Accepting request 1281384 from devel:languages:perl

OBS-URL: https://build.opensuse.org/request/show/1281384
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/perl-Net-Dropbox-API?expand=0&rev=4

cpanspec.yml

@@ -0,0 +1,36 @@
+---
+#description_paragraphs: 3
+#description: |-
+#  override description from CPAN
+#summary: override summary from CPAN
+#no_testing: broken upstream
+#sources:
+#  - source1
+#  - source2
+patches:
+  urandom.patch: -p1 PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036
+#  bar.patch:
+#  baz.patch: PATCH-FIX-OPENSUSE
+preamble: |-
+  BuildRequires:  perl(Crypt::URandom)
+  Requires:       perl(Crypt::URandom)
+#post_prep: |-
+# hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s,  *,,g'`
+# sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL 
+#post_build: |-
+# rm unused.files
+#post_install: |-
+# sed on %{name}.files
+#license: SUSE-NonFree
+#skip_noarch: 1
+#custom_build: |-
+#./Build build flags=%{?_smp_mflags} --myflag
+#custom_test: |-
+#startserver && make test
+#ignore_requires: Bizarre::Module
+#skip_doc: regexp_to_skip_for_doc.*
+#add_doc: files to add to docs
+#misc: |-
+#anything else to be added to spec file
+#follows directly after %files section, so it can contain new blocks or also
+#changes to %files section

perl-Net-Dropbox-API.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed May 28 14:58:49 UTC 2025 - Tina Müller <tina.mueller@suse.com>
+
+- Add urandom.patch for secure tokens
+  https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036 bsc#1240884
+  Add cpanspec.yml file used by cpanspec for autogenerating the spec.
+
+-------------------------------------------------------------------
+Thu Feb  6 22:27:01 UTC 2025 - Tina Müller <tina.mueller@suse.com>
+
+- Normalize CPAN version
+  See https://github.com/openSUSE/cpanspec/issues/47 for details
+
 -------------------------------------------------------------------
 Sat Mar 17 05:15:01 UTC 2018 - bwiedemann@suse.com
 

perl-Net-Dropbox-API.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-Net-Dropbox-API
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,24 +12,28 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
-Name:           perl-Net-Dropbox-API
-Version:        1.9
-Release:        0
 %define cpan_name Net-Dropbox-API
-Summary:        A dropbox API interface
+Name:           perl-Net-Dropbox-API
-License:        Artistic-1.0 or GPL-1.0+
+Version:        1.900.0
-Group:          Development/Libraries/Perl
+Release:        0
-Url:            http://search.cpan.org/dist/Net-Dropbox-API/
+# 1.9 -> normalize -> 1.900.0
-Source:         http://www.cpan.org/authors/id/N/NO/NORBU/%{cpan_name}-%{version}.tar.gz
+%define cpan_version 1.9
+License:        Artistic-1.0 OR GPL-1.0-or-later
+Summary:        Dropbox API interface
+URL:            https://metacpan.org/release/%{cpan_name}
+Source0:        https://cpan.metacpan.org/authors/id/N/NO/NORBU/%{cpan_name}-%{cpan_version}.tar.gz
+Source1:        cpanspec.yml
+# PATCH-FIX-OPENSUSE https://github.com/norbu09/Net--Dropbox/pull/20 CVE-2024-58036
+Patch0:         urandom.patch
 BuildArch:      noarch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
 BuildRequires:  perl-macros
 BuildRequires:  perl(Data::Random)
+BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.36
 BuildRequires:  perl(HTTP::Request::Common)
 BuildRequires:  perl(JSON)
 BuildRequires:  perl(LWP::UserAgent)
@@ -45,21 +49,28 @@ Requires:       perl(Mouse)
 Requires:       perl(Net::OAuth)
 Requires:       perl(URI)
 Requires:       perl(common::sense)
+Provides:       perl(Net::Dropbox::API) = %{version}
+%undefine       __perllib_provides
 %{perl_requires}
+# MANUAL BEGIN
+BuildRequires:  perl(Crypt::URandom)
+Requires:       perl(Crypt::URandom)
+# MANUAL END
 
 %description
 A dropbox API interface
 
 %prep
-%setup -q -n %{cpan_name}-%{version}
+%autosetup -n %{cpan_name}-%{cpan_version} -p1
-find . -type f -print0 | xargs -0 chmod 644
+
+find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -path "*/scripts/*" ! -name "configure" -print0 | xargs -0 chmod 644
 
 %build
-PERL5LIB=. %{__perl} Makefile.PL INSTALLDIRS=vendor
+PERL_USE_UNSAFE_INC=1 perl Makefile.PL INSTALLDIRS=vendor
-%{__make} %{?_smp_mflags}
+%make_build
 
 %check
-%{__make} test
+make test
 
 %install
 %perl_make_install
@@ -67,7 +78,6 @@ PERL5LIB=. %{__perl} Makefile.PL INSTALLDIRS=vendor
 %perl_gen_filelist
 
 %files -f %{name}.files
-%defattr(-,root,root,755)
 %doc Changes examples ignore.txt README
 
 %changelog

urandom.patch

@@ -0,0 +1,60 @@
+commit e3a854a4305004b1b930dcde16e609ebccc9d78b
+Author: Tina Müller <cpan2@tinita.de>
+Date:   Wed May 28 16:21:08 2025 +0200
+
+    Use Crypt::URandom for generation of nonce
+    
+    See https://nvd.nist.gov/vuln/detail/CVE-2024-58036
+    
+    The result is a string of hex digits with the same length as before, 16.
+
+diff --git a/Makefile.PL b/Makefile.PL
+index 0865ac2..301aac2 100644
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -12,7 +12,7 @@ requires 'JSON';
+ requires 'Mouse';
+ requires 'Encode';
+ requires 'Net::OAuth';
+-requires 'Data::Random';
++requires 'Crypt::URandom';
+ requires 'common::sense';
+ requires 'File::Basename';
+ requires 'LWP::UserAgent';
+diff --git a/lib/Net/Dropbox/API.pm b/lib/Net/Dropbox/API.pm
+index bcdec21..3d53799 100644
+--- a/lib/Net/Dropbox/API.pm
++++ b/lib/Net/Dropbox/API.pm
+@@ -8,7 +8,7 @@ use Net::OAuth;
+ use LWP::UserAgent;
+ use URI;
+ use HTTP::Request::Common;
+-use Data::Random qw(rand_chars);
++use Crypt::URandom qw(urandom);
+ use Encode;
+ 
+ =head1 NAME
+@@ -382,7 +382,7 @@ Generate a different nonce for every request.
+ 
+ =cut
+ 
+-sub nonce { join( '', rand_chars( size => 16, set => 'alphanumeric' )); }
++sub nonce { unpack("H*", urandom(8)); }
+ 
+ sub _talk {
+     my $self    = shift;
+diff --git a/t/nonce.t b/t/nonce.t
+new file mode 100644
+index 0000000..7be9762
+--- /dev/null
++++ b/t/nonce.t
+@@ -0,0 +1,9 @@
++use strict;
++use warnings;
++use Test::More;
++use Net::Dropbox::API;
++
++my $nonce = Net::Dropbox::API::nonce();
++like $nonce, qr{^[a-zA-Z0-9]{16}\z}, 'expected nonce content';
++
++done_testing;