Bug 927883

Summary: Review Request: python-defusedxml - XML bomb protection for Python stdlib modules
Product: Fedora
Component: Package Review
Reporter: Miro Hrončok <mhroncok>
Assignee: Bohuslav "Slavek" Kabrda <bkabrda>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: rawhide
CC: aviso, bkabrda, notting, package-review
Flags: bkabrda: fedora-review+, gwync: fedora-cvs+
Hardware: All
OS: Linux
Fixed In Version: 0.4.1-4.fc21
Doc Type: Bug Fix
Last Closed: 2013-04-05 23:10:33 UTC
Bug Blocks: 923738
Attachments:
python-defusedxml-0.4.1-entity_loop.patch (flags: none)
python-defusedxml-0.4.1-format_strings.patch (flags: none)

Description Miro Hrončok 2013-03-26 12:43:44 UTC
Spec URL: https://raw.github.com/hroncok/SPECS/master/python-defusedxml.spec
SRPM URL: https://github.com/downloads/hroncok/SPECS/python-defusedxml-0.4-1.fc18.src.rpm

Description:

The defusedxml package contains several Python-only workarounds and fixes for
denial of service and other vulnerabilities in Python's XML libraries. In order
to benefit from the protection you just have to import and use the listed
functions / classes from the right defusedxml module instead of the original
module.

Fedora Account System Username: churchyard
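As an added illustration (not code from this package or from defusedxml itself): defusedxml's ElementTree wrapper works by installing an expat EntityDeclHandler that refuses entity declarations before any reference is expanded. The stdlib-only block below reproduces that check beside an unprotected parser, using a constructed one-entity document; the EntitiesForbidden class here is a stand-in for defusedxml's exception of the same name, not the library's own.

```python
import xml.parsers.expat

# Constructed samples (not from the bug report). The first declares one
# internal entity; a real XML bomb nests such entities so that each level
# multiplies the output, but one level shows where the protection hooks in.
ENTITY_DOC = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "expanded">]><d>&e;</d>'
PLAIN_DOC = b'<?xml version="1.0"?><d>plain</d>'


class EntitiesForbidden(ValueError):
    """Hypothetical stand-in for defusedxml.EntitiesForbidden."""


def _collect_text(parser):
    """Attach a character-data handler and return the list it fills."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_unprotected(data):
    """Plain expat: an internal entity reference is expanded silently."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = _collect_text(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def parse_protected(data):
    """Same parser with the check defusedxml installs: any entity
    declaration aborts the parse before a single reference is expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(name, is_param, value, base, system_id, public_id, notation):
        raise EntitiesForbidden("entity declaration not allowed: %s" % name)

    parser.EntityDeclHandler = forbid
    chunks = _collect_text(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def is_rejected(data):
    """True if the protected parser refuses the document."""
    try:
        parse_protected(data)
    except EntitiesForbidden:
        return True
    return False
```

parse_unprotected(ENTITY_DOC) returns "expanded", while parse_protected(ENTITY_DOC) raises at the declaration; a document without a DTD parses identically through both.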

Comment 1 Bohuslav "Slavek" Kabrda 2013-03-26 15:58:13 UTC
I'll review this.

Comment 2 Bohuslav "Slavek" Kabrda 2013-03-26 16:24:37 UTC
I can't find anything wrong with this package. Rpmlint is silent (except for some typical "spelling-errors") and the package follows all guidelines.

APPROVED

Comment 3 Miro Hrončok 2013-03-26 16:47:25 UTC
New Package SCM Request
=======================
Package Name: python-defusedxml
Short Description: XML bomb protection for Python stdlib modules
Owners: churchyard bkabrda
Branches: f17 f18 f19

Comment 4 Gwyn Ciesla 2013-03-26 16:59:34 UTC
Git done (by process-git-requests).

Comment 5 Miro Hrončok 2013-03-26 17:52:34 UTC
Package Change Request
======================
Package Name: python-defusedxml
New Branches: el6
Owners: churchyard bkabrda

Comment 6 Miro Hrončok 2013-03-26 17:53:09 UTC
Sorry, I forgot the EPEL.

Comment 7 Gwyn Ciesla 2013-03-26 18:02:49 UTC
Git done (by process-git-requests).

Comment 8 Fedora Update System 2013-03-26 18:25:58 UTC
python-defusedxml-0.4-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4-1.fc18

Comment 9 Fedora Update System 2013-03-26 18:37:04 UTC
python-defusedxml-0.4-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4-1.el6

Comment 10 Fedora Update System 2013-03-27 20:30:20 UTC
python-defusedxml-0.4-1.fc18 has been pushed to the Fedora 18 testing repository.

Comment 11 Fedora Update System 2013-04-05 23:10:35 UTC
python-defusedxml-0.4-1.fc17 has been pushed to the Fedora 17 stable repository.

Comment 12 Fedora Update System 2013-04-05 23:22:40 UTC
python-defusedxml-0.4-1.fc18 has been pushed to the Fedora 18 stable repository.

Comment 13 Fedora Update System 2013-04-13 00:13:12 UTC
python-defusedxml-0.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository.

Comment 14 Avram Lubkin 2015-07-22 12:01:16 UTC
Looks like python-defusedxml was never added to EPEL 7. Can we get that added?

Also, I'm attaching a couple of patches:

python-defusedxml-0.4.1-entity_loop.patch

It looks like in the mass rebuilds, --nocheck is used, so the tests don't actually run, but when I rebuild manually, I noticed a few of the tests fail with:

lxml.etree.XMLSyntaxError: Detected an entity reference loop, line 1, column 4

This is due to a security patch in libxml2. It's legitimate, but the tests are expecting the wrong exception. I emailed the maintainer about it, but haven't heard anything yet. This patch modifies the tests so they check for what is expected.

python-defusedxml-0.4.1-format_strings.patch

This is from a pull request in the defusedxml repo. It fixes some string formatting syntax so it works in Python 2.6 as well as 2.7+:
https://bitbucket.org/tiran/defusedxml/pull-request/1/make-format-strings-python26-compatible/diff

Comment 15 Avram Lubkin 2015-07-22 12:04:14 UTC
Created attachment 1054818
python-defusedxml-0.4.1-entity_loop.patch

Comment 16 Avram Lubkin 2015-07-22 12:05:03 UTC
Created attachment 1054819
python-defusedxml-0.4.1-format_strings.patch

Comment 17 Miro Hrončok 2015-07-22 14:01:55 UTC
Package Change Request
======================
Package Name: python-defusedxml
New Branches: epel7
Owners: churchyard bkabrda

Comment 18 Gwyn Ciesla 2015-07-23 13:55:22 UTC
Git done (by process-git-requests).

Comment 19 Fedora Update System 2015-08-05 16:41:56 UTC
python-defusedxml-0.4.1-4.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.el7

Comment 20 Fedora Update System 2015-08-05 16:44:28 UTC
python-defusedxml-0.4.1-4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.fc21

Comment 21 Fedora Update System 2015-08-05 16:46:09 UTC
python-defusedxml-0.4.1-4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.fc22

Comment 22 Fedora Update System 2015-08-05 16:46:56 UTC
python-defusedxml-0.4.1-4.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.fc23

Comment 23 Fedora Update System 2015-08-13 20:19:41 UTC
python-defusedxml-0.4.1-4.el7 has been pushed to the Fedora EPEL 7 stable repository.

Comment 24 Fedora Update System 2015-08-15 02:15:20 UTC
python-defusedxml-0.4.1-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2015-08-27 18:29:23 UTC
python-defusedxml-0.4.1-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2015-08-27 23:49:30 UTC
python-defusedxml-0.4.1-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.