Hello community,

here is the log from the commit of package perl-XML-Twig for openSUSE:Factory 
checked in at 2020-07-21 15:39:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-XML-Twig (Old)
 and      /work/SRC/openSUSE:Factory/.perl-XML-Twig.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-XML-Twig"

Tue Jul 21 15:39:11 2020 rev:34 rq:821341 version:3.52

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-XML-Twig/perl-XML-Twig.changes      
2016-11-25 12:25:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.perl-XML-Twig.new.3592/perl-XML-Twig.changes    
2020-07-21 15:39:16.111437807 +0200
@@ -1,0 +2,14 @@
+Mon Jul 13 17:35:09 UTC 2020 - Pedro Monreal Gonzalez 
<[email protected]>
+
+- Security fix [bsc#1008644, CVE-2016-9180]
+  * Setting expand_external_ents to 0 or -1 currently doesn't work  
+    as expected; To completely turn off expanding external entities
+    use no_xxe.
+  * Update documentation for XML::Twig to mention problems with
+    expand_external_ents and add information about new no_xxe argument
+  * Add test CVE-2016-9180.t
+  * Add test build-requirements:
+    perl-Test-Exception, perl-Text-Iconv, perl-Unicode-Map8
+- Add perl-XML-Twig-CVE-2016-9180.patch
+
+-------------------------------------------------------------------

New:
----
  perl-XML-Twig-CVE-2016-9180.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-XML-Twig.spec ++++++
--- /var/tmp/diff_new_pack.kQ8fnL/_old  2020-07-21 15:39:16.819438740 +0200
+++ /var/tmp/diff_new_pack.kQ8fnL/_new  2020-07-21 15:39:16.823438746 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package perl-XML-Twig
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -21,11 +21,12 @@
 Release:        0
 %define cpan_name XML-Twig
 Summary:        Perl Module for Processing Huge Xml Documents in Tree Mode
-License:        Artistic-1.0 or GPL-1.0+
+License:        Artistic-1.0 OR GPL-1.0-or-later
 Group:          Development/Libraries/Perl
-Url:            http://search.cpan.org/dist/XML-Twig/
-Source0:        
http://www.cpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{version}.tar.gz
+URL:            https://metacpan.org/release/%{cpan_name}
+Source0:        
https://www.cpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{version}.tar.gz
 Source1:        cpanspec.yml
+Patch0:         perl-XML-Twig-CVE-2016-9180.patch
 BuildArch:      noarch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
@@ -37,9 +38,12 @@
 BuildRequires:  expat
 BuildRequires:  perl-HTML-Tidy
 BuildRequires:  perl-IO-CaptureOutput
+BuildRequires:  perl-Test-Exception
 BuildRequires:  perl-Test-Pod
+BuildRequires:  perl-Text-Iconv
 BuildRequires:  perl-Text-Wrapper
 BuildRequires:  perl-Tie-IxHash
+BuildRequires:  perl-Unicode-Map8
 BuildRequires:  perl-XML-Filter-BufferText
 BuildRequires:  perl-XML-Handler-YAWriter
 BuildRequires:  perl-XML-Parser
@@ -50,11 +54,6 @@
 Requires:       expat
 Requires:       perl-XML-Parser
 Requires:       perl(Encode)
-BuildRequires:  perl-HTML-Tidy
-BuildRequires:  perl-Text-Wrapper
-BuildRequires:  perl-Tie-IxHash
-BuildRequires:  perl-XML-XPath
-BuildRequires:  perl-XML-XPathEngine
 # MANUAL END
 
 %description
@@ -76,13 +75,14 @@
 %prep
 %setup -q -n %{cpan_name}-%{version}
 find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
+%patch0 -p1
 
 %build
-%{__perl} Makefile.PL INSTALLDIRS=vendor
-%{__make} %{?_smp_mflags}
+perl Makefile.PL INSTALLDIRS=vendor
+make %{?_smp_mflags}
 
 %check
-%{__make} test
+make test
 
 %install
 %perl_make_install
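Review bot: `%patch0 -p1` applies a patch whose only change to the module itself is in Twig_pm.slow (the POD warning about expand_external_ents and the new no_xxe entry); the installed file is Twig.pm, which in this distribution is presumably regenerated from Twig_pm.slow during `perl Makefile.PL` / `make`, so it is worth confirming on a build that the installed Twig.pm carries the new text, otherwise the security caveat never reaches users of the package. The new t/CVE-2016-9180.t is picked up by `make test` in %check, so a failure of the no_xxe guard would now fail the build. A short comment above the patch application, such as `# CVE-2016-9180: document that no_xxe, not expand_external_ents => 0, disables external entity expansion`, would tell the next packager why the patch exists.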

++++++ cpanspec.yml ++++++
--- /var/tmp/diff_new_pack.kQ8fnL/_old  2020-07-21 15:39:16.855438788 +0200
+++ /var/tmp/diff_new_pack.kQ8fnL/_new  2020-07-21 15:39:16.855438788 +0200
@@ -4,16 +4,18 @@
 #sources:
 #  - source1
 #  - source2
-#patches:
-#  foo.patch: -p1
-#  bar.patch:
+patches:
+  perl-XML-Twig-CVE-2016-9180.patch: -p1
 preamble: |-
  BuildRequires:  expat
  BuildRequires:  perl-HTML-Tidy
  BuildRequires:  perl-IO-CaptureOutput
+ BuildRequires:  perl-Test-Exception
  BuildRequires:  perl-Test-Pod
+ BuildRequires:  perl-Text-Iconv
  BuildRequires:  perl-Text-Wrapper
  BuildRequires:  perl-Tie-IxHash
+ BuildRequires:  perl-Unicode-Map8
  BuildRequires:  perl-XML-Filter-BufferText
  BuildRequires:  perl-XML-Handler-YAWriter
  BuildRequires:  perl-XML-Parser
@@ -24,8 +26,3 @@
  Requires:       expat
  Requires:       perl-XML-Parser
  Requires:       perl(Encode)
- BuildRequires:     perl-HTML-Tidy
- BuildRequires:     perl-Text-Wrapper
- BuildRequires:     perl-Tie-IxHash
- BuildRequires:     perl-XML-XPath
- BuildRequires:     perl-XML-XPathEngine

++++++ perl-XML-Twig-CVE-2016-9180.patch ++++++
Description: Update documentation for XML::Twig.
 Mention problems with expand_external_ents and add
 information about new no_xxe argument.
 .
 Additionally add tests for both expand_external_ents and no_xxe.
Origin: vendor
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
Bug-Debian: https://bugs.debian.org/842893
Author: gregor herrmann <[email protected]>
Last-Update: 2019-03-30

--- a/Twig_pm.slow
+++ b/Twig_pm.slow
@@ -10454,6 +10454,15 @@
 pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
 cases.  
 
+B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
+as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
+To completely turn off expanding external entities use C<no_xxe>.
+
+=item no_xxe
+
+If this argument is set to a true value, expanding of external entities is
+turned off.
+
 =item load_DTD
 
 If this argument is set to a true value, C<parse> or C<parsefile> on the twig
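Review bot: The new `=item no_xxe` text says expansion of external entities is "turned off", but the accompanying t/CVE-2016-9180.t expects `parsefile` to die (`throws_ok { ... } qr/cannot expand &xxe;/`) when the document references one, which is a stronger and more useful guarantee than silently skipping it. I would state that in the POD, e.g. `If this argument is set to a true value, any reference to an external entity is treated as a fatal error: the parser dies instead of expanding it. This is the setting to use when parsing documents from untrusted sources.` The preceding B<WARNING> could also say explicitly that a document with external entities is still read and expanded under expand_external_ents => 0 or -1 until the linked ticket is fixed, so that readers do not take "doesn't work as expected" as merely a cosmetic problem.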
--- /dev/null
+++ b/t/CVE-2016-9180.t
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+BEGIN { use_ok('XML::Twig'); }
+
+my $twig = XML::Twig->new( expand_external_ents => 1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+my $result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
+
+TODO: {
+    local $TODO = 'This test currently fails: 
https://rt.cpan.org/Public/Bug/Display.html?id=118097';
+
+$twig = XML::Twig->new( expand_external_ents => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+    'external entity not expanded (expand_external_ents 0)' );
+
+$twig = XML::Twig->new( expand_external_ents => -1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+    'external entity not expanded and no fail (expand_external_ents -1)' );
+
+}
+
+$twig = XML::Twig->new( no_xxe => 1 );
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
+    'external entity not expanded (no_xxe 1)';
+
+$twig = XML::Twig->new( no_xxe => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
+
+done_testing();
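Review bot: The two expand_external_ents checks inside the `TODO: {` block are written at column 0, so a reader cannot see that those `unlike` assertions are expected to fail until reaching the closing brace; indent the block body to match the four-space style used elsewhere in this file. Because `local $TODO` turns their failures into TODO results, the suite stays green whether or not the 0 and -1 settings suppress expansion, so once rt#118097 is resolved upstream the TODO wrapper should be removed; a comment such as `# TODO until rt#118097: 0 and -1 should suppress expansion without dying` would make that intent explicit. The fixture's entity uses the relative system id `CVE-2016-9180.txt` while the document is opened as `t/CVE-2016-9180.xml`, so the test appears to rely on the parser resolving the entity against the document's directory rather than the current working directory — worth confirming, since a wrong resolution would make the `no_xxe => 0` case fail for the wrong reason. The `expand_external_ents => 1` and `no_xxe => 0` cases both expect `Boom` to be expanded, which usefully documents that the default remains permissive and that `no_xxe => 1` is the option to rely on for untrusted input.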
--- /dev/null
+++ b/t/CVE-2016-9180.txt
@@ -0,0 +1 @@
+Boom
--- /dev/null
+++ b/t/CVE-2016-9180.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+       <!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
+]>
+<root>&xxe;</root>
