 +0100
@@ -1,2 +1,3 @@
+up_no_lxml
 deb_no_et_xml_file
 up_python3_print
diff -Nru openpyxl-2.3.0/debian/patches/up_no_lxml openpyxl-2.3.0/debian/patches/up_no_lxml
--- openpyxl-2.3.0/debian/patches/up_no_lxml	1970-01-01 01:00:00.000000000 +0100
+++ openpyxl-2.3.0/debian/patches/up_no_lxml	2017-02-07 15:37:53.000000000 +0100
@@ -0,0 +1,84 @@
+From: Yaroslav Halchenko <debian@onerussian.com>
+Subject: do not resolve entities 
+
+Adopted from upstream's commit on top of more recent release
+
+Origin: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
+Bug-Debian: http://bugs.debian.org/854442
+Applied-Upstream:  2017-01-17
+Last-Update: 2017-02-07
+
+--- a/openpyxl/conftest.py
++++ b/openpyxl/conftest.py
+@@ -47,4 +47,8 @@ def pytest_runtest_setup(item):
+             from lxml.etree import LIBXML_VERSION
+             if LIBXML_VERSION < (3, 4, 0, 0):
+                 pytest.skip("LXML >= 3.4 is required")
++        elif item.get_marker("no_lxml"):
++            from openpyxl import LXML
++            if LXML:
++                pytest.skip("LXML has a different interface")
+ 
+--- a/openpyxl/xml/functions.py
++++ b/openpyxl/xml/functions.py
+@@ -21,11 +21,14 @@ if LXML is True:
+     fromstring,
+     tostring,
+     register_namespace,
+-    iterparse,
+     QName,
+-    xmlfile
++    xmlfile,
++    XMLParser,
+     )
+     from xml.etree.cElementTree import iterparse
++    # do not resolve entities
++    safe_parser = XMLParser(resolve_entities=False)
++    fromstring = partial(fromstring, parser=safe_parser)
+ else:
+     try:
+         from xml.etree.cElementTree import (
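Review bot: the functions.py hunk calls `partial(fromstring, parser=safe_parser)` in the lxml branch, but no import of `partial` (from functools) appears in the visible lines; confirm it is already imported at the top of openpyxl/xml/functions.py, otherwise the lxml branch raises NameError at import time and the package becomes unusable whenever lxml is installed. Moving `iterparse` to `xml.etree.cElementTree` is consistent with the no_lxml test below, since the stdlib parser refuses undefined external entities, but it is worth a one-line comment next to `from xml.etree.cElementTree import iterparse` saying that this is deliberate so a later cleanup does not move it back to lxml without a safe parser.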
+--- a/openpyxl/xml/tests/test_functions.py
++++ b/openpyxl/xml/tests/test_functions.py
+@@ -2,6 +2,7 @@ import pytest
+ 
+ from openpyxl.xml.functions import ConditionalElement
+ 
++import xml
+ 
+ @pytest.fixture
+ def root():
+@@ -50,3 +51,26 @@ def test_localtag(xml, tag):
+     from .. functions import fromstring
+     node = fromstring(xml)
+     assert localname(node) == tag
++
++
++@pytest.mark.lxml_required
++def test_dont_resolve():
++    from ..functions import fromstring
++    s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++            <!DOCTYPE foo [
++            <!ELEMENT foo ANY >
++            <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++            <foo>&xxe;</foo>"""
++    node = fromstring(s)
++
++
++@pytest.mark.no_lxml
++def test_dont_resolve():
++    from ..functions import fromstring
++    s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++            <!DOCTYPE foo [
++            <!ELEMENT foo ANY >
++            <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++            <foo>&xxe;</foo>"""
++    with pytest.raises(xml.etree.ElementTree.ParseError):
++        node = fromstring(s)
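Review bot: both new tests are named `test_dont_resolve`, so the second definition (marked `no_lxml`) rebinds the name at module level and the first one (marked `lxml_required`) is never collected, which means the lxml code path that the patch actually hardens is not exercised; give them distinct names such as `test_dont_resolve_lxml` and `test_dont_resolve_etree`. The lxml variant also has no assertion: it passes as long as `fromstring(s)` does not raise, so it would still pass if the entity were expanded; assert on the parsed result (for example that the `foo` element's text is not file contents) so the test fails on a regression. Lastly, `import xml` on its own does not guarantee that `xml.etree.ElementTree` is reachable as an attribute; the explicit `import xml.etree.ElementTree` is the robust form for the `pytest.raises` expression.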
+--- a/pytest.ini
++++ b/pytest.ini
+@@ -9,3 +9,4 @@ markers =
+     not_py33: Do not run test on Python 3.
+     lxml_required: lxml required to run test
+     lxml_buffering: lxml >= 3.4.0 required
++    no_lxml: do not use lxml

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Not the maintainer here.
> 
> Please unblock package openpyxl
> 
> Unfortunately it looks like an unblock for this update was never requested.
> openpyxl/2.3.0-3 fixed CVE-2017-5992, allowing a remote attacker to
> conduct XXE attacks via a crafted .xlsx document.
> 
> This is #854442 in the Debian BTS.
> 
> Attached the generated debdiff from the version in testing.
> 
> unblock openpyxl/2.3.0-3
> 
> Regards,
> Salvatore
> 

Unblocked, thanks for making us aware of it. :)

~Niels

--- End Message ---
