Version in base suite: 0.23.0-1 Base version: owslib_0.23.0-1 Target version: owslib_0.23.0-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/owslib/owslib_0.23.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/owslib/owslib_0.23.0-1+deb11u1.dsc changelog | 8 + patches/CVE-2023-27476.patch | 259 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 268 insertions(+)
diff -Nru owslib-0.23.0/debian/changelog owslib-0.23.0/debian/changelog
--- owslib-0.23.0/debian/changelog 2021-02-06 05:56:56.000000000 +0000
+++ owslib-0.23.0/debian/changelog 2023-06-13 03:24:20.000000000 +0000
@@ -1,3 +1,11 @@
+owslib (0.23.0-1+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2023-27476: arbitrary file reads from malformed XML payload
+ (Closes: #1034182)
+
+ -- Aron Xu Tue, 13 Jun 2023 11:24:20 +0800
+
 owslib (0.23.0-1) unstable; urgency=medium
 * Team upload.
diff -Nru owslib-0.23.0/debian/patches/CVE-2023-27476.patch owslib-0.23.0/debian/patches/CVE-2023-27476.patch
--- owslib-0.23.0/debian/patches/CVE-2023-27476.patch 1970-01-01 00:00:00.000000000 +0000
+++ owslib-0.23.0/debian/patches/CVE-2023-27476.patch 2023-06-13 03:24:20.000000000 +0000
@@ -0,0 +1,259 @@
+Origin: https://github.com/geopython/OWSLib/commit/b0c687544ddc213d8dcd4a056139b63451938b21
+Reviewed-by: Aron Xu
+
+From b0c687544ddc213d8dcd4a056139b63451938b21 Mon Sep 17 00:00:00 2001
+From: Tom Kralidis
+Date: Fri, 24 Feb 2023 10:15:35 -0500
+Subject: [PATCH] use only lxml for XML handling (#863)
+
+---
+ owslib/catalogue/csw.py | 15 +-----
+ owslib/etree.py | 32 ++++++-------
+ owslib/feature/schema.py | 2 +-
+ owslib/util.py | 98 ++++++++++++++------------------
+ 4 files changed, 52 insertions(+), 95 deletions(-)
+
+diff --git a/owslib/csw.py b/owslib/csw.py
+index 3396336..690e578 100644
+--- a/owslib/csw.py
++++ b/owslib/csw.py
+@@ -226,11 +226,6 @@ class CatalogueServiceWeb(object):
+ else:
+ # construct request
+ node0 = self._setrootelement('csw:GetRecords')
+- if etree.__name__ != 'lxml.etree': # apply nsmap manually
+- node0.set('xmlns:ows', namespaces['ows'])
+- node0.set('xmlns:gmd', namespaces['gmd'])
+- node0.set('xmlns:dif', namespaces['dif'])
+- node0.set('xmlns:fgdc', namespaces['fgdc'])
+ node0.set('outputSchema', outputschema)
+ node0.set('outputFormat', format)
+ node0.set('version', self.version)
+@@ -354,11 +349,6 @@ class CatalogueServiceWeb(object):
+ else:
+ # construct request
+ node0 = self._setrootelement('csw:GetRecords')
+- if etree.__name__ != 'lxml.etree': # apply nsmap manually
+- node0.set('xmlns:ows', namespaces['ows'])
+- node0.set('xmlns:gmd', namespaces['gmd'])
+- node0.set('xmlns:dif', namespaces['dif'])
+- node0.set('xmlns:fgdc', namespaces['fgdc'])
+ node0.set('outputSchema', outputschema)
+ node0.set('outputFormat', format)
+ node0.set('version', self.version)
+@@ -622,10 +612,7 @@ class CatalogueServiceWeb(object):
+ return el
+
+ def _setrootelement(self, el):
+- if etree.__name__ == 'lxml.etree': # apply nsmap
+- return etree.Element(util.nspath_eval(el, namespaces), nsmap=namespaces)
+- else:
+- return etree.Element(util.nspath_eval(el, namespaces))
++ return etree.Element(util.nspath_eval(el, namespaces), nsmap=namespaces)
+
+ def _setconstraint(self, parent, qtype=None, propertyname='csw:AnyText', keywords=[], bbox=None, cql=None,
+ identifier=None):
+diff --git a/owslib/etree.py b/owslib/etree.py
+index 590989c..71dbaa0 100644
+--- a/owslib/etree.py
++++ b/owslib/etree.py
+@@ -4,37 +4,33 @@
+ # Contact email: sgillies@frii.com
+ # =============================================================================
+
++
++from lxml import etree
++from lxml.etree import ParseError
++ElementType = etree._Element
++
+ from owslib.namespaces import Namespaces
+
+
+-def patch_well_known_namespaces(etree_module):
+- """Monkey patches the etree module to add some well-known namespaces."""
++def patch_well_known_namespaces():
++ """Monkey patches lxml.etree to add some well-known namespaces."""
+
+ ns = Namespaces()
+
+ try:
+- register_namespace = etree_module.register_namespace
++ register_namespace = etree.register_namespace
+ except AttributeError:
+- etree_module._namespace_map
++ etree._namespace_map
+
+ def register_namespace(prefix, uri):
+- etree_module._namespace_map[uri] = prefix
++ etree._namespace_map[uri] = prefix
+
+ for k, v in list(ns.get_namespaces().items()):
+ register_namespace(k, v)
+
++ etree.set_default_parser(
++ parser=etree.XMLParser(resolve_entities=False)
++ )
+
+-# try to find lxml or elementtree
+-try:
+- from lxml import etree
+- from lxml.etree import ParseError
+- ElementType = etree._Element
+-except ImportError:
+- import xml.etree.ElementTree as etree
+- ElementType = etree.Element
+- try:
+- from xml.etree.ElementTree import ParseError
+- except ImportError:
+- from xml.parsers.expat import ExpatError as ParseError
+
+-patch_well_known_namespaces(etree)
++patch_well_known_namespaces()
+diff --git a/owslib/feature/schema.py b/owslib/feature/schema.py
+index f2b9299..663eed3 100644
+--- a/owslib/feature/schema.py
++++ b/owslib/feature/schema.py
+@@ -13,7 +13,7 @@ import sys
+ from urllib.parse import urlencode, parse_qsl
+ from owslib.etree import etree
+ from owslib.namespaces import Namespaces
+-from owslib.util import which_etree, findall, Authentication, openURL
++from owslib.util import findall, Authentication, openURL
+
+ MYNS = Namespaces()
+ XS_NAMESPACE = MYNS.get_namespace("xs")
+diff --git a/owslib/util.py b/owslib/util.py
+index bcd5e6e..68551f3 100644
+--- a/owslib/util.py
++++ b/owslib/util.py
+@@ -277,11 +277,8 @@ def nspath_eval(xpath, namespaces):
+
+ def cleanup_namespaces(element):
+ """ Remove unused namespaces from an element """
+- if etree.__name__ == 'lxml.etree':
+- etree.cleanup_namespaces(element)
+- return element
+- else:
+- return etree.fromstring(etree.tostring(element))
++ etree.cleanup_namespaces(element)
++ return element
+
+
+ def add_namespaces(root, ns_keys):
+@@ -292,35 +289,34 @@ def add_namespaces(root, ns_keys):
+
+ ns_keys = [(x, namespaces.get_namespace(x)) for x in ns_keys]
+
+- if etree.__name__ != 'lxml.etree':
+- # We can just add more namespaces when not using lxml.
+- # We can't re-add an existing namespaces. Get a list of current
+- # namespaces in use
+- existing_namespaces = set()
+- for elem in root.iter():
+- if elem.tag[0] == "{":
+- uri, tag = elem.tag[1:].split("}")
+- existing_namespaces.add(namespaces.get_namespace_from_url(uri))
+- for key, link in ns_keys:
+- if link is not None and key not in existing_namespaces:
+- root.set("xmlns:%s" % key, link)
+- return root
+- else:
+- # lxml does not support setting xmlns attributes
+- # Update the elements nsmap with new namespaces
+- new_map = root.nsmap
+- for key, link in ns_keys:
+- if link is not None:
+- new_map[key] = link
+- # Recreate the root element with updated nsmap
+- new_root = etree.Element(root.tag, nsmap=new_map)
+- # Carry over attributes
+- for a, v in list(root.items()):
+- new_root.set(a, v)
+- # Carry over children
+- for child in root:
+- new_root.append(deepcopy(child))
+- return new_root
++ # lxml does not support setting xmlns attributes
++ # Update the elements nsmap with new namespaces
++ new_map = root.nsmap
++ for key, link in ns_keys:
++ if link is not None:
++ new_map[key] = link
++ # Recreate the root element with updated nsmap
++ new_root = etree.Element(root.tag, nsmap=new_map)
++ # Carry over attributes
++ for a, v in list(root.items()):
++ new_root.set(a, v)
++ # Carry over children
++ for child in root:
++ new_root.append(deepcopy(child))
++ return new_root
++
++ # We can just add more namespaces when not using lxml.
++ # We can't re-add an existing namespaces. Get a list of current
++ # namespaces in use
++ existing_namespaces = set()
++ for elem in root.iter():
++ if elem.tag[0] == "{":
++ uri, tag = elem.tag[1:].split("}")
++ existing_namespaces.add(namespaces.get_namespace_from_url(uri))
++ for key, link in ns_keys:
++ if link is not None and key not in existing_namespaces:
++ root.set("xmlns:%s" % key, link)
++ return root
+
+
+ def getXMLInteger(elem, tag):
+@@ -519,21 +515,14 @@ def element_to_string(element, encoding=None, xml_declaration=False):
+ if encoding is None:
+ encoding = "ISO-8859-1"
+
+- if etree.__name__ == 'lxml.etree':
+- if xml_declaration:
+- if encoding in ['unicode', 'utf-8']:
+- output = '\n{}'.format(
+- etree.tostring(element, encoding='unicode'))
+- else:
+- output = etree.tostring(element, encoding=encoding, xml_declaration=True)
++ if xml_declaration:
++ if encoding in ['unicode', 'utf-8']:
++ output = '\n{}'.format(
++ etree.tostring(element, encoding='unicode'))
+ else:
+- output = etree.tostring(element)
++ output = etree.tostring(element, encoding=encoding, xml_declaration=True)
+ else:
+- if xml_declaration:
+- output = '\n{}'.format(
+- encoding, etree.tostring(element, encoding=encoding))
+- else:
+- output = etree.tostring(element)
++ output = etree.tostring(element)
+
+ return output
+
+@@ -777,21 +766,6 @@ log = logging.getLogger('owslib')
+ log.addHandler(NullHandler())
+
+
+-def which_etree():
+- """decipher which etree library is being used by OWSLib"""
+-
+- which_etree = None
+-
+- if 'lxml' in etree.__file__:
+- which_etree = 'lxml.etree'
+- elif 'xml/etree' in etree.__file__:
+- which_etree = 'xml.etree'
+- elif 'elementree' in etree.__file__:
+- which_etree = 'elementtree.ElementTree'
+-
+- return which_etree
+-
+-
+ def findall(root, xpath, attribute_name=None, attribute_value=None):
+ """Find elements recursively from given root element based on
+ xpath and possibly given attribute
+--
+2.39.2
+
diff -Nru owslib-0.23.0/debian/patches/series
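Review bot: The mitigation in the owslib/etree.py part of this patch rests on `etree.set_default_parser(parser=etree.XMLParser(resolve_entities=False))`, which lxml documents as setting the default parser for the calling thread only, so any parse call that relies on the default parser from another thread (a worker pool driving OWSLib, say) would still get lxml's stock parser with entity resolution enabled; a more robust shape is a module-level `_PARSER = etree.XMLParser(resolve_entities=False)` passed explicitly at each `etree.fromstring`/`etree.parse` site, which lie outside this hunk. The `except AttributeError` fallback in `patch_well_known_namespaces` is now dead, since the module only ever imports lxml, and could be removed together with its bare `etree._namespace_map` expression statement. In the owslib/util.py `add_namespaces` hunk, everything after `return new_root` (the former non-lxml branch, from `# We can just add more namespaces when not using lxml.` through `return root`) is unreachable and should be deleted rather than kept re-indented.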
owslib-0.23.0/debian/patches/series
--- owslib-0.23.0/debian/patches/series 2015-09-29 07:48:31.000000000 +0000
+++ owslib-0.23.0/debian/patches/series 2023-06-13 03:24:20.000000000 +0000
@@ -1 +1,2 @@
 fixprivacybreaches
+CVE-2023-27476.patch