diff --git a/cpanspec.yml b/cpanspec.yml
new file mode 100644
index 0000000..860437c
--- /dev/null
+++ b/cpanspec.yml
@@ -0,0 +1,36 @@
+---
+#description_paragraphs: 3
+#description: |-
+# override description from CPAN
+#summary: override summary from CPAN
+#no_testing: broken upstream
+#sources:
+# - source1
+# - source2
+patches:
+ urandom.patch: -p1 PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036
+# bar.patch:
+# baz.patch: PATCH-FIX-OPENSUSE
+preamble: |-
+ BuildRequires: perl(Crypt::URandom)
+ Requires: perl(Crypt::URandom)
+#post_prep: |-
+# hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s, *,,g'`
+# sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL
+#post_build: |-
+# rm unused.files
+#post_install: |-
+# sed on %{name}.files
+#license: SUSE-NonFree
+#skip_noarch: 1
+#custom_build: |-
+#./Build build flags=%{?_smp_mflags} --myflag
+#custom_test: |-
+#startserver && make test
+#ignore_requires: Bizarre::Module
+#skip_doc: regexp_to_skip_for_doc.*
+#add_doc: files to add to docs
+#misc: |-
+#anything else to be added to spec file
+#follows directly after %files section, so it can contain new blocks or also
+#changes to %files section
diff --git a/perl-Net-Dropbox-API.changes b/perl-Net-Dropbox-API.changes
index 7bc0bcc..9da3ac1 100644
--- a/perl-Net-Dropbox-API.changes
+++ b/perl-Net-Dropbox-API.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May 28 14:58:49 UTC 2025 - Tina Müller
+
+- Add urandom.patch for secure tokens
+ https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 bsc#1240884
+ Add cpanspec.yml file used by cpanspec for autogenerating the spec.
+
 -------------------------------------------------------------------
 Thu Feb 6 22:27:01 UTC 2025 - Tina Müller
 
diff --git a/perl-Net-Dropbox-API.spec b/perl-Net-Dropbox-API.spec
index 31d4206..cd0da42 100644
--- a/perl-Net-Dropbox-API.spec
+++ b/perl-Net-Dropbox-API.spec
@@ -26,6 +26,9 @@ License: Artistic-1.0 OR GPL-1.0-or-later
 Summary: Dropbox API interface
 URL: https://metacpan.org/release/%{cpan_name}
 Source0: https://cpan.metacpan.org/authors/id/N/NO/NORBU/%{cpan_name}-%{cpan_version}.tar.gz
+Source1: cpanspec.yml
+# PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036
+Patch0: urandom.patch
 BuildArch: noarch
 BuildRequires: perl
 BuildRequires: perl-macros
@@ -49,12 +52,16 @@ Requires: perl(common::sense)
 Provides: perl(Net::Dropbox::API) = %{version}
 %undefine __perllib_provides
 %{perl_requires}
+# MANUAL BEGIN
+BuildRequires: perl(Crypt::URandom)
+Requires: perl(Crypt::URandom)
+# MANUAL END
 
 %description
 A dropbox API interface
 
 %prep
-%autosetup -n %{cpan_name}-%{cpan_version} -p1
+%autosetup -n %{cpan_name}-%{cpan_version} -p1
 
 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -path "*/scripts/*" ! -name "configure" -print0 | xargs -0 chmod 644
 
diff --git a/urandom.patch b/urandom.patch
new file mode 100644
index 0000000..33ad7ca
--- /dev/null
+++ b/urandom.patch
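Review bot: The new `Requires: perl(Crypt::URandom)` in the MANUAL block covers the dependency the patch introduces, but the same patch removes `requires 'Data::Random'` from Makefile.PL, and if the autogenerated part of the spec outside this hunk still carries `BuildRequires:`/`Requires: perl(Data::Random)`, those lines are now stale and drag an unneeded module into the package; I cannot see that part of the spec from here, so treat this as something to check rather than a confirmed defect. Regenerating the spec with cpanspec from the new cpanspec.yml would settle it and also keeps the hand-copied MANUAL lines and the `preamble:` in cpanspec.yml from drifting apart. The `-%autosetup`/`+%autosetup` pair appears to differ only in whitespace, which is harmless but adds noise to a security-motivated change.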
@@ -0,0 +1,60 @@
+commit e3a854a4305004b1b930dcde16e609ebccc9d78b
+Author: Tina Müller
+Date: Wed May 28 16:21:08 2025 +0200
+
+ Use Crypt::URandom for generation of nonce
+
+ See https://nvd.nist.gov/vuln/detail/CVE-2024-58036
+
+ The result is a string of hex digits with the same length as before, 16.
+
+diff --git a/Makefile.PL b/Makefile.PL
+index 0865ac2..301aac2 100644
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -12,7 +12,7 @@ requires 'JSON';
+ requires 'Mouse';
+ requires 'Encode';
+ requires 'Net::OAuth';
+-requires 'Data::Random';
++requires 'Crypt::URandom';
+ requires 'common::sense';
+ requires 'File::Basename';
+ requires 'LWP::UserAgent';
+diff --git a/lib/Net/Dropbox/API.pm b/lib/Net/Dropbox/API.pm
+index bcdec21..3d53799 100644
+--- a/lib/Net/Dropbox/API.pm
++++ b/lib/Net/Dropbox/API.pm
+@@ -8,7 +8,7 @@ use Net::OAuth;
+ use LWP::UserAgent;
+ use URI;
+ use HTTP::Request::Common;
+-use Data::Random qw(rand_chars);
++use Crypt::URandom qw(urandom);
+ use Encode;
+ 
+ =head1 NAME
+@@ -382,7 +382,7 @@ Generate a different nonce for every request.
+ 
+ =cut
+ 
+-sub nonce { join( '', rand_chars( size => 16, set => 'alphanumeric' )); }
++sub nonce { unpack("H*", urandom(8)); }
+ 
+ sub _talk {
+ my $self = shift;
+diff --git a/t/nonce.t b/t/nonce.t
+new file mode 100644
+index 0000000..7be9762
+--- /dev/null
++++ b/t/nonce.t
+@@ -0,0 +1,9 @@
++use strict;
++use warnings;
++use Test::More;
++use Net::Dropbox::API;
++
++my $nonce = Net::Dropbox::API::nonce();
++like $nonce, qr{^[a-zA-Z0-9]{16}\z}, 'expected nonce content';
++
++done_testing;
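Review bot: The new t/nonce.t does not pin the property this patch introduces: `qr{^[a-zA-Z0-9]{16}\z}` also matches the output of the old `rand_chars( size => 16, set => 'alphanumeric' )` implementation, so a regression back to Data::Random would pass the test unnoticed. Tighten it to the alphabet `unpack("H*", ...)` actually emits, `like $nonce, qr{\A[0-9a-f]{16}\z}, 'nonce is 16 hex digits';`, and add `isnt(Net::Dropbox::API::nonce(), $nonce, 'nonces differ between calls');` as a cheap guard against a constant or broken random source. Separately, `urandom(8)` gives 64 bits of entropy per nonce, less than the roughly 95 bits a 16-character alphanumeric string could carry; that is adequate for a per-request OAuth nonce, but if nothing on the Dropbox side actually requires a 16-character value (I cannot confirm that from here), `urandom(16)` would yield 128 bits at 32 hex characters for the same cost. The `_talk` sub that follows `nonce` starts inside the hunk and continues outside it.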