Accepting request 1110811 from home:mschreiner:branches:devel:languages:python

- Add avoid-ddos-on-carefully-crafted-spec-files.patch.
  - This patch fixes an endless loop that could be triggered by carefully crafting
    a malicious RPM spec file.
  - Issue was reported by David Anes, who also contributed the patch.
  - More details on the .spec file.
- Update to v0.14.1.
  - For a full changelog here, please check the .changes file.

OBS-URL: https://build.opensuse.org/request/show/1110811
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-python-rpm-spec?expand=0&rev=12

avoid-DoS-on-carefully-crafted-spec-files.patch

@@ -0,0 +1,28 @@
+Index: python-rpm-spec-0.14.1/pyrpm/spec.py
+===================================================================
+--- python-rpm-spec-0.14.1.orig/pyrpm/spec.py
++++ python-rpm-spec-0.14.1/pyrpm/spec.py
+@@ -490,7 +490,7 @@ class Spec:
+         return spec
+ 
+ 
+-def replace_macros(string: str, spec: Spec) -> str:
++def replace_macros(string: str, spec: Spec, max_attempts: int = 1000) -> str:
+     """Replace all macros in given string with corresponding values.
+ 
+     For example, a string '%{name}-%{version}.tar.gz' will be transformed to 'foo-2.0.tar.gz'.
+@@ -552,10 +552,12 @@ def replace_macros(string: str, spec: Sp
+ 
+         return match.string[match.start() : match.end()]
+ 
+-    # Recursively expand macros
++    # Recursively expand macros, respecting the limit imposed by 'max_attempts'
+     # Note: If macros are not defined in the spec file, this won't try to
+     # expand them.
+-    while True:
++    attempt = 0
++    while attempt < max_attempts:
++        attempt += 1
+         ret = re.sub(_macro_pattern, get_replacement_string, string)
+         if ret != string:
+             string = ret

python-python-rpm-spec.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Wed Sep 13 06:08:44 UTC 2023 - Martin Schreiner <martin.schreiner@suse.com>
+
+- Add avoid-ddos-on-carefully-crafted-spec-files.patch.
+- Update to v0.14.1:
+  - Changes from v0.14.1:
+    - Fix replace_macro's behavior with user-defined conditional
+      macros.
+    - The parsing of package names was wrong when tab characters where
+      used in %package.
+    - Implement parsing of spec files where sub-packages (%package)
+      have their own sources and patches defined. Previously, the
+      parser would just fail with an error message like
+      AttributeError: 'Package' object has no attribute
+      'sources'. This is now fixed.
+    - Use SemVer for versioning. git tags are now prefixed with v,
+      e.g. v0.15.0 instead of 0.15.0.
+  - Changes from v0.14:
+    - Teach replace_macro how to deal with macros that are not wrapped
+      in curly braces.
+    - Add type annotations for tools like mypy, your IDE, and your
+      brain.
+  - Changes from v0.13:
+    - Fix parsing of BuildRequires:, Requires:, Conflicts:,
+      Obsoletes:, Provides: with comments at end of line..
+    - Add CI for Python 3.11.
+  - Changes from v0.12:
+    - Fix %description and %changelog with multi-line strings.
+  - Changes from v0.11:
+    - Add type annotations for tools like mypy, your IDE, and your
+      brain.
+    - replace_macros() function now always expects a Spec instance as
+      second argument. Does not make much sense without.
+    - Add support for parsing %description and %changelog.
+    - Add support for ExcludeArch and ExclusiveArch.
+    - Add warnings_enabled knob to issue warnings of type UserWarning
+      during spec file parsing.
+
 -------------------------------------------------------------------
 Tue Nov 17 04:47:01 UTC 2020 - John Vandenberg <jayvdb@gmail.com>
 

python-python-rpm-spec.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-python-rpm-spec
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,21 @@
 
 
 %define skip_python2 1
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-python-rpm-spec
-Version:        0.10
+Version:        0.14.1
 Release:        0
 Summary:        Python module for parsing RPM spec files
 License:        MIT
 Group:          Development/Libraries/Python
 URL:            https://github.com/bkircher/python-rpm-spec
 Source0:        https://files.pythonhosted.org/packages/source/p/python-rpm-spec/python-rpm-spec-%{version}.tar.gz
+# PATCH-FIX-OPENSUSE avoid-DoS-on-carefully-crafted-spec-files.patch bsc#1215274
+# this patch fixes an endless loop that could be triggered by carefully crafting
+# a malicious RPM spec file that uses macro expansions, causing a denial-of-service
+# PR to upstream code here: https://github.com/bkircher/python-rpm-spec/pull/62
+Patch0:         avoid-DoS-on-carefully-crafted-spec-files.patch
+BuildRequires:  %{python_module flit}
+BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
@@ -42,12 +48,13 @@ access to various bits of information that is contained in the spec file.
 
 %prep
 %setup -q -n python-rpm-spec-%{version}
+%patch0 -p1
 
 %build
-%python_build
+%pyproject_wheel
 
 %install
-%python_install
+%pyproject_install
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
 %check
@@ -56,6 +63,7 @@ access to various bits of information that is contained in the spec file.
 %files %{python_files}
 %doc CHANGELOG* README*
 %license LICENSE*
-%{python_sitelib}/*
+%{python_sitelib}/python_rpm_spec-%{version}*-info
+%{python_sitelib}/pyrpm
 
 %changelog

python-rpm-spec-0.10.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:19ce7d5cc305c883bbd36a1d2d8afc8a4b02f9dc5ef1c9a5bfd753c1cfdc16f1
-size 36393

python-rpm-spec-0.14.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0d4224d21ae59b60b19676cb9db027d1af132868cf8d0b4650960ff9468ebb4a
+size 59082