Your message dated Thu, 20 Apr 2023 10:17:25 +0200
with message-id <[email protected]>
and subject line Re: Bug#1034206: unblock: owslib/0.27.2-3
has caused the Debian Bug report #1034206,
regarding unblock: owslib/0.27.2-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1034206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034206
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:owslib

Please unblock package owslib

It is affected by CVE-2023-27476 reported in #1034182.

[ Reason ]
Fixes security issue and missing recommended dependencies.

[ Impact ]
Unfixed security issue.

[ Tests ]
Upstream test suite.

[ Risks ]
Low, the changes are pretty straightforward.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Testing autoremoval of rdeps would remove qgis which is one of, if not the, 
most important GIS packages for users.

The package has not been uploaded to unstable yet.

unblock owslib/0.27.2-3
diff -Nru owslib-0.27.2/debian/changelog owslib-0.27.2/debian/changelog
--- owslib-0.27.2/debian/changelog      2022-11-07 19:38:12.000000000 +0100
+++ owslib-0.27.2/debian/changelog      2023-04-11 06:30:11.000000000 +0200
@@ -1,3 +1,16 @@
+owslib (0.27.2-3) unstable; urgency=medium
+
+  * Team upload.
+  * Add Rules-Requires-Root to control file.
+  * Add py3dist overrides for dataclasses.
+  * Fix 'Recommends' typo.
+  * Bump Standards-Version to 4.6.2, no changes.
+  * Add upstream patch to fix CVE-2023-27476.
+    (closes: #1034182)
+  * Add python3-lxml to build dependencies.
+
+ -- Bas Couwenberg <[email protected]>  Tue, 11 Apr 2023 06:30:11 +0200
+
 owslib (0.27.2-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru owslib-0.27.2/debian/control owslib-0.27.2/debian/control
--- owslib-0.27.2/debian/control        2022-10-19 11:58:01.000000000 +0200
+++ owslib-0.27.2/debian/control        2023-04-11 06:29:20.000000000 +0200
@@ -8,22 +8,23 @@
                dh-python,
                python3-all,
                python3-dateutil,
+               python3-lxml,
                python3-pytest,
                python3-requests,
                python3-setuptools,
                python3-tz,
                python3-yaml
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/debian-gis-team/owslib
 Vcs-Git: https://salsa.debian.org/debian-gis-team/owslib.git
 Homepage: https://geopython.github.com/OWSLib/
+Rules-Requires-Root: no
 
 Package: python3-owslib
 Architecture: all
-Depends: python3-lxml,
-         ${python3:Depends},
+Depends: ${python3:Depends},
          ${misc:Depends}
-Recommeds: python3-pyproj
+Recommends: python3-pyproj
 Description: Client library for Open Geospatial (OGC) web services (Python 3)
  OWSLib is a Python package for client programming with Open Geospatial
  Consortium (OGC) web service (hence OWS) interface standards, and their
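Review bot: In the python3-owslib stanza, `python3-lxml` is dropped from `Depends` in the same upload that makes lxml the only XML backend (owslib/etree.py now does `from lxml import etree` unconditionally), and this removal is not listed in the 0.27.2-3 changelog entry. Either keep the explicit dependency or state in d/changelog that it is now expected to come from `${python3:Depends}`, and check the Depends field of the built binary package to confirm python3-lxml is still present.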
diff -Nru owslib-0.27.2/debian/patches/series 
owslib-0.27.2/debian/patches/series
--- owslib-0.27.2/debian/patches/series 2022-10-19 11:58:01.000000000 +0200
+++ owslib-0.27.2/debian/patches/series 2023-04-11 06:25:37.000000000 +0200
@@ -1 +1,2 @@
 yaml-safe_load.patch
+use-only-lxml-for-XML-handling.patch
diff -Nru owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch 
owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch
--- owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch   
1970-01-01 01:00:00.000000000 +0100
+++ owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch   
2023-04-11 06:28:15.000000000 +0200
@@ -0,0 +1,318 @@
+Description: use only lxml for XML handling
+ Fixes CVE-2023-27476
+Author: Tom Kralidis <[email protected]>
+Origin: 
https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
+Bug: https://github.com/geopython/OWSLib/pull/863
+Bug-Debian: https://bugs.debian.org/1034182
+
+--- a/.github/workflows/main.yml
++++ b/.github/workflows/main.yml
+@@ -8,9 +8,7 @@ jobs:
+     strategy:
+       matrix:
+         python-version: [3.6, 3.7, 3.8, 3.9]
+-        lxml: [true, false]
+     env:
+-        LXML: ${{ matrix.lxml }}
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         COVERALLS_SERVICE_NAME: github
+     steps:
+@@ -28,8 +26,6 @@ jobs:
+         pip3 install -e .
+         pip3 install -r requirements.txt
+         pip3 install -r requirements-dev.txt
+-        echo "LXML => $LXML"
+-        if [ "$LXML" == "true" ]; then pip install lxml; fi
+     - name: run tests ⚙️
+       run: python3 -m pytest
+     - name: run coveralls ⚙️
+--- a/docs/en/installation.rst
++++ b/docs/en/installation.rst
+@@ -4,7 +4,7 @@ Installation
+ Requirements
+ ------------
+ 
+-OWSLib requires a Python interpreter, as well as `ElementTree 
<https://docs.python.org/2/library/xml.etree.elementtree.html>`_ or `lxml 
<http://lxml.de>`_ for XML parsing.
++OWSLib requires a Python interpreter, as well as `lxml <https://lxml.de>`_ 
for XML parsing.
+ 
+ Install
+ -------
+--- a/etc/debian/control
++++ b/etc/debian/control
+@@ -9,5 +9,5 @@ Homepage: http://geopython.github.com/OW
+ 
+ Package: python-owslib
+ Architecture: all
+-Depends: ${misc:Depends}, debconf, python (>=2.7), python-lxml
++Depends: ${misc:Depends}, debconf, python (>=3), python-lxml
+ Description: OWSLib is a Python package for client programming with Open 
Geospatial Consortium (OGC) web service (hence OWS) interface standards, and 
their related content models.
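Review bot: The new `Depends` line requires `python (>=3)` but still names the Python 2 style packages `python` and `python-lxml`, and the stanza is still `Package: python-owslib`. If this file is meant to describe a Python 3 build, suggest `python3` and `python3-lxml`; otherwise leave it out of the security patch so the backport stays minimal.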
+--- a/owslib/catalogue/csw2.py
++++ b/owslib/catalogue/csw2.py
+@@ -226,11 +226,6 @@ class CatalogueServiceWeb(object):
+         else:
+             # construct request
+             node0 = self._setrootelement('csw:GetRecords')
+-            if etree.__name__ != 'lxml.etree':  # apply nsmap manually
+-                node0.set('xmlns:ows', namespaces['ows'])
+-                node0.set('xmlns:gmd', namespaces['gmd'])
+-                node0.set('xmlns:dif', namespaces['dif'])
+-                node0.set('xmlns:fgdc', namespaces['fgdc'])
+             node0.set('outputSchema', outputschema)
+             node0.set('outputFormat', format)
+             node0.set('version', self.version)
+@@ -354,11 +349,6 @@ class CatalogueServiceWeb(object):
+         else:
+             # construct request
+             node0 = self._setrootelement('csw:GetRecords')
+-            if etree.__name__ != 'lxml.etree':  # apply nsmap manually
+-                node0.set('xmlns:ows', namespaces['ows'])
+-                node0.set('xmlns:gmd', namespaces['gmd'])
+-                node0.set('xmlns:dif', namespaces['dif'])
+-                node0.set('xmlns:fgdc', namespaces['fgdc'])
+             node0.set('outputSchema', outputschema)
+             node0.set('outputFormat', format)
+             node0.set('version', self.version)
+@@ -622,10 +612,7 @@ class CatalogueServiceWeb(object):
+             return el
+ 
+     def _setrootelement(self, el):
+-        if etree.__name__ == 'lxml.etree':  # apply nsmap
+-            return etree.Element(util.nspath_eval(el, namespaces), 
nsmap=namespaces)
+-        else:
+-            return etree.Element(util.nspath_eval(el, namespaces))
++        return etree.Element(util.nspath_eval(el, namespaces), 
nsmap=namespaces)
+ 
+     def _setconstraint(self, parent, qtype=None, propertyname='csw:AnyText', 
keywords=[], bbox=None, cql=None,
+                        identifier=None):
+--- a/owslib/catalogue/csw3.py
++++ b/owslib/catalogue/csw3.py
+@@ -242,11 +242,6 @@ class CatalogueServiceWeb(object):
+         else:
+             # construct request
+             node0 = self._setrootelement('csw30:GetRecords')
+-            if etree.__name__ != 'lxml.etree':  # apply nsmap manually
+-                node0.set('xmlns:ows110', namespaces['ows110'])
+-                node0.set('xmlns:gmd', namespaces['gmd'])
+-                node0.set('xmlns:dif', namespaces['dif'])
+-                node0.set('xmlns:fgdc', namespaces['fgdc'])
+             node0.set('outputSchema', outputschema)
+             node0.set('outputFormat', format)
+             node0.set('version', self.version)
+@@ -516,10 +511,7 @@ class CatalogueServiceWeb(object):
+             return el
+ 
+     def _setrootelement(self, el):
+-        if etree.__name__ == 'lxml.etree':  # apply nsmap
+-            return etree.Element(util.nspath_eval(el, namespaces), 
nsmap=namespaces)
+-        else:
+-            return etree.Element(util.nspath_eval(el, namespaces))
++        return etree.Element(util.nspath_eval(el, namespaces), 
nsmap=namespaces)
+ 
+     def _setconstraint(self, parent, qtype=None, 
propertyname='csw30:AnyText', keywords=[], bbox=None, cql=None,
+                        identifier=None):
+--- a/owslib/etree.py
++++ b/owslib/etree.py
+@@ -4,37 +4,33 @@
+ # Contact email: [email protected]
+ # 
=============================================================================
+ 
++
++from lxml import etree
++from lxml.etree import ParseError
++ElementType = etree._Element
++
+ from owslib.namespaces import Namespaces
+ 
+ 
+-def patch_well_known_namespaces(etree_module):
+-    """Monkey patches the etree module to add some well-known namespaces."""
++def patch_well_known_namespaces():
++    """Monkey patches lxml.etree to add some well-known namespaces."""
+ 
+     ns = Namespaces()
+ 
+     try:
+-        register_namespace = etree_module.register_namespace
++        register_namespace = etree.register_namespace
+     except AttributeError:
+-        etree_module._namespace_map
++        etree._namespace_map
+ 
+         def register_namespace(prefix, uri):
+-            etree_module._namespace_map[uri] = prefix
++            etree._namespace_map[uri] = prefix
+ 
+     for k, v in list(ns.get_namespaces().items()):
+         register_namespace(k, v)
+ 
++    etree.set_default_parser(
++        parser=etree.XMLParser(resolve_entities=False)
++    )
+ 
+-# try to find lxml or elementtree
+-try:
+-    from lxml import etree
+-    from lxml.etree import ParseError
+-    ElementType = etree._Element
+-except ImportError:
+-    import xml.etree.ElementTree as etree
+-    ElementType = etree.Element
+-    try:
+-        from xml.etree.ElementTree import ParseError
+-    except ImportError:
+-        from xml.parsers.expat import ExpatError as ParseError
+ 
+-patch_well_known_namespaces(etree)
++patch_well_known_namespaces()
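Review bot: The actual CVE fix, `etree.XMLParser(resolve_entities=False)`, is installed through `etree.set_default_parser()` as a side effect at the end of `patch_well_known_namespaces()`, whose name and docstring only mention namespaces. It protects only parse calls that supply no parser of their own, and lxml documents `set_default_parser` as setting the default for the current thread, so code that parses from another thread or passes `parser=` is not covered by this line. Suggest moving it into its own documented function and adding a regression test that parses a document containing an external entity and asserts it is not expanded; the patch touches no test files. The `except AttributeError` fallback to `etree._namespace_map` can also be dropped, since lxml.etree provides `register_namespace`.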
+--- a/owslib/feature/schema.py
++++ b/owslib/feature/schema.py
+@@ -13,7 +13,7 @@ import sys
+ from urllib.parse import urlencode, parse_qsl
+ from owslib.etree import etree
+ from owslib.namespaces import Namespaces
+-from owslib.util import which_etree, findall, Authentication, openURL
++from owslib.util import findall, Authentication, openURL
+ 
+ MYNS = Namespaces()
+ XS_NAMESPACE = MYNS.get_namespace("xs")
+--- a/owslib/util.py
++++ b/owslib/util.py
+@@ -277,11 +277,8 @@ def nspath_eval(xpath, namespaces):
+ 
+ def cleanup_namespaces(element):
+     """ Remove unused namespaces from an element """
+-    if etree.__name__ == 'lxml.etree':
+-        etree.cleanup_namespaces(element)
+-        return element
+-    else:
+-        return etree.fromstring(etree.tostring(element))
++    etree.cleanup_namespaces(element)
++    return element
+ 
+ 
+ def add_namespaces(root, ns_keys):
+@@ -292,35 +289,34 @@ def add_namespaces(root, ns_keys):
+ 
+     ns_keys = [(x, namespaces.get_namespace(x)) for x in ns_keys]
+ 
+-    if etree.__name__ != 'lxml.etree':
+-        # We can just add more namespaces when not using lxml.
+-        # We can't re-add an existing namespaces.  Get a list of current
+-        # namespaces in use
+-        existing_namespaces = set()
+-        for elem in root.iter():
+-            if elem.tag[0] == "{":
+-                uri, tag = elem.tag[1:].split("}")
+-                
existing_namespaces.add(namespaces.get_namespace_from_url(uri))
+-        for key, link in ns_keys:
+-            if link is not None and key not in existing_namespaces:
+-                root.set("xmlns:%s" % key, link)
+-        return root
+-    else:
+-        # lxml does not support setting xmlns attributes
+-        # Update the elements nsmap with new namespaces
+-        new_map = root.nsmap
+-        for key, link in ns_keys:
+-            if link is not None:
+-                new_map[key] = link
+-        # Recreate the root element with updated nsmap
+-        new_root = etree.Element(root.tag, nsmap=new_map)
+-        # Carry over attributes
+-        for a, v in list(root.items()):
+-            new_root.set(a, v)
+-        # Carry over children
+-        for child in root:
+-            new_root.append(deepcopy(child))
+-        return new_root
++    # lxml does not support setting xmlns attributes
++    # Update the elements nsmap with new namespaces
++    new_map = root.nsmap
++    for key, link in ns_keys:
++        if link is not None:
++            new_map[key] = link
++    # Recreate the root element with updated nsmap
++    new_root = etree.Element(root.tag, nsmap=new_map)
++    # Carry over attributes
++    for a, v in list(root.items()):
++        new_root.set(a, v)
++    # Carry over children
++    for child in root:
++        new_root.append(deepcopy(child))
++    return new_root
++
++    # We can just add more namespaces when not using lxml.
++    # We can't re-add an existing namespaces.  Get a list of current
++    # namespaces in use
++    existing_namespaces = set()
++    for elem in root.iter():
++        if elem.tag[0] == "{":
++            uri, tag = elem.tag[1:].split("}")
++            existing_namespaces.add(namespaces.get_namespace_from_url(uri))
++    for key, link in ns_keys:
++        if link is not None and key not in existing_namespaces:
++            root.set("xmlns:%s" % key, link)
++    return root
+ 
+ 
+ def getXMLInteger(elem, tag):
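Review bot: In `add_namespaces`, everything after the new `return new_root` is unreachable: the former non-lxml branch (from `# We can just add more namespaces when not using lxml.` down to `return root`) was de-indented and kept instead of deleted. Suggest dropping those lines so the function ends at `return new_root`; as written it reads as if both code paths run.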
+@@ -495,21 +491,14 @@ def element_to_string(element, encoding=
+     if encoding is None:
+         encoding = "ISO-8859-1"
+ 
+-    if etree.__name__ == 'lxml.etree':
+-        if xml_declaration:
+-            if encoding in ['unicode', 'utf-8']:
+-                output = '<?xml version="1.0" encoding="utf-8" 
standalone="no"?>\n{}'.format(
+-                    etree.tostring(element, encoding='unicode'))
+-            else:
+-                output = etree.tostring(element, encoding=encoding, 
xml_declaration=True)
++    if xml_declaration:
++        if encoding in ['unicode', 'utf-8']:
++            output = '<?xml version="1.0" encoding="utf-8" 
standalone="no"?>\n{}'.format(
++                etree.tostring(element, encoding='unicode'))
+         else:
+-            output = etree.tostring(element)
++            output = etree.tostring(element, encoding=encoding, 
xml_declaration=True)
+     else:
+-        if xml_declaration:
+-            output = '<?xml version="1.0" encoding="{}" 
standalone="no"?>\n{}'.format(
+-                encoding, etree.tostring(element, encoding=encoding))
+-        else:
+-            output = etree.tostring(element)
++        output = etree.tostring(element)
+ 
+     return output
+ 
+@@ -753,21 +742,6 @@ log = logging.getLogger('owslib')
+ log.addHandler(NullHandler())
+ 
+ 
+-def which_etree():
+-    """decipher which etree library is being used by OWSLib"""
+-
+-    which_etree = None
+-
+-    if 'lxml' in etree.__file__:
+-        which_etree = 'lxml.etree'
+-    elif 'xml/etree' in etree.__file__:
+-        which_etree = 'xml.etree'
+-    elif 'elementree' in etree.__file__:
+-        which_etree = 'elementtree.ElementTree'
+-
+-    return which_etree
+-
+-
+ def findall(root, xpath, attribute_name=None, attribute_value=None):
+     """Find elements recursively from given root element based on
+     xpath and possibly given attribute
+--- a/requirements.txt
++++ b/requirements.txt
+@@ -1,5 +1,6 @@
++dataclasses; python_version < '3.7'
++lxml
+ python-dateutil>=1.5
+ pytz
+-requests>=1.0
+ pyyaml
+-dataclasses; python_version < '3.7'
++requests>=1.0
diff -Nru owslib-0.27.2/debian/patches/yaml-safe_load.patch 
owslib-0.27.2/debian/patches/yaml-safe_load.patch
--- owslib-0.27.2/debian/patches/yaml-safe_load.patch   2022-10-19 
11:58:12.000000000 +0200
+++ owslib-0.27.2/debian/patches/yaml-safe_load.patch   2023-04-11 
06:22:17.000000000 +0200
@@ -2,6 +2,7 @@
 Author: Bas Couwenberg <[email protected]>
 Bug-Debian: https://bugs.debian.org/1022033
 Forwarded: https://github.com/geopython/OWSLib/pull/838
+Applied-Upstream: 
https://github.com/geopython/OWSLib/commit/13b1443f7120c9d703adf0beb443ef2bcd86d8d4
 
 --- a/owslib/ogcapi/__init__.py
 +++ b/owslib/ogcapi/__init__.py
diff -Nru owslib-0.27.2/debian/py3dist-overrides 
owslib-0.27.2/debian/py3dist-overrides
--- owslib-0.27.2/debian/py3dist-overrides      1970-01-01 01:00:00.000000000 
+0100
+++ owslib-0.27.2/debian/py3dist-overrides      2023-02-20 15:10:08.000000000 
+0100
@@ -0,0 +1,2 @@
+# only required for Python < 3.7
+dataclasses

--- End Message ---
--- Begin Message ---
Hi

On 11-04-2023 06:48, Bas Couwenberg wrote:
> unblock owslib/0.27.2-3

Unblocked.

Paul

--- End Message ---
