Add CVE-2025-68480.patch to fix CVE-2025-68480 (bsc#1255473)

2026-01-09 16:32:13 +01:00
3 changed files with 113 additions and 0 deletions
--- a/CVE-2025-68480.patch
+++ b/CVE-2025-68480.patch
@@ -0,0 +1,106 @@
 From 0356a3f1c307830f8ded56d823abca5611c594c9 Mon Sep 17 00:00:00 2001
 From: Jared Deckard <jared@shademaps.com>
 Date: Thu, 18 Dec 2025 23:57:28 -0600
 Subject: [PATCH 1/4] Merge error store messages without rebuilding collections
 ---
 src/marshmallow/error_store.py | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
 Index: marshmallow-3.20.2/src/marshmallow/error_store.py
 ===================================================================
 --- marshmallow-3.20.2.orig/src/marshmallow/error_store.py
 +++ marshmallow-3.20.2/src/marshmallow/error_store.py
@@ -18,12 +18,19 @@ class ErrorStore:
         # field error  -> store/merge error messages under field name key
         # schema error -> if string or list, store/merge under _schema key
         #              -> if dict, store/merge with other top-level keys
 +        messages = copy_containers(messages)
         if field_name != SCHEMA or not isinstance(messages, dict):
             messages = {field_name: messages}
         if index is not None:
             messages = {index: messages}
         self.errors = merge_errors(self.errors, messages)
 +def copy_containers(errors):
 +    if isinstance(errors, list):
 +        return [copy_containers(val) for val in errors]
 +    if isinstance(errors, dict):
 +        return {key: copy_containers(val) for key, val in errors.items()}
 +    return errors
 def merge_errors(errors1, errors2):
     """Deeply merge two error messages.
@@ -37,24 +44,26 @@ def merge_errors(errors1, errors2):
         return errors1
     if isinstance(errors1, list):
         if isinstance(errors2, list):
 -            return errors1 + errors2
 +            errors1.extend(errors2)
 +            return errors1
         if isinstance(errors2, dict):
 -            return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
 -        return errors1 + [errors2]
 +            errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
 +            return errors2
 +        errors1.append(errors2)
 +        return errors1
     if isinstance(errors1, dict):
 -        if isinstance(errors2, list):
 -            return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
         if isinstance(errors2, dict):
 -            errors = dict(errors1)
             for key, val in errors2.items():
 -                if key in errors:
 -                    errors[key] = merge_errors(errors[key], val)
 +                if key in errors1:
 +                    errors1[key] = merge_errors(errors1[key], val)
                 else:
 -                    errors[key] = val
 -            return errors
 -        return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
 +                    errors1[key] = val
 +            return errors1
 +        errors1[SCHEMA] = merge_errors(errors1.get(SCHEMA), errors2)
 +        return errors1
     if isinstance(errors2, list):
 -        return [errors1] + errors2
 +        return [errors1, *errors2]
     if isinstance(errors2, dict):
 -        return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
 +        errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
 +        return errors2
     return [errors1, errors2]
 Index: marshmallow-3.20.2/tests/test_error_store.py
 ===================================================================
 --- marshmallow-3.20.2.orig/tests/test_error_store.py
 +++ marshmallow-3.20.2/tests/test_error_store.py
@@ -1,7 +1,7 @@
 from collections import namedtuple
 from marshmallow import missing
 -from marshmallow.error_store import merge_errors
 +from marshmallow.error_store import merge_errors, ErrorStore
 def test_missing_is_falsy():
@@ -141,3 +141,19 @@ class TestMergeErrors:
         assert {"field1": {"field2": ["error1", "error2"]}} == merge_errors(
             {"field1": {"field2": "error1"}}, {"field1": {"field2": "error2"}}
         )
 +
 +    def test_list_not_changed(self):
 +        store = ErrorStore()
 +        message = ["foo"]
 +        store.store_error(message)
 +        store.store_error(message)
 +        assert message == ["foo"]
 +        assert store.errors == {"_schema": ["foo", "foo"]}
 +
 +    def test_dict_not_changed(self):
 +        store = ErrorStore()
 +        message = {"foo": ["bar"]}
 +        store.store_error(message)
 +        store.store_error(message)
 +        assert message == {"foo": ["bar"]}
 +        assert store.errors == {"foo": ["bar", "bar"]}
--- a/python-marshmallow.changes
+++ b/python-marshmallow.changes
@@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Fri Jan  9 15:08:39 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
 - Add CVE-2025-68480.patch to fix CVE-2025-68480 (bsc#1255473)
 -------------------------------------------------------------------
 Sun Oct 27 22:54:09 UTC 2024 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
--- a/python-marshmallow.spec
+++ b/python-marshmallow.spec
@@ -27,6 +27,8 @@ URL:            https://marshmallow.readthedocs.io/
 Source:         https://files.pythonhosted.org/packages/source/m/marshmallow/marshmallow-%{version}.tar.gz
 # https://github.com/humitos/sphinx-version-warning/issues/22
 Patch0:         python-marshmallow-no-version-warning.patch
 # PATCH-FIX-UPSTREAM CVE-2025-68480.patch bsc#1255473
 Patch1:         CVE-2025-68480.patch
 BuildRequires:  %{python_module autodocsumm}
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module pip}