Accepting request 1238297 from devel:languages:perl

- Also provide perl(XML::Twig::XPath), as provided by the file
  /usr/lib/perl5/vendor_perl/*/XML/Twig/XPath.pm. (forwarded request 1238296 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/1238297
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/perl-XML-Twig?expand=0&rev=37

cpanspec.yml

@@ -4,16 +4,18 @@
 #sources:
 #  - source1
 #  - source2
-#patches:
-#  foo.patch: -p1
-#  bar.patch:
+patches:
+  perl-XML-Twig-CVE-2016-9180.patch: -p1
 preamble: |-
  BuildRequires:  expat
  BuildRequires:  perl-HTML-Tidy
  BuildRequires:  perl-IO-CaptureOutput
+ BuildRequires:  perl-Test-Exception
  BuildRequires:  perl-Test-Pod
+ BuildRequires:  perl-Text-Iconv
  BuildRequires:  perl-Text-Wrapper
  BuildRequires:  perl-Tie-IxHash
+ BuildRequires:  perl-Unicode-Map8
  BuildRequires:  perl-XML-Filter-BufferText
  BuildRequires:  perl-XML-Handler-YAWriter
  BuildRequires:  perl-XML-Parser
@@ -24,8 +26,3 @@ preamble: |-
  Requires:       expat
  Requires:       perl-XML-Parser
  Requires:       perl(Encode)
- BuildRequires:     perl-HTML-Tidy
- BuildRequires:     perl-Text-Wrapper
- BuildRequires:     perl-Tie-IxHash
- BuildRequires:     perl-XML-XPath
- BuildRequires:     perl-XML-XPathEngine

perl-XML-Twig-CVE-2016-9180.patch

@@ -0,0 +1,85 @@
+Description: Update documentation for XML::Twig.
+ Mention problems with expand_external_ents and add
+ information about new no_xxe argument.
+ .
+ Additionally add tests for both expand_external_ents and no_xxe.
+Origin: vendor
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
+Bug-Debian: https://bugs.debian.org/842893
+Author: gregor herrmann <gregoa@debian.org>
+Last-Update: 2019-03-30
+
+--- a/Twig_pm.slow
++++ b/Twig_pm.slow
+@@ -10561,6 +10561,15 @@
+ pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
+ cases.
+ 
++B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
++as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
++To completely turn off expanding external entities use C<no_xxe>.
++
++=item no_xxe
++
++If this argument is set to a true value, expanding of external entities is
++turned off.
++
+ =item load_DTD
+ 
+ If this argument is set to a true value, C<parse> or C<parsefile> on the twig
+--- /dev/null
++++ b/t/CVE-2016-9180.t
+@@ -0,0 +1,41 @@
++#!/usr/bin/perl
++
++use strict;
++use warnings;
++use Test::More;
++use Test::Exception;
++
++BEGIN { use_ok('XML::Twig'); }
++
++my $twig = XML::Twig->new( expand_external_ents => 1 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++my $result = $twig->sprint;
++like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
++
++TODO: {
++    local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
++
++$twig = XML::Twig->new( expand_external_ents => 0 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++unlike( $result, qr/Boom/,
++    'external entity not expanded (expand_external_ents 0)' );
++
++$twig = XML::Twig->new( expand_external_ents => -1 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++unlike( $result, qr/Boom/,
++    'external entity not expanded and no fail (expand_external_ents -1)' );
++
++}
++
++$twig = XML::Twig->new( no_xxe => 1 );
++throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
++    'external entity not expanded (no_xxe 1)';
++
++$twig = XML::Twig->new( no_xxe => 0 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
++
++done_testing();
+--- /dev/null
++++ b/t/CVE-2016-9180.txt
+@@ -0,0 +1 @@
++Boom
+--- /dev/null
++++ b/t/CVE-2016-9180.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE foo [
++	<!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
++]>
++<root>&xxe;</root>

perl-XML-Twig.changes

@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Thu Jan 16 15:51:17 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Also provide perl(XML::Twig::XPath), as provided by the file
+  /usr/lib/perl5/vendor_perl/*/XML/Twig/XPath.pm.
+
+-------------------------------------------------------------------
+Fri Jan 10 17:56:14 UTC 2025 - Tina Müller <tina.mueller@suse.com>
+
+- Update perl-XML-Twig-CVE-2016-9180.patch
+
+-------------------------------------------------------------------
+Sat Dec 14 05:34:55 UTC 2024 - Tina Müller <timueller+perl@suse.de>
+
+- updated to 3.530.0 (3.53)
+   see /usr/share/doc/packages/perl-XML-Twig/Changes
+
+  3.53 - 2024-12-10 - minor maintenance release
+  - fixed warning from recent perl version
+    See RT#155759 https://rt.cpan.org/Public/Bug/Display.html?id=155759
+  - fixed bug with namespaced elements in navigation
+  - added multiclass selectors in navigation and handler triggers
+    (css style, eg elt.class1.class2)
+  - fixed bug with dots in element names confusing navigation
+    conditions in some cases
+  - fixed output when a CDATA section includes a CDATA end marker
+    spotted by Djibril
+
+-------------------------------------------------------------------
+Mon Mar  4 16:15:09 UTC 2024 - pgajdos@suse.com
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+  %patchN
+
+-------------------------------------------------------------------
+Mon Jul 13 17:35:09 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix [bsc#1008644, CVE-2016-9180]
+  * Setting expand_external_ents to 0 or -1 currently doesn't work  
+    as expected; To completely turn off expanding external entities
+    use no_xxe.
+  * Update documentation for XML::Twig to mention problems with
+    expand_external_ents and add information about new no_xxe argument
+  * Add test CVE-2016-9180.t
+  * Add test build-requirements:
+    perl-Test-Exception, perl-Text-Iconv, perl-Unicode-Map8
+- Add perl-XML-Twig-CVE-2016-9180.patch
+
 -------------------------------------------------------------------
 Thu Nov 24 07:28:15 UTC 2016 - coolo@suse.com
 

perl-XML-Twig.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-XML-Twig
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,34 +12,46 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
-Name:           perl-XML-Twig
-Version:        3.52
-Release:        0
 %define cpan_name XML-Twig
-Summary:        Perl Module for Processing Huge Xml Documents in Tree Mode
-License:        Artistic-1.0 or GPL-1.0+
-Group:          Development/Libraries/Perl
-Url:            http://search.cpan.org/dist/XML-Twig/
-Source0:        http://www.cpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{version}.tar.gz
+Name:           perl-XML-Twig
+Version:        3.530.0
+Release:        0
+# 3.53 -> normalize -> 3.530.0
+%define cpan_version 3.53
+License:        Artistic-1.0 OR GPL-1.0-or-later
+Summary:        XML, The Perl Way
+URL:            https://metacpan.org/release/%{cpan_name}
+Source0:        https://cpan.metacpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{cpan_version}.tar.gz
 Source1:        cpanspec.yml
+Patch0:         perl-XML-Twig-CVE-2016-9180.patch
 BuildArch:      noarch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
 BuildRequires:  perl-macros
 BuildRequires:  perl(XML::Parser) >= 2.23
 Requires:       perl(XML::Parser) >= 2.23
+Provides:       perl(XML::Twig) = %{version}
+Provides:       perl(XML::Twig::Elt)
+Provides:       perl(XML::Twig::Entity)
+Provides:       perl(XML::Twig::Entity_list)
+Provides:       perl(XML::Twig::Notation)
+Provides:       perl(XML::Twig::Notation_list)
+Provides:       perl(XML::Twig::XPath)
+%undefine       __perllib_provides
 %{perl_requires}
 # MANUAL BEGIN
 BuildRequires:  expat
 BuildRequires:  perl-HTML-Tidy
 BuildRequires:  perl-IO-CaptureOutput
+BuildRequires:  perl-Test-Exception
 BuildRequires:  perl-Test-Pod
+BuildRequires:  perl-Text-Iconv
 BuildRequires:  perl-Text-Wrapper
 BuildRequires:  perl-Tie-IxHash
+BuildRequires:  perl-Unicode-Map8
 BuildRequires:  perl-XML-Filter-BufferText
 BuildRequires:  perl-XML-Handler-YAWriter
 BuildRequires:  perl-XML-Parser
@@ -50,11 +62,6 @@ BuildRequires:  perl-XML-XPathEngine
 Requires:       expat
 Requires:       perl-XML-Parser
 Requires:       perl(Encode)
-BuildRequires:  perl-HTML-Tidy
-BuildRequires:  perl-Text-Wrapper
-BuildRequires:  perl-Tie-IxHash
-BuildRequires:  perl-XML-XPath
-BuildRequires:  perl-XML-XPathEngine
 # MANUAL END
 
 %description
@@ -74,15 +81,16 @@ care of a lot of the (usually) annoying (but sometimes necessary) features
 that come with XML and XML::Parser.
 
 %prep
-%setup -q -n %{cpan_name}-%{version}
-find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
+%autosetup  -n %{cpan_name}-%{cpan_version} -p1
+
+find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -path "*/scripts/*" ! -name "configure" -print0 | xargs -0 chmod 644
 
 %build
-%{__perl} Makefile.PL INSTALLDIRS=vendor
-%{__make} %{?_smp_mflags}
+perl Makefile.PL INSTALLDIRS=vendor
+%make_build
 
 %check
-%{__make} test
+make test
 
 %install
 %perl_make_install
@@ -90,7 +98,6 @@ find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
 %perl_gen_filelist
 
 %files -f %{name}.files
-%defattr(-,root,root,755)
 %doc Changes check_optional_modules filter_for_5.005 README speedup Twig_pm.slow
 
 %changelog