Add CVE-2025-68480.patch to fix CVE-2025-68480 (bsc#1255473)

CVE-2025-68480.patch

@@ -0,0 +1,106 @@
+From 0356a3f1c307830f8ded56d823abca5611c594c9 Mon Sep 17 00:00:00 2001
+From: Jared Deckard <jared@shademaps.com>
+Date: Thu, 18 Dec 2025 23:57:28 -0600
+Subject: [PATCH 1/4] Merge error store messages without rebuilding collections
+
+---
+ src/marshmallow/error_store.py | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+Index: marshmallow-3.20.2/src/marshmallow/error_store.py
+===================================================================
+--- marshmallow-3.20.2.orig/src/marshmallow/error_store.py
++++ marshmallow-3.20.2/src/marshmallow/error_store.py
+@@ -18,12 +18,19 @@ class ErrorStore:
+         # field error  -> store/merge error messages under field name key
+         # schema error -> if string or list, store/merge under _schema key
+         #              -> if dict, store/merge with other top-level keys
++        messages = copy_containers(messages)
+         if field_name != SCHEMA or not isinstance(messages, dict):
+             messages = {field_name: messages}
+         if index is not None:
+             messages = {index: messages}
+         self.errors = merge_errors(self.errors, messages)
+ 
++def copy_containers(errors):
++    if isinstance(errors, list):
++        return [copy_containers(val) for val in errors]
++    if isinstance(errors, dict):
++        return {key: copy_containers(val) for key, val in errors.items()}
++    return errors
+ 
+ def merge_errors(errors1, errors2):
+     """Deeply merge two error messages.
+@@ -37,24 +44,26 @@ def merge_errors(errors1, errors2):
+         return errors1
+     if isinstance(errors1, list):
+         if isinstance(errors2, list):
+-            return errors1 + errors2
++            errors1.extend(errors2)
++            return errors1
+         if isinstance(errors2, dict):
+-            return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
+-        return errors1 + [errors2]
++            errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
++            return errors2
++        errors1.append(errors2)
++        return errors1
+     if isinstance(errors1, dict):
+-        if isinstance(errors2, list):
+-            return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
+         if isinstance(errors2, dict):
+-            errors = dict(errors1)
+             for key, val in errors2.items():
+-                if key in errors:
+-                    errors[key] = merge_errors(errors[key], val)
++                if key in errors1:
++                    errors1[key] = merge_errors(errors1[key], val)
+                 else:
+-                    errors[key] = val
+-            return errors
+-        return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
++                    errors1[key] = val
++            return errors1
++        errors1[SCHEMA] = merge_errors(errors1.get(SCHEMA), errors2)
++        return errors1
+     if isinstance(errors2, list):
+-        return [errors1] + errors2
++        return [errors1, *errors2]
+     if isinstance(errors2, dict):
+-        return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
++        errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
++        return errors2
+     return [errors1, errors2]
+Index: marshmallow-3.20.2/tests/test_error_store.py
+===================================================================
+--- marshmallow-3.20.2.orig/tests/test_error_store.py
++++ marshmallow-3.20.2/tests/test_error_store.py
+@@ -1,7 +1,7 @@
+ from collections import namedtuple
+ 
+ from marshmallow import missing
+-from marshmallow.error_store import merge_errors
++from marshmallow.error_store import merge_errors, ErrorStore
+ 
+ 
+ def test_missing_is_falsy():
+@@ -141,3 +141,19 @@ class TestMergeErrors:
+         assert {"field1": {"field2": ["error1", "error2"]}} == merge_errors(
+             {"field1": {"field2": "error1"}}, {"field1": {"field2": "error2"}}
+         )
++
++    def test_list_not_changed(self):
++        store = ErrorStore()
++        message = ["foo"]
++        store.store_error(message)
++        store.store_error(message)
++        assert message == ["foo"]
++        assert store.errors == {"_schema": ["foo", "foo"]}
++
++    def test_dict_not_changed(self):
++        store = ErrorStore()
++        message = {"foo": ["bar"]}
++        store.store_error(message)
++        store.store_error(message)
++        assert message == {"foo": ["bar"]}
++        assert store.errors == {"foo": ["bar", "bar"]}

_multibuild

@@ -1,3 +0,0 @@
-<multibuild>
-  <package>doc</package>
-</multibuild>

marshmallow-3.26.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bbe2adb5a03e6e3571b573f42527c6fe926e17467833660bebd11593ab8dfd57
-size 222095

python-marshmallow-no-version-warning.patch

@@ -0,0 +1,50 @@
+#I can't look into the issue deeply right now, but you can probably just
+#comment out 'versionwarning.extension' in docs/conf.py temporarily to get
+#past the error.
+#
+#
+#StevenLoria.com
+#
+#
+#On Wed, Mar 27, 2019 at 4:56 AM pgajdos <pgajdos@suse.cz> wrote:
+#
+#> Hello,
+#>
+#> I am currently trying to build above, versions:
+#> marshmallow 2.19.1
+#> sphinx-version-warning 1.1.2, tried also 1.1.1
+#>
+#> I am getting following error:
+#>
+#> [    4s] Exception occurred:
+#> [    4s]   File
+#> "/usr/lib/python3.7/site-packages/versionwarning/signals.py", line 66, in
+#> generate_versionwarning_data_json
+#> [    4s]     os.mkdir(data_path)
+#> [    4s] PermissionError: [Errno 13] Permission denied:
+#> '/usr/lib/python3.7/site-packages/versionwarning/_static/data'
+#> [    4s] The full traceback has been saved in
+#> /tmp/sphinx-err-ltqp3qvg.log, if you want to report the issue to the
+#> developers.
+#> [    4s] Please also report this if it was a user error, so that a better
+#> error message can be provided next time.
+#> [    4s] A bug report can be filed in the tracker at <
+#> https://github.com/sphinx-doc/sphinx/issues>. Thanks!
+#> [    4s] make: *** [Makefile:53: html] Error 2
+#> [    4s] error: Bad exit status from /var/tmp/rpm-tmp.X6uCeq (%build)
+#>
+#> I am perhaps hitting
+#>
+# https://github.com/humitos/sphinx-version-warning/issues/22
+Index: marshmallow-3.7.1/docs/conf.py
+===================================================================
+--- marshmallow-3.7.1.orig/docs/conf.py
++++ marshmallow-3.7.1/docs/conf.py
+@@ -14,7 +14,6 @@ extensions = [
+     "sphinx.ext.viewcode",
+     "alabaster",
+     "sphinx_issues",
+-    "versionwarning.extension",
+     "autodocsumm",
+ ]
+ 

python-marshmallow.changes

@@ -1,21 +1,7 @@
 -------------------------------------------------------------------
-Mon Dec 29 13:59:28 UTC 2025 - Markéta Machová <mmachova@suse.com>
+Fri Jan  9 15:08:39 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
 
-- update to 3.26.2 (bsc#1255473)
+- Add CVE-2025-68480.patch to fix CVE-2025-68480 (bsc#1255473)
-  * __version__, __parsed_version__, and __version_info__ attributes
-   are deprecated (:issue:`2227`). Use feature detection or
-   importlib.metadata.version("marshmallow") instead.
-  * Add many Meta option to Schema so it expects a collection by default.
-  * Drop support for Python 3.8.
-  * Improve type hint formatting for Field, Nested, and Function fields
-    to resolve PyCharm warnings.
-  * Custom validators should raise a ValidationError for invalid values.
-  * Deprecate context parameter of Schema.
-  * Field, Mapping, and Number should no longer be used as fields within
-    schemas. Use their subclasses instead.
-  * Typing: Improve type annotations
-  * CVE-2025-68480: Merge error store messages without rebuilding collections.
-- Drop python-marshmallow-no-version-warning.patch, fixed upstream
 
 -------------------------------------------------------------------
 Sun Oct 27 22:54:09 UTC 2024 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
@@ -265,7 +251,7 @@ Wed Sep 11 12:45:35 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
 -------------------------------------------------------------------
 Mon Aug 26 14:10:28 UTC 2019 - Marketa Calabkova <mcalabkova@suse.com>
 
-- Update to 3.0.1 (bsc#1109179, CVE-2018-17175):
+- Update to 3.0.1
   * Many changes, some of them breaking. For example:
   * Remove support for Python 2 (#1120). Only Python>=3.5 is supported.
   * Allow input value to be included in error messages for a number of fields.

python-marshmallow.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-marshmallow
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,27 +16,23 @@
 #
 
 
-%global flavor @BUILD_FLAVOR@%{nil}
-%if "%{flavor}" == "doc"
-%define psuffix -doc
-%bcond_without doc
-%else
-%define psuffix %{nil}
-%bcond_with doc
-%endif
 %{?sle15_python_module_pythons}
 Name:           python-marshmallow
-Version:        3.26.2
+Version:        3.20.2
 Release:        0
 Summary:        ORM/ODM/framework-agnostic library to convert datatypes from/to Python types
 License:        BSD-3-Clause AND MIT
 Group:          Development/Languages/Python
 URL:            https://marshmallow.readthedocs.io/
 Source:         https://files.pythonhosted.org/packages/source/m/marshmallow/marshmallow-%{version}.tar.gz
+# https://github.com/humitos/sphinx-version-warning/issues/22
+Patch0:         python-marshmallow-no-version-warning.patch
+# PATCH-FIX-UPSTREAM CVE-2025-68480.patch bsc#1255473
+Patch1:         CVE-2025-68480.patch
 BuildRequires:  %{python_module autodocsumm}
 BuildRequires:  %{python_module base >= 3.8}
-BuildRequires:  %{python_module flit-core}
 BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
@@ -45,29 +41,22 @@ Suggests:       %{name}-doc
 Suggests:       python-python-dateutil
 Suggests:       python-simplejson
 BuildArch:      noarch
-%if %{with doc}
 # SECTION doc build requirements
 %if 0%{?suse_version} == 1500 && 0%{?sle_version} >= 150400
 BuildRequires:  %{python_module Sphinx}
-BuildRequires:  %{python_module furo}
+BuildRequires:  %{python_module alabaster}
-BuildRequires:  %{python_module marshmallow = %{version}}
-BuildRequires:  %{python_module sphinx-autodoc-typehints}
-BuildRequires:  %{python_module sphinx-copybutton}
 BuildRequires:  %{python_module sphinx-issues}
-BuildRequires:  %{python_module sphinxext-opengraph}
+BuildRequires:  %{python_module sphinx-version-warning}
 %else
 BuildRequires:  python3-Sphinx
-BuildRequires:  python3-furo
+BuildRequires:  python3-alabaster
-BuildRequires:  python3-marshmallow = %{version}
-BuildRequires:  python3-sphinx-autodoc-typehints
 BuildRequires:  python3-sphinx-issues
-BuildRequires:  python3-sphinxcontrib-copybutton
+BuildRequires:  python3-sphinx-version-warning
-BuildRequires:  python3-sphinxext-opengraph
 %endif
 # /SECTION
-%endif
 # SECTION test requirements
 BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module pytz}
 BuildRequires:  %{python_module simplejson}
 # /SECTION
 %python_subpackages
@@ -76,7 +65,7 @@ BuildRequires:  %{python_module simplejson}
 marshmallow is an ORM/ODM/framework-agnostic library for converting complex
 datatypes, such as objects, to and from native Python datatypes.
 
-%if %{with doc}
+%if 0%{?suse_version} > 1500
 %package -n %{name}-doc
 Summary:        Documentation files for %{name}
 Group:          Documentation/Other
@@ -92,31 +81,26 @@ HTML Documentation and examples for %{name}.
 %autopatch -p1
 
 %build
-%if !%{with doc}
 %pyproject_wheel
-%else
 sphinx-build docs/ docs/_build/html
 rm -r docs/_build/html/.buildinfo docs/_build/html/.doctrees
-%endif
 
 %install
-%if !%{with doc}
 %pyproject_install
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
 %check
-# test_from_timestamp_with_overflow_value fails on 32bit with different error (the value gets caught earlier)
+%pytest
-%pytest -k "not test_from_timestamp_with_overflow_value"
 
 %files %{python_files}
-%doc CHANGELOG.rst README.rst
+%doc AUTHORS.rst CHANGELOG.rst README.rst
 %license LICENSE NOTICE
 %{python_sitelib}/marshmallow
 %{python_sitelib}/marshmallow-*.dist-info
-%else
 
+%if 0%{?suse_version} > 1500
 %files -n %{name}-doc
-%doc docs/examples docs/_build/html/
 %endif
+%doc examples docs/_build/html/
 
 %changelog