Fix write outsize of allocated memory on json dump

Add CVE-2025-67221.patch to fix write outsize of allocated memory on json dump (bsc#1257121, gh#ijl/orjson#637)
2026-01-26 09:53:38 +01:00
8 changed files with 28 additions and 56 deletions
--- a/CVE-2025-67221.patch
+++ b/CVE-2025-67221.patch
@@ -21,25 +21,25 @@ Fix https://github.com/ijl/orjson/issues/636
 src/serialize/writer/formatter.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-Index: orjson-3.11.5/src/serialize/writer/formatter.rs
+Index: orjson-3.10.15/src/serialize/writer/formatter.rs
 ===================================================================
--- orjson-3.11.5.orig/src/serialize/writer/formatter.rs
-+++ orjson-3.11.5/src/serialize/writer/formatter.rs
-@@ -131,7 +131,7 @@ pub(crate) trait Formatter {
+--- orjson-3.10.15.orig/src/serialize/writer/formatter.rs
+++ orjson-3.10.15/src/serialize/writer/formatter.rs
+@@ -202,7 +202,7 @@ pub trait Formatter {
     where
-         W: ?Sized + WriteExt + bytes::BufMut,
+         W: ?Sized + io::Write + WriteExt,
+     {
+-        debug_assert_has_capacity!(writer);
+        reserve_minimum!(writer);
+         unsafe { writer.write_reserved_punctuation(b']').unwrap() };
+         Ok(())
+     }
+@@ -244,7 +244,7 @@ pub trait Formatter {
+     where
+         W: ?Sized + io::Write + WriteExt,
     {
 -        debug_assert_has_capacity!(writer);
 +        reserve_minimum!(writer);
         unsafe {
-             writer.put_u8(b']');
-         }
-@@ -175,7 +175,7 @@ pub(crate) trait Formatter {
-     where
-         W: ?Sized + WriteExt + bytes::BufMut,
-     {
-        debug_assert_has_capacity!(writer);
-+        reserve_minimum!(writer);
-         unsafe {
-             writer.put_u8(b'}');
+             writer.write_reserved_punctuation(b'}').unwrap();
         }
--- a/orjson-3.10.15-devendored.tar.xz
+++ b/orjson-3.10.15-devendored.tar.xz
--- a/orjson-3.10.15.tar.gz
+++ b/orjson-3.10.15.tar.gz
--- a/orjson-3.11.5-devendored.tar.xz
+++ b/orjson-3.11.5-devendored.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d02db69552e9bfbb9cc9dfc279924d2cafd1e7111398ec548e82c3011c1e6579
-size 170776
--- a/orjson-3.11.5.tar.gz
+++ b/orjson-3.11.5.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:82393ab47b4fe44ffd0a7659fa9cfaacc717eb617c93cde83795f14af5c2e9d5
-size 5972347
--- a/python-orjson.changes
+++ b/python-orjson.changes
@@ -1,37 +1,9 @@
 -------------------------------------------------------------------
-Mon Jan 26 08:45:25 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+Mon Jan 26 08:53:23 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>

 - Add CVE-2025-67221.patch to fix write outsize of allocated memory
  on json dump (bsc#1257121, gh#ijl/orjson#637)

-------------------------------------------------------------------
-Fri Jan 23 10:22:26 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
-
- Update to 3.11.5 (bsc#1257121, CVE-2025-67221):
-  * Show simple error message instead of traceback when attempting to
-    build on unsupported Python versions.
-
-------------------------------------------------------------------
-Thu Nov 20 10:00:42 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to 3.11.4
-  * ABI compatibility with CPython 3.15 alpha 1.
-  * Publish PyPI wheels for 3.14 and manylinux i686, manylinux
-    arm7, manylinux ppc64le, manylinux s390x.
-  * Build now requires a C compiler.
-
-------------------------------------------------------------------
-Mon Sep 15 14:46:50 UTC 2025 - Markéta Machová <mmachova@suse.com>
-
- Update to 3.11.3
-  * ABI compatibility with CPython 3.14 beta 4.
-  * Drop support for Python 3.8.
-  * Use a deserialization buffer allocated per request instead of a shared
-    buffer allocated on import.
-  * Fix str on big-endian architectures.
-  * Build now depends on Rust 1.85 or later instead of 1.82.
-  * Fix PyPI project metadata when using maturin 1.9.2 or later.
-
 -------------------------------------------------------------------
 Fri Feb  7 12:53:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

--- a/python-orjson.spec
+++ b/python-orjson.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-orjson
 #
-# Copyright (c) 2026 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@

 %{?sle15_python_module_pythons}
 Name:           python-orjson
-Version:        3.11.5
+Version:        3.10.15
 Release:        0
 Summary:        Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy
 License:        Apache-2.0 OR MIT
@@ -31,8 +31,8 @@ Source3:        devendor-sdist.sh
 Source4:        PACKAGING_README.md
 # PATCH-FIX-OPENSUSE CVE-2025-67221.patch gh#ijl/orjson#637
 Patch0:         CVE-2025-67221.patch
-BuildRequires:  %{python_module base >= 3.9}
-BuildRequires:  %{python_module maturin >= 1.9.2}
+BuildRequires:  %{python_module base >= 3.8}
+BuildRequires:  %{python_module maturin >= 1}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
--- a/vendor.tar.xz
+++ b/vendor.tar.xz