From e8272210f692d1f88184235d3b3e028cdf77626d5498a3adfa006a8d23f9bbd6 Mon Sep 17 00:00:00 2001
From: Oliver Kurz
Date: Wed, 28 May 2025 21:38:17 +0000
Subject: [PATCH] Accepting request 1280950 from home:tinita:branches:devel:languages:perl

- Add urandom.patch for secure tokens
  https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 bsc#1240884

OBS-URL: https://build.opensuse.org/request/show/1280950
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-Net-Dropbox-API?expand=0&rev=14
---
 cpanspec.yml | 36 ++++++++++++++++++++++
 perl-Net-Dropbox-API.changes | 6 ++++
 perl-Net-Dropbox-API.spec | 9 +++++-
 urandom.patch | 60 ++++++++++++++++++++++++++++++++++++
 4 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 cpanspec.yml
 create mode 100644 urandom.patch

diff --git a/cpanspec.yml b/cpanspec.yml
new file mode 100644
index 0000000..860437c
--- /dev/null
+++ b/cpanspec.yml
@@ -0,0 +1,36 @@
+---
+#description_paragraphs: 3
+#description: |-
+# override description from CPAN
+#summary: override summary from CPAN
+#no_testing: broken upstream
+#sources:
+# - source1
+# - source2
+patches:
+ urandom.patch: -p1 PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036
+# bar.patch:
+# baz.patch: PATCH-FIX-OPENSUSE
+preamble: |-
+ BuildRequires: perl(Crypt::URandom)
+ Requires: perl(Crypt::URandom)
+#post_prep: |-
+# hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s, *,,g'`
+# sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL
+#post_build: |-
+# rm unused.files
+#post_install: |-
+# sed on %{name}.files
+#license: SUSE-NonFree
+#skip_noarch: 1
+#custom_build: |-
+#./Build build flags=%{?_smp_mflags} --myflag
+#custom_test: |-
+#startserver && make test
+#ignore_requires: Bizarre::Module
+#skip_doc: regexp_to_skip_for_doc.*
+#add_doc: files to add to docs
+#misc: |-
+#anything else to be added to spec file
+#follows directly after %files section, so it can contain new blocks or also
+#changes to %files section
diff --git a/perl-Net-Dropbox-API.changes b/perl-Net-Dropbox-API.changes
index 7bc0bcc..249c996 100644
--- a/perl-Net-Dropbox-API.changes
+++ b/perl-Net-Dropbox-API.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed May 28 14:58:49 UTC 2025 - Tina Müller
+
+- Add urandom.patch for secure tokens
+ https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 bsc#1240884
+
 -------------------------------------------------------------------
 Thu Feb 6 22:27:01 UTC 2025 - Tina Müller
diff --git a/perl-Net-Dropbox-API.spec b/perl-Net-Dropbox-API.spec
index 31d4206..cd0da42 100644
--- a/perl-Net-Dropbox-API.spec
+++ b/perl-Net-Dropbox-API.spec
@@ -26,6 +26,9 @@ License: Artistic-1.0 OR GPL-1.0-or-later
 Summary: Dropbox API interface
 URL: https://metacpan.org/release/%{cpan_name}
 Source0: https://cpan.metacpan.org/authors/id/N/NO/NORBU/%{cpan_name}-%{cpan_version}.tar.gz
+Source1: cpanspec.yml
+# PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036
+Patch0: urandom.patch
 BuildArch: noarch
 BuildRequires: perl
 BuildRequires: perl-macros
@@ -49,12 +52,16 @@ Requires: perl(common::sense)
 Provides: perl(Net::Dropbox::API) = %{version}
 %undefine __perllib_provides
 %{perl_requires}
+# MANUAL BEGIN
+BuildRequires: perl(Crypt::URandom)
+Requires: perl(Crypt::URandom)
+# MANUAL END
 %description
 A dropbox API interface
 %prep
-%autosetup -n %{cpan_name}-%{cpan_version} -p1
+%autosetup -n %{cpan_name}-%{cpan_version} -p1
 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -path "*/scripts/*" ! -name "configure" -print0 | xargs -0 chmod 644
diff --git a/urandom.patch b/urandom.patch
new file mode 100644
index 0000000..33ad7ca
--- /dev/null
+++ b/urandom.patch
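Review bot: The MANUAL block in the second hunk adds `Requires: perl(Crypt::URandom)`, but nothing in this commit retires the counterpart for `perl(Data::Random)`, which urandom.patch drops from Makefile.PL; if the generated `Requires:`/`BuildRequires: perl(Data::Random)` lines still stand elsewhere in the spec (they would sit outside this hunk, near the `Requires: perl(common::sense)` trailer), they are now stale and keep pulling in the module the fix was meant to remove. Since the spec is regenerated from cpanspec.yml, the cleaner place to handle that is probably `ignore_requires: Data::Random` in cpanspec.yml rather than a hand edit between the MANUAL markers, though whether that directive also covers BuildRequires should be checked. The Source1/Patch0 lines in the first hunk and the `-p1` in `%autosetup` are consistent with the `-p1` recorded for urandom.patch in cpanspec.yml.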
@@ -0,0 +1,60 @@
+commit e3a854a4305004b1b930dcde16e609ebccc9d78b
+Author: Tina Müller
+Date: Wed May 28 16:21:08 2025 +0200
+
+ Use Crypt::URandom for generation of nonce
+
+ See https://nvd.nist.gov/vuln/detail/CVE-2024-58036
+
+ The result is a string of hex digits with the same length as before, 16.
+
+diff --git a/Makefile.PL b/Makefile.PL
+index 0865ac2..301aac2 100644
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -12,7 +12,7 @@ requires 'JSON';
+ requires 'Mouse';
+ requires 'Encode';
+ requires 'Net::OAuth';
+-requires 'Data::Random';
++requires 'Crypt::URandom';
+ requires 'common::sense';
+ requires 'File::Basename';
+ requires 'LWP::UserAgent';
+diff --git a/lib/Net/Dropbox/API.pm b/lib/Net/Dropbox/API.pm
+index bcdec21..3d53799 100644
+--- a/lib/Net/Dropbox/API.pm
++++ b/lib/Net/Dropbox/API.pm
+@@ -8,7 +8,7 @@ use Net::OAuth;
+ use LWP::UserAgent;
+ use URI;
+ use HTTP::Request::Common;
+-use Data::Random qw(rand_chars);
++use Crypt::URandom qw(urandom);
+ use Encode;
+
+ =head1 NAME
+@@ -382,7 +382,7 @@ Generate a different nonce for every request.
+
+ =cut
+
+-sub nonce { join( '', rand_chars( size => 16, set => 'alphanumeric' )); }
++sub nonce { unpack("H*", urandom(8)); }
+
+ sub _talk {
+ my $self = shift;
+diff --git a/t/nonce.t b/t/nonce.t
+new file mode 100644
+index 0000000..7be9762
+--- /dev/null
++++ b/t/nonce.t
+@@ -0,0 +1,9 @@
++use strict;
++use warnings;
++use Test::More;
++use Net::Dropbox::API;
++
++my $nonce = Net::Dropbox::API::nonce();
++like $nonce, qr{^[a-zA-Z0-9]{16}\z}, 'expected nonce content';
++
++done_testing;
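Review bot: The new t/nonce.t only checks the shape of a single value, while `sub nonce { unpack("H*", urandom(8)); }` now emits lowercase hex, so the test can both tighten its character class and assert that successive calls differ, which is the property a nonce exists for: `like $nonce, qr{\A[0-9a-f]{16}\z}, 'expected nonce content';` followed by `isnt $nonce, Net::Dropbox::API::nonce(), 'nonces differ between calls';`. With `urandom(8)` each nonce carries 64 bits from the OS random source, which keeps the documented 16-character length and is adequate for per-request replay protection; if the consuming API accepts a longer value, `urandom(16)` would double that at no cost, but the commit's stated goal of preserving the length is a reasonable choice. The POD above `nonce` still says only that it generates a different nonce per request; a one-line addition such as `Returns 16 lowercase hex digits drawn from the operating system's random source via Crypt::URandom.` would record the new contract the test relies on. The Makefile.PL hunk swaps the dependency correctly, and since the new test loads the module it will catch any remaining `rand_chars` caller that the single removed `use` line would leave unresolved.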