Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi Not the maintainer here. Please unblock package openpyxl Unfortunately it looks an unblock for this update was never requested. openpyxl/2.3.0-3 fixed CVE-2017-5992, allowing a remote attacker to conduct XXE attacks via crafted .xlsx document. This is #854442 in the Debian BTS. Attached the generated debdiff from the version in testing. unblock openpyxl/2.3.0-3 Regards, Salvatore
diff -Nru openpyxl-2.3.0/debian/changelog openpyxl-2.3.0/debian/changelog
--- openpyxl-2.3.0/debian/changelog 2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/changelog 2017-02-07 15:37:53.000000000 +0100
@@ -1,3 +1,10 @@
+openpyxl (2.3.0-3) unstable; urgency=medium
+
+ * Do not resolve entities with lxml to avoid XXE vulnerability
+ - patch up_no_lxml (Closes: #854442)
+
+ -- Yaroslav Halchenko <deb...@onerussian.com> Tue, 07 Feb 2017 09:37:53 -0500
+
 openpyxl (2.3.0-2) unstable; urgency=medium
 * debian/control
diff -Nru openpyxl-2.3.0/debian/patches/series openpyxl-2.3.0/debian/patches/series
--- openpyxl-2.3.0/debian/patches/series 2016-04-27 03:51:00.000000000 +0200
+++ openpyxl-2.3.0/debian/patches/series 2017-02-07 15:37:53.000000000 +0100
@@ -1,2 +1,3 @@
+up_no_lxml
 deb_no_et_xml_file
 up_python3_print
diff -Nru openpyxl-2.3.0/debian/patches/up_no_lxml openpyxl-2.3.0/debian/patches/up_no_lxml
--- openpyxl-2.3.0/debian/patches/up_no_lxml 1970-01-01 01:00:00.000000000 +0100
+++ openpyxl-2.3.0/debian/patches/up_no_lxml 2017-02-07 15:37:53.000000000 +0100
@@ -0,0 +1,84 @@
+From: Yaroslav Halchenko <deb...@onerussian.com>
+Subject: do not resolve entities
+
+Adopted from upstream's commit on top of more recent release
+
+Origin: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
+Bug-Debian: http://bugs.debian.org/854442
+Applied-Upstream: 2017-01-17
+Last-Update: 2017-02-07
+
+--- a/openpyxl/conftest.py
++++ b/openpyxl/conftest.py
+@@ -47,4 +47,8 @@ def pytest_runtest_setup(item):
+ from lxml.etree import LIBXML_VERSION
+ if LIBXML_VERSION < (3, 4, 0, 0):
+ pytest.skip("LXML >= 3.4 is required")
++ elif item.get_marker("no_lxml"):
++ from openpyxl import LXML
++ if LXML:
++ pytest.skip("LXML has a different interface")
+
+--- a/openpyxl/xml/functions.py
++++ b/openpyxl/xml/functions.py
+@@ -21,11 +21,14 @@ if LXML is True:
+ fromstring,
+ tostring,
+ register_namespace,
+- iterparse,
+ QName,
+- xmlfile
++ xmlfile,
++ XMLParser,
+ )
+ from xml.etree.cElementTree import iterparse
++ # do not resolve entities
++ safe_parser = XMLParser(resolve_entities=False)
++ fromstring = partial(fromstring, parser=safe_parser)
+ else:
+ try:
+ from xml.etree.cElementTree import (
+--- a/openpyxl/xml/tests/test_functions.py
++++ b/openpyxl/xml/tests/test_functions.py
+@@ -2,6 +2,7 @@ import pytest
+
+ from openpyxl.xml.functions import ConditionalElement
+
++import xml
+
+ @pytest.fixture
+ def root():
+@@ -50,3 +51,26 @@ def test_localtag(xml, tag):
+ from ..functions import fromstring
+ node = fromstring(xml)
+ assert localname(node) == tag
++
++
++@pytest.mark.lxml_required
++def test_dont_resolve():
++ from ..functions import fromstring
++ s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++ <!DOCTYPE foo [
++ <!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++ <foo>&xxe;</foo>"""
++ node = fromstring(s)
++
++
++@pytest.mark.no_lxml
++def test_dont_resolve():
++ from ..functions import fromstring
++ s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
++ <!DOCTYPE foo [
++ <!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "file:///dev/random" >]>
++ <foo>&xxe;</foo>"""
++ with pytest.raises(xml.etree.ElementTree.ParseError):
++ node = fromstring(s)
+--- a/pytest.ini
++++ b/pytest.ini
+@@ -9,3 +9,4 @@ markers =
+ not_py33: Do not run test on Python 3.
+ lxml_required: lxml required to run test
+ lxml_buffering: lxml >= 3.4.0 required
++ no_lxml: do not use lxml
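Review bot: Both new tests in the test_functions.py hunk are named `test_dont_resolve`, so the second definition shadows the first at module scope and pytest never collects the `lxml_required` variant — the one that actually exercises the new `safe_parser`; rename them, e.g. `def test_dont_resolve_lxml():` and `def test_dont_resolve_stdlib():`. The lxml variant also asserts nothing: `fromstring(s)` returning without error does not show that the entity was left unexpanded, so add a check on the parsed node, e.g. `assert not node.text` (with `resolve_entities=False` lxml should keep `&xxe;` as an unresolved entity node rather than substituting it, but confirm that against the lxml version in testing). In functions.py the new line `fromstring = partial(fromstring, parser=safe_parser)` uses `partial`, which is not imported anywhere in the hunk; unless `from functools import partial` already exists above line 21 (outside this hunk), the lxml branch raises NameError at import time and the security fix becomes an import failure for every lxml user. The `if LXML is True:` block this change sits in begins before the hunk, so the imports at the top of that file are not visible here.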