Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package perl-Net-Dropbox-API for openSUSE:Factory checked in at 2025-05-31 19:15:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-Net-Dropbox-API (Old) and /work/SRC/openSUSE:Factory/.perl-Net-Dropbox-API.new.16005 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Net-Dropbox-API" Sat May 31 19:15:39 2025 rev:4 rq:1281384 version:1.900.0 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-Net-Dropbox-API/perl-Net-Dropbox-API.changes 2025-02-09 20:47:26.827979723 +0100 +++ /work/SRC/openSUSE:Factory/.perl-Net-Dropbox-API.new.16005/perl-Net-Dropbox-API.changes 2025-05-31 19:16:32.685959542 +0200 @@ -1,0 +2,7 @@ +Wed May 28 14:58:49 UTC 2025 - Tina Müller <tina.muel...@suse.com> + +- Add urandom.patch for secure tokens + https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 bsc#1240884 + Add cpanspec.yml file used by cpanspec for autogenerating the spec. + +------------------------------------------------------------------- New: ---- cpanspec.yml urandom.patch BETA DEBUG BEGIN: New: - Add urandom.patch for secure tokens https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 bsc#1240884 BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-Net-Dropbox-API.spec ++++++ --- /var/tmp/diff_new_pack.tdoamW/_old 2025-05-31 19:16:33.529994423 +0200 +++ /var/tmp/diff_new_pack.tdoamW/_new 2025-05-31 19:16:33.529994423 +0200 @@ -26,6 +26,9 @@ Summary: Dropbox API interface URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/N/NO/NORBU/%{cpan_name}-%{cpan_version}.tar.gz +Source1: cpanspec.yml +# PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 +Patch0: urandom.patch BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros 
@@ -49,6 +52,10 @@ Provides: perl(Net::Dropbox::API) = %{version} %undefine __perllib_provides %{perl_requires} +# MANUAL BEGIN +BuildRequires: perl(Crypt::URandom) +Requires: perl(Crypt::URandom) +# MANUAL END %description A dropbox API interface ++++++ cpanspec.yml ++++++ --- #description_paragraphs: 3 #description: |- # override description from CPAN #summary: override summary from CPAN #no_testing: broken upstream #sources: # - source1 # - source2 patches: urandom.patch: -p1 PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 # bar.patch: # baz.patch: PATCH-FIX-OPENSUSE preamble: |- BuildRequires: perl(Crypt::URandom) Requires: perl(Crypt::URandom) #post_prep: |- # hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s, *,,g'` # sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL #post_build: |- # rm unused.files #post_install: |- # sed on %{name}.files #license: SUSE-NonFree #skip_noarch: 1 #custom_build: |- #./Build build flags=%{?_smp_mflags} --myflag #custom_test: |- #startserver && make test #ignore_requires: Bizarre::Module #skip_doc: regexp_to_skip_for_doc.* #add_doc: files to add to docs #misc: |- #anything else to be added to spec file #follows directly after %files section, so it can contain new blocks or also #changes to %files section ++++++ urandom.patch ++++++ commit e3a854a4305004b1b930dcde16e609ebccc9d78b Author: Tina Müller <cp...@tinita.de> Date: Wed May 28 16:21:08 2025 +0200 Use Crypt::URandom for generation of nonce See https://nvd.nist.gov/vuln/detail/CVE-2024-58036 The result is a string of hex digits with the same length as before, 16. diff --git a/Makefile.PL b/Makefile.PL index 0865ac2..301aac2 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -12,7 +12,7 @@ requires 'JSON'; requires 'Mouse'; requires 'Encode'; requires 'Net::OAuth'; -requires 'Data::Random'; +requires 'Crypt::URandom'; requires 'common::sense'; requires 'File::Basename'; requires 'LWP::UserAgent'; 
diff --git a/lib/Net/Dropbox/API.pm b/lib/Net/Dropbox/API.pm index bcdec21..3d53799 100644 --- a/lib/Net/Dropbox/API.pm +++ b/lib/Net/Dropbox/API.pm @@ -8,7 +8,7 @@ use Net::OAuth; use LWP::UserAgent; use URI; use HTTP::Request::Common; -use Data::Random qw(rand_chars); +use Crypt::URandom qw(urandom); use Encode; =head1 NAME @@ -382,7 +382,7 @@ Generate a different nonce for every request. =cut -sub nonce { join( '', rand_chars( size => 16, set => 'alphanumeric' )); } +sub nonce { unpack("H*", urandom(8)); } sub _talk { my $self = shift; diff --git a/t/nonce.t b/t/nonce.t new file mode 100644 index 0000000..7be9762 --- /dev/null +++ b/t/nonce.t @@ -0,0 +1,9 @@ +use strict; +use warnings; +use Test::More; +use Net::Dropbox::API; + +my $nonce = Net::Dropbox::API::nonce(); +like $nonce, qr{^[a-zA-Z0-9]{16}\z}, 'expected nonce content'; + +done_testing;
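Review bot: The rewritten `nonce` in lib/Net/Dropbox/API.pm carries no comment on how much randomness it provides: `urandom(8)` hex-encoded is 64 bits, and the count of 8 is chosen only to keep the previous 16-character length. I would record that beside the sub, e.g. `# 8 bytes from the OS CSPRNG, hex-encoded: 16 chars, 64 bits (length kept from the Data::Random version)`, and extend the POD sentence to say the value is 16 lowercase hex digits. If nothing on the server side depends on the 16-character length (not visible in this hunk), `urandom(16)` would give 128 bits. As far as I know `urandom` throws when the system source cannot be read, so `nonce` can now die; `_talk` begins in this hunk but its body is outside it, so whether callers cope with that cannot be checked here.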
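Review bot: The assertion in t/nonce.t still accepts the pre-fix output format, because `[a-zA-Z0-9]{16}` matches any 16 alphanumeric characters and not specifically what the new code emits. Tightening it to `like $nonce, qr{\A[0-9a-f]{16}\z}, 'nonce is 16 lowercase hex digits';` pins the `unpack("H*", ...)` encoding and uses `\A` consistently with the existing `\z`. A second check such as `isnt Net::Dropbox::API::nonce(), $nonce, 'successive nonces differ';` would also catch a constant or repeated value, which the current single-call test cannot.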