Your message dated Thu, 30 Mar 2017 19:12:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#859131: unblock: openpyxl/2.3.0-3
has caused the Debian Bug report #859131,
regarding unblock: openpyxl/2.3.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
859131: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859131
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi

Not the maintainer here.

Please unblock package openpyxl

Unfortunately it looks like an unblock for this update was never requested.
openpyxl/2.3.0-3 fixed CVE-2017-5992, allowing a remote attacker to
conduct XXE attacks via a crafted .xlsx document.

This is #854442 in the Debian BTS.

Attached is the generated debdiff from the version in testing.

unblock openpyxl/2.3.0-3

Regards,
Salvatore
diff -Nru openpyxl-2.3.0/debian/changelog openpyxl-2.3.0/debian/changelog
--- openpyxl-2.3.0/debian/changelog     2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/changelog     2017-02-07 15:37:53.000000000 +0100
@@ -1,3 +1,10 @@
+openpyxl (2.3.0-3) unstable; urgency=medium
+
+  * Do not resolve entities with lxml to avoid XXE vulnerability
+    - patch up_no_lxml (Closes: #854442)
+
+ -- Yaroslav Halchenko <[email protected]>  Tue, 07 Feb 2017 09:37:53 -0500
+
 openpyxl (2.3.0-2) unstable; urgency=medium
 
   * debian/control
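Review bot: The changelog entry does not name CVE-2017-5992, which the unblock request cites as the issue this upload fixes; recording the CVE id next to `(Closes: #854442)` in the `up_no_lxml` bullet makes the fix discoverable to the security tracker and to anyone auditing the testing migration.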
diff -Nru openpyxl-2.3.0/debian/patches/series openpyxl-2.3.0/debian/patches/series
--- openpyxl-2.3.0/debian/patches/series        2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/patches/series        2017-02-07 15:37:53.000000000 +0100
@@ -1,2 +1,3 @@
+up_no_lxml
 deb_no_et_xml_file
 up_python3_print
diff -Nru openpyxl-2.3.0/debian/patches/up_no_lxml openpyxl-2.3.0/debian/patches/up_no_lxml
--- openpyxl-2.3.0/debian/patches/up_no_lxml    1970-01-01 01:00:00.000000000 +0100
+++ openpyxl-2.3.0/debian/patches/up_no_lxml    2017-02-07 15:37:53.000000000 +0100
@@ -0,0 +1,84 @@
+From: Yaroslav Halchenko <[email protected]>
+Subject: do not resolve entities 
+
+Adopted from upstream's commit on top of more recent release
+
+Origin: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
+Bug-Debian: http://bugs.debian.org/854442
+Applied-Upstream:  2017-01-17
+Last-Update: 2017-02-07
+
+--- a/openpyxl/conftest.py
++++ b/openpyxl/conftest.py
+@@ -47,4 +47,8 @@ def pytest_runtest_setup(item):
+             from lxml.etree import LIBXML_VERSION
+             if LIBXML_VERSION < (3, 4, 0, 0):
+                 pytest.skip("LXML >= 3.4 is required")
++        elif item.get_marker("no_lxml"):
++            from openpyxl import LXML
++            if LXML:
++                pytest.skip("LXML has a different interface")
+ 
+--- a/openpyxl/xml/functions.py
++++ b/openpyxl/xml/functions.py
+@@ -21,11 +21,14 @@ if LXML is True:
+     fromstring,
+     tostring,
+     register_namespace,
+-    iterparse,
+     QName,
+-    xmlfile
++    xmlfile,
++    XMLParser,
+     )
+     from xml.etree.cElementTree import iterparse
++    # do not resolve entities
++    safe_parser = XMLParser(resolve_entities=False)
++    fromstring = partial(fromstring, parser=safe_parser)
+ else:
+     try:
+         from xml.etree.cElementTree import (
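Review bot: `partial` is used in `fromstring = partial(fromstring, parser=safe_parser)` but this hunk adds no import of `functools.partial`; confirm functions.py already imports it, otherwise the lxml branch fails with NameError at import time. Note also that only `fromstring` is bound to `safe_parser`: `xmlfile` is re-exported unchanged, and any other lxml parse entry point in this module (for example a `parse` of a file object) still uses lxml's default parser, which resolves entities by default. Auditing those call sites so that every parser constructed in the lxml branch carries `resolve_entities=False` would close the same hole for non-string inputs.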
+--- a/openpyxl/xml/tests/test_functions.py
++++ b/openpyxl/xml/tests/test_functions.py
+@@ -2,6 +2,7 @@ import pytest
+ 
+ from openpyxl.xml.functions import ConditionalElement
+ 
++import xml
+ 
+ @pytest.fixture
+ def root():
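Review bot: `import xml` on its own does not make `xml.etree.ElementTree` available as an attribute; the later `xml.etree.ElementTree.ParseError` reference only resolves because another module has already imported that submodule. Import it explicitly (`import xml.etree.ElementTree`) so the test does not depend on import order. The new module-level name `xml` also collides with the `xml` fixture parameter of `test_localtag(xml, tag)`, which shadows the module inside that test; importing under an alias such as `import xml.etree.ElementTree as ET` avoids the confusion.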
+@@ -50,3 +51,26 @@ def test_localtag(xml, tag):
+     from .. functions import fromstring
+     node = fromstring(xml)
+     assert localname(node) == tag
++
++
[email protected]_required
++def test_dont_resolve():
++    from ..functions import fromstring
++    s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++            <!DOCTYPE foo [
++            <!ELEMENT foo ANY >
++            <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++            <foo>&xxe;</foo>"""
++    node = fromstring(s)
++
++
[email protected]_lxml
++def test_dont_resolve():
++    from ..functions import fromstring
++    s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++            <!DOCTYPE foo [
++            <!ELEMENT foo ANY >
++            <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++            <foo>&xxe;</foo>"""
++    with pytest.raises(xml.etree.ElementTree.ParseError):
++        node = fromstring(s)
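Review bot: Both new tests are named `test_dont_resolve`, so the second definition replaces the first in the module namespace and pytest only ever collects the `no_lxml` variant; the `lxml_required` case, which is the one exercising the actual fix in the lxml branch, is never run. Give them distinct names, e.g. `test_dont_resolve_lxml` and `test_dont_resolve_etree`. The lxml test should also assert on the parsed result rather than only that parsing succeeded, for example `assert node.text is None` (with `resolve_entities=False` lxml leaves the reference unexpanded); as written, a regression that resolves the entity would still pass.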
+--- a/pytest.ini
++++ b/pytest.ini
+@@ -9,3 +9,4 @@ markers =
+     not_py33: Do not run test on Python 3.
+     lxml_required: lxml required to run test
+     lxml_buffering: lxml >= 3.4.0 required
++    no_lxml: do not use lxml

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Hi
> 
> Not the maintainer here.
> 
> Please unblock package openpyxl
> 
> Unfortunately it looks like an unblock for this update was never requested.
> openpyxl/2.3.0-3 fixed CVE-2017-5992, allowing a remote attacker to
> conduct XXE attacks via a crafted .xlsx document.
> 
> This is #854442 in the Debian BTS.
> 
> Attached is the generated debdiff from the version in testing.
> 
> unblock openpyxl/2.3.0-3
> 
> Regards,
> Salvatore
> 

Unblocked, thanks for making us aware of it. :)

~Niels

--- End Message ---