Bug 927883 - Review Request: python-defusedxml - XML bomb protection for Python stdlib modules
Summary: Review Request: python-defusedxml - XML bomb protection for Python stdlib mod...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bohuslav "Slavek" Kabrda
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 923738
TreeView+ depends on / blocked
 
Reported: 2013-03-26 12:43 UTC by Miro Hrončok
Modified: 2015-08-27 23:49 UTC (History)
4 users (show)

Fixed In Version: 0.4.1-4.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-05 23:10:33 UTC
bkabrda: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)
python-defusedxml-0.4.1-entity_loop.patch (2.38 KB, patch)
2015-07-22 12:04 UTC, Avram Lubkin
no flags Details | Diff
python-defusedxml-0.4.1-format_strings.patch (2.21 KB, patch)
2015-07-22 12:05 UTC, Avram Lubkin
no flags Details | Diff

Description Miro Hrončok 2013-03-26 12:43:44 UTC
Spec URL: https://raw.github.com/hroncok/SPECS/master/python-defusedxml.spec
SRPM URL: https://github.com/downloads/hroncok/SPECS/python-defusedxml-0.4-1.fc18.src.rpm

Description:

The defusedxml package contains several Python-only workarounds and fixes for
denial of service and other vulnerabilities in Python's XML libraries. In order
to benefit from the protection you just have to import and use the listed
functions / classes from the right defusedxml module instead of the original
module.

Fedora Account System Username: churchyard

Comment 1 Bohuslav "Slavek" Kabrda 2013-03-26 15:58:13 UTC
I'll review this.

Comment 2 Bohuslav "Slavek" Kabrda 2013-03-26 16:24:37 UTC
I can't find anything wrong with this package. Rpmlint is silent (except of some typical "spelling-errors") and the package follows all guidelines.

APPROVED

Comment 3 Miro Hrončok 2013-03-26 16:47:25 UTC
New Package SCM Request
=======================
Package Name: python-defusedxml
Short Description: XML bomb protection for Python stdlib modules
Owners: churchyard bkabrda
Branches: f17 f18 f19

Comment 4 Gwyn Ciesla 2013-03-26 16:59:34 UTC
Git done (by process-git-requests).

Comment 5 Miro Hrončok 2013-03-26 17:52:34 UTC
Package Change Request
======================
Package Name: python-defusedxml
New Branches: el6
Owners: churchyard bkabrda

Comment 6 Miro Hrončok 2013-03-26 17:53:09 UTC
Sorry, I've forgot the EPEL.

Comment 7 Gwyn Ciesla 2013-03-26 18:02:49 UTC
Git done (by process-git-requests).

Comment 8 Fedora Update System 2013-03-26 18:25:58 UTC
python-defusedxml-0.4-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4-1.fc18

Comment 9 Fedora Update System 2013-03-26 18:37:04 UTC
python-defusedxml-0.4-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4-1.el6

Comment 10 Fedora Update System 2013-03-27 20:30:20 UTC
python-defusedxml-0.4-1.fc18 has been pushed to the Fedora 18 testing repository.

Comment 11 Fedora Update System 2013-04-05 23:10:35 UTC
python-defusedxml-0.4-1.fc17 has been pushed to the Fedora 17 stable repository.

Comment 12 Fedora Update System 2013-04-05 23:22:40 UTC
python-defusedxml-0.4-1.fc18 has been pushed to the Fedora 18 stable repository.

Comment 13 Fedora Update System 2013-04-13 00:13:12 UTC
python-defusedxml-0.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository.

Comment 14 Avram Lubkin 2015-07-22 12:01:16 UTC
Looks like python-defusedxml was never added to EPEL 7. Can we get that added?


Also, I'm attaching a couple patches:


python-defusedxml-0.4.1-entity_loop.patch

It looks like in the mass rebuilds, --nocheck is used, so the tests don't actually run, but when I rebuild manually, I noticed a few of the tests fail with:

lxml.etree.XMLSyntaxError: Detected an entity reference loop, line 1, column 4

This is due to a security patch in libxml2. It's legitimate, but the tests are expecting the wrong exception. I emailed the maintainer about it, but haven't heard anything yet. This patch modifies the tests so they check for what is expected.


python-defusedxml-0.4.1-format_strings.patch

This is from a pull request in the defusedxml repo. It fixes some string formatting syntax so it work in Python 2.6 as well as 2.7+
https://bitbucket.org/tiran/defusedxml/pull-request/1/make-format-strings-python26-compatible/diff

Comment 15 Avram Lubkin 2015-07-22 12:04:14 UTC
Created attachment 1054818 [details]
python-defusedxml-0.4.1-entity_loop.patch

Comment 16 Avram Lubkin 2015-07-22 12:05:03 UTC
Created attachment 1054819 [details]
python-defusedxml-0.4.1-format_strings.patch

Comment 17 Miro Hrončok 2015-07-22 14:01:55 UTC
Package Change Request
======================
Package Name: python-defusedxml
New Branches: epel7
Owners: churchyard bkabrda

Comment 18 Gwyn Ciesla 2015-07-23 13:55:22 UTC
Git done (by process-git-requests).

Comment 19 Fedora Update System 2015-08-05 16:41:56 UTC
python-defusedxml-0.4.1-4.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.el7

Comment 20 Fedora Update System 2015-08-05 16:44:28 UTC
python-defusedxml-0.4.1-4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.fc21

Comment 21 Fedora Update System 2015-08-05 16:46:09 UTC
python-defusedxml-0.4.1-4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.fc22

Comment 22 Fedora Update System 2015-08-05 16:46:56 UTC
python-defusedxml-0.4.1-4.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/python-defusedxml-0.4.1-4.fc23

Comment 23 Fedora Update System 2015-08-13 20:19:41 UTC
python-defusedxml-0.4.1-4.el7 has been pushed to the Fedora EPEL 7 stable repository.

Comment 24 Fedora Update System 2015-08-15 02:15:20 UTC
python-defusedxml-0.4.1-4.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2015-08-27 18:29:23 UTC
python-defusedxml-0.4.1-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2015-08-27 23:49:30 UTC
python-defusedxml-0.4.1-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.