[Git][debian-gis-team/owslib][master] 3 commits: Add upstream patch to fix CVE-2023-27476. (closes: #1034182)
Bas Couwenberg (@sebastic)
gitlab at salsa.debian.org
Tue Apr 18 06:06:06 BST 2023
Bas Couwenberg pushed to branch master at Debian GIS Project / owslib
Commits:
852425b1 by Bas Couwenberg at 2023-04-11T06:29:07+02:00
Add upstream patch to fix CVE-2023-27476. (closes: #1034182)
- - - - -
4950b702 by Bas Couwenberg at 2023-04-11T06:30:04+02:00
Add python3-lxml to build dependencies.
- - - - -
fab64244 by Bas Couwenberg at 2023-04-11T06:30:23+02:00
Set distribution to unstable.
- - - - -
4 changed files:
- debian/changelog
- debian/control
- debian/patches/series
- + debian/patches/use-only-lxml-for-XML-handling.patch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,12 +1,15 @@
-owslib (0.27.2-3) UNRELEASED; urgency=medium
+owslib (0.27.2-3) unstable; urgency=medium
* Team upload.
* Add Rules-Requires-Root to control file.
* Add py3dist overrides for dataclasses.
* Fix 'Recommends' typo.
* Bump Standards-Version to 4.6.2, no changes.
+ * Add upstream patch to fix CVE-2023-27476.
+ (closes: #1034182)
+ * Add python3-lxml to build dependencies.
- -- Bas Couwenberg <sebastic at debian.org> Mon, 28 Nov 2022 19:03:18 +0100
+ -- Bas Couwenberg <sebastic at debian.org> Tue, 11 Apr 2023 06:30:11 +0200
owslib (0.27.2-2) unstable; urgency=medium
=====================================
debian/control
=====================================
@@ -8,6 +8,7 @@ Build-Depends: debhelper-compat (= 12),
dh-python,
python3-all,
python3-dateutil,
+ python3-lxml,
python3-pytest,
python3-requests,
python3-setuptools,
@@ -21,8 +22,7 @@ Rules-Requires-Root: no
Package: python3-owslib
Architecture: all
-Depends: python3-lxml,
- ${python3:Depends},
+Depends: ${python3:Depends},
${misc:Depends}
Recommends: python3-pyproj
Description: Client library for Open Geospatial (OGC) web services (Python 3)
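Review bot: Dropping `python3-lxml` from the binary package's `Depends` leaves `${python3:Depends}` as the only way it can come back, while the patch added in this same upload makes `from lxml import etree` unconditional in `owslib/etree.py`. Check the generated dependencies of the built package to confirm `python3-lxml` is still listed; if it is not, keep the explicit entry, since the module no longer imports without lxml.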
=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
yaml-safe_load.patch
+use-only-lxml-for-XML-handling.patch
=====================================
debian/patches/use-only-lxml-for-XML-handling.patch
=====================================
@@ -0,0 +1,318 @@
+Description: use only lxml for XML handling
+ Fixes CVE-2023-27476
+Author: Tom Kralidis <tomkralidis at gmail.com>
+Origin: https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
+Bug: https://github.com/geopython/OWSLib/pull/863
+Bug-Debian: https://bugs.debian.org/1034182
+
+--- a/.github/workflows/main.yml
++++ b/.github/workflows/main.yml
+@@ -8,9 +8,7 @@ jobs:
+ strategy:
+ matrix:
+ python-version: [3.6, 3.7, 3.8, 3.9]
+- lxml: [true, false]
+ env:
+- LXML: ${{ matrix.lxml }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COVERALLS_SERVICE_NAME: github
+ steps:
+@@ -28,8 +26,6 @@ jobs:
+ pip3 install -e .
+ pip3 install -r requirements.txt
+ pip3 install -r requirements-dev.txt
+- echo "LXML => $LXML"
+- if [ "$LXML" == "true" ]; then pip install lxml; fi
+ - name: run tests ⚙️
+ run: python3 -m pytest
+ - name: run coveralls ⚙️
+--- a/docs/en/installation.rst
++++ b/docs/en/installation.rst
+@@ -4,7 +4,7 @@ Installation
+ Requirements
+ ------------
+
+-OWSLib requires a Python interpreter, as well as `ElementTree <https://docs.python.org/2/library/xml.etree.elementtree.html>`_ or `lxml <http://lxml.de>`_ for XML parsing.
++OWSLib requires a Python interpreter, as well as `lxml <https://lxml.de>`_ for XML parsing.
+
+ Install
+ -------
+--- a/etc/debian/control
++++ b/etc/debian/control
+@@ -9,5 +9,5 @@ Homepage: http://geopython.github.com/OW
+
+ Package: python-owslib
+ Architecture: all
+-Depends: ${misc:Depends}, debconf, python (>=2.7), python-lxml
++Depends: ${misc:Depends}, debconf, python (>=3), python-lxml
+ Description: OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service (hence OWS) interface standards, and their related content models.
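Review bot: The new `Depends` line asks for `python (>=3)` but still names `python-lxml`, and the stanza is still `Package: python-owslib`, which are the Python 2 style names. Either switch the whole stanza to the `python3-` names or leave this file alone; as it stands the hunk only half-updates it.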
+--- a/owslib/catalogue/csw2.py
++++ b/owslib/catalogue/csw2.py
+@@ -226,11 +226,6 @@ class CatalogueServiceWeb(object):
+ else:
+ # construct request
+ node0 = self._setrootelement('csw:GetRecords')
+- if etree.__name__ != 'lxml.etree': # apply nsmap manually
+- node0.set('xmlns:ows', namespaces['ows'])
+- node0.set('xmlns:gmd', namespaces['gmd'])
+- node0.set('xmlns:dif', namespaces['dif'])
+- node0.set('xmlns:fgdc', namespaces['fgdc'])
+ node0.set('outputSchema', outputschema)
+ node0.set('outputFormat', format)
+ node0.set('version', self.version)
+@@ -354,11 +349,6 @@ class CatalogueServiceWeb(object):
+ else:
+ # construct request
+ node0 = self._setrootelement('csw:GetRecords')
+- if etree.__name__ != 'lxml.etree': # apply nsmap manually
+- node0.set('xmlns:ows', namespaces['ows'])
+- node0.set('xmlns:gmd', namespaces['gmd'])
+- node0.set('xmlns:dif', namespaces['dif'])
+- node0.set('xmlns:fgdc', namespaces['fgdc'])
+ node0.set('outputSchema', outputschema)
+ node0.set('outputFormat', format)
+ node0.set('version', self.version)
+@@ -622,10 +612,7 @@ class CatalogueServiceWeb(object):
+ return el
+
+ def _setrootelement(self, el):
+- if etree.__name__ == 'lxml.etree': # apply nsmap
+- return etree.Element(util.nspath_eval(el, namespaces), nsmap=namespaces)
+- else:
+- return etree.Element(util.nspath_eval(el, namespaces))
++ return etree.Element(util.nspath_eval(el, namespaces), nsmap=namespaces)
+
+ def _setconstraint(self, parent, qtype=None, propertyname='csw:AnyText', keywords=[], bbox=None, cql=None,
+ identifier=None):
+--- a/owslib/catalogue/csw3.py
++++ b/owslib/catalogue/csw3.py
+@@ -242,11 +242,6 @@ class CatalogueServiceWeb(object):
+ else:
+ # construct request
+ node0 = self._setrootelement('csw30:GetRecords')
+- if etree.__name__ != 'lxml.etree': # apply nsmap manually
+- node0.set('xmlns:ows110', namespaces['ows110'])
+- node0.set('xmlns:gmd', namespaces['gmd'])
+- node0.set('xmlns:dif', namespaces['dif'])
+- node0.set('xmlns:fgdc', namespaces['fgdc'])
+ node0.set('outputSchema', outputschema)
+ node0.set('outputFormat', format)
+ node0.set('version', self.version)
+@@ -516,10 +511,7 @@ class CatalogueServiceWeb(object):
+ return el
+
+ def _setrootelement(self, el):
+- if etree.__name__ == 'lxml.etree': # apply nsmap
+- return etree.Element(util.nspath_eval(el, namespaces), nsmap=namespaces)
+- else:
+- return etree.Element(util.nspath_eval(el, namespaces))
++ return etree.Element(util.nspath_eval(el, namespaces), nsmap=namespaces)
+
+ def _setconstraint(self, parent, qtype=None, propertyname='csw30:AnyText', keywords=[], bbox=None, cql=None,
+ identifier=None):
+--- a/owslib/etree.py
++++ b/owslib/etree.py
+@@ -4,37 +4,33 @@
+ # Contact email: sgillies at frii.com
+ # =============================================================================
+
++
++from lxml import etree
++from lxml.etree import ParseError
++ElementType = etree._Element
++
+ from owslib.namespaces import Namespaces
+
+
+-def patch_well_known_namespaces(etree_module):
+- """Monkey patches the etree module to add some well-known namespaces."""
++def patch_well_known_namespaces():
++ """Monkey patches lxml.etree to add some well-known namespaces."""
+
+ ns = Namespaces()
+
+ try:
+- register_namespace = etree_module.register_namespace
++ register_namespace = etree.register_namespace
+ except AttributeError:
+- etree_module._namespace_map
++ etree._namespace_map
+
+ def register_namespace(prefix, uri):
+- etree_module._namespace_map[uri] = prefix
++ etree._namespace_map[uri] = prefix
+
+ for k, v in list(ns.get_namespaces().items()):
+ register_namespace(k, v)
+
++ etree.set_default_parser(
++ parser=etree.XMLParser(resolve_entities=False)
++ )
+
+-# try to find lxml or elementtree
+-try:
+- from lxml import etree
+- from lxml.etree import ParseError
+- ElementType = etree._Element
+-except ImportError:
+- import xml.etree.ElementTree as etree
+- ElementType = etree.Element
+- try:
+- from xml.etree.ElementTree import ParseError
+- except ImportError:
+- from xml.parsers.expat import ExpatError as ParseError
+
+-patch_well_known_namespaces(etree)
++patch_well_known_namespaces()
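Review bot: The `etree.set_default_parser(parser=etree.XMLParser(resolve_entities=False))` call at the end of `patch_well_known_namespaces()` is the security-relevant change, yet it sits in a function whose name and docstring only mention namespaces, and it runs as an import side effect. lxml sets the default parser for the current thread, so this covers the thread that imports `owslib.etree`; parsing done in other threads would still use the stock parser, and any other lxml user in the same thread silently inherits the new default. Consider passing an explicit parser at the parse call sites, or at least documenting the limitation, and add a test that parses a document containing an entity declaration, since the patch touches no tests. The `except AttributeError` fallback to `etree._namespace_map` also looks like a leftover from the ElementTree path now that only lxml is imported.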
+--- a/owslib/feature/schema.py
++++ b/owslib/feature/schema.py
+@@ -13,7 +13,7 @@ import sys
+ from urllib.parse import urlencode, parse_qsl
+ from owslib.etree import etree
+ from owslib.namespaces import Namespaces
+-from owslib.util import which_etree, findall, Authentication, openURL
++from owslib.util import findall, Authentication, openURL
+
+ MYNS = Namespaces()
+ XS_NAMESPACE = MYNS.get_namespace("xs")
+--- a/owslib/util.py
++++ b/owslib/util.py
+@@ -277,11 +277,8 @@ def nspath_eval(xpath, namespaces):
+
+ def cleanup_namespaces(element):
+ """ Remove unused namespaces from an element """
+- if etree.__name__ == 'lxml.etree':
+- etree.cleanup_namespaces(element)
+- return element
+- else:
+- return etree.fromstring(etree.tostring(element))
++ etree.cleanup_namespaces(element)
++ return element
+
+
+ def add_namespaces(root, ns_keys):
+@@ -292,35 +289,34 @@ def add_namespaces(root, ns_keys):
+
+ ns_keys = [(x, namespaces.get_namespace(x)) for x in ns_keys]
+
+- if etree.__name__ != 'lxml.etree':
+- # We can just add more namespaces when not using lxml.
+- # We can't re-add an existing namespaces. Get a list of current
+- # namespaces in use
+- existing_namespaces = set()
+- for elem in root.iter():
+- if elem.tag[0] == "{":
+- uri, tag = elem.tag[1:].split("}")
+- existing_namespaces.add(namespaces.get_namespace_from_url(uri))
+- for key, link in ns_keys:
+- if link is not None and key not in existing_namespaces:
+- root.set("xmlns:%s" % key, link)
+- return root
+- else:
+- # lxml does not support setting xmlns attributes
+- # Update the elements nsmap with new namespaces
+- new_map = root.nsmap
+- for key, link in ns_keys:
+- if link is not None:
+- new_map[key] = link
+- # Recreate the root element with updated nsmap
+- new_root = etree.Element(root.tag, nsmap=new_map)
+- # Carry over attributes
+- for a, v in list(root.items()):
+- new_root.set(a, v)
+- # Carry over children
+- for child in root:
+- new_root.append(deepcopy(child))
+- return new_root
++ # lxml does not support setting xmlns attributes
++ # Update the elements nsmap with new namespaces
++ new_map = root.nsmap
++ for key, link in ns_keys:
++ if link is not None:
++ new_map[key] = link
++ # Recreate the root element with updated nsmap
++ new_root = etree.Element(root.tag, nsmap=new_map)
++ # Carry over attributes
++ for a, v in list(root.items()):
++ new_root.set(a, v)
++ # Carry over children
++ for child in root:
++ new_root.append(deepcopy(child))
++ return new_root
++
++ # We can just add more namespaces when not using lxml.
++ # We can't re-add an existing namespaces. Get a list of current
++ # namespaces in use
++ existing_namespaces = set()
++ for elem in root.iter():
++ if elem.tag[0] == "{":
++ uri, tag = elem.tag[1:].split("}")
++ existing_namespaces.add(namespaces.get_namespace_from_url(uri))
++ for key, link in ns_keys:
++ if link is not None and key not in existing_namespaces:
++ root.set("xmlns:%s" % key, link)
++ return root
+
+
+ def getXMLInteger(elem, tag):
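Review bot: In `add_namespaces`, everything after `return new_root` is unreachable: the old non-lxml branch, from the comment "We can just add more namespaces when not using lxml." down to `return root`, was re-added below the return instead of being deleted. Drop those lines so the function ends at `return new_root`.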
+@@ -495,21 +491,14 @@ def element_to_string(element, encoding=
+ if encoding is None:
+ encoding = "ISO-8859-1"
+
+- if etree.__name__ == 'lxml.etree':
+- if xml_declaration:
+- if encoding in ['unicode', 'utf-8']:
+- output = '<?xml version="1.0" encoding="utf-8" standalone="no"?>\n{}'.format(
+- etree.tostring(element, encoding='unicode'))
+- else:
+- output = etree.tostring(element, encoding=encoding, xml_declaration=True)
++ if xml_declaration:
++ if encoding in ['unicode', 'utf-8']:
++ output = '<?xml version="1.0" encoding="utf-8" standalone="no"?>\n{}'.format(
++ etree.tostring(element, encoding='unicode'))
+ else:
+- output = etree.tostring(element)
++ output = etree.tostring(element, encoding=encoding, xml_declaration=True)
+ else:
+- if xml_declaration:
+- output = '<?xml version="1.0" encoding="{}" standalone="no"?>\n{}'.format(
+- encoding, etree.tostring(element, encoding=encoding))
+- else:
+- output = etree.tostring(element)
++ output = etree.tostring(element)
+
+ return output
+
+@@ -753,21 +742,6 @@ log = logging.getLogger('owslib')
+ log.addHandler(NullHandler())
+
+
+-def which_etree():
+- """decipher which etree library is being used by OWSLib"""
+-
+- which_etree = None
+-
+- if 'lxml' in etree.__file__:
+- which_etree = 'lxml.etree'
+- elif 'xml/etree' in etree.__file__:
+- which_etree = 'xml.etree'
+- elif 'elementree' in etree.__file__:
+- which_etree = 'elementtree.ElementTree'
+-
+- return which_etree
+-
+-
+ def findall(root, xpath, attribute_name=None, attribute_value=None):
+ """Find elements recursively from given root element based on
+ xpath and possibly given attribute
+--- a/requirements.txt
++++ b/requirements.txt
+@@ -1,5 +1,6 @@
++dataclasses; python_version < '3.7'
++lxml
+ python-dateutil>=1.5
+ pytz
+-requests>=1.0
+ pyyaml
+-dataclasses; python_version < '3.7'
++requests>=1.0
View it on GitLab: https://salsa.debian.org/debian-gis-team/owslib/-/compare/159bb7e8adf1ee094fc59dc691c968b605c664c3...fab64244396c47f37658635fd2ff7da05fb2403b