Accepting request 1329172 from devel:languages:python

- Add CVE-2025-67221.patch to fix write outsize of allocated memory
  on json dump (bsc#1257121, gh#ijl/orjson#637)

- Update to 3.11.5 (bsc#1257121, CVE-2025-67221):
  * Show simple error message instead of traceback when attempting to
    build on unsupported Python versions.

OBS-URL: https://build.opensuse.org/request/show/1329172
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-orjson?expand=0&rev=14

CVE-2025-67221.patch

@@ -0,0 +1,45 @@
+From e959d90ac722022b781b19f86e6ea9adaba8e383 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <dani@danigm.net>
+Date: Fri, 23 Jan 2026 20:22:23 +0100
+Subject: [PATCH] formatter: reserve_minimum in end_ methods
+
+In highly nested json objects it's possible to have a lot of consecutive
+closing characters that are added by end_array and end_object. These
+methods adds one byte without checking the buffer capacity, so it's
+possible to try to write when there's no capacity.
+
+This patch makes sure that the buffer has at least minimum space before
+writing.
+
+This is the upstream commit that removes this check: c369ea44820e2e0798f17f99a0dff65bec2186a9
+```
+$ git log -p c369ea44820e2e0798f17f99a0dff65bec2186a9 -- src/serialize/writer/formatter.rs
+```
+
+Fix https://github.com/ijl/orjson/issues/636
+---
+ src/serialize/writer/formatter.rs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: orjson-3.11.5/src/serialize/writer/formatter.rs
+===================================================================
+--- orjson-3.11.5.orig/src/serialize/writer/formatter.rs
++++ orjson-3.11.5/src/serialize/writer/formatter.rs
+@@ -131,7 +131,7 @@ pub(crate) trait Formatter {
+     where
+         W: ?Sized + WriteExt + bytes::BufMut,
+     {
+-        debug_assert_has_capacity!(writer);
++        reserve_minimum!(writer);
+         unsafe {
+             writer.put_u8(b']');
+         }
+@@ -175,7 +175,7 @@ pub(crate) trait Formatter {
+     where
+         W: ?Sized + WriteExt + bytes::BufMut,
+     {
+-        debug_assert_has_capacity!(writer);
++        reserve_minimum!(writer);
+         unsafe {
+             writer.put_u8(b'}');
+         }

orjson-3.11.5-devendored.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d02db69552e9bfbb9cc9dfc279924d2cafd1e7111398ec548e82c3011c1e6579
+size 170776

orjson-3.11.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82393ab47b4fe44ffd0a7659fa9cfaacc717eb617c93cde83795f14af5c2e9d5
+size 5972347

python-orjson.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Mon Jan 26 08:45:25 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2025-67221.patch to fix write outsize of allocated memory
+  on json dump (bsc#1257121, gh#ijl/orjson#637)
+
+-------------------------------------------------------------------
+Fri Jan 23 10:22:26 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 3.11.5 (bsc#1257121, CVE-2025-67221):
+  * Show simple error message instead of traceback when attempting to
+    build on unsupported Python versions.
+
+-------------------------------------------------------------------
+Thu Nov 20 10:00:42 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.11.4
+  * ABI compatibility with CPython 3.15 alpha 1.
+  * Publish PyPI wheels for 3.14 and manylinux i686, manylinux
+    arm7, manylinux ppc64le, manylinux s390x.
+  * Build now requires a C compiler.
+
+-------------------------------------------------------------------
+Mon Sep 15 14:46:50 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 3.11.3
+  * ABI compatibility with CPython 3.14 beta 4.
+  * Drop support for Python 3.8.
+  * Use a deserialization buffer allocated per request instead of a shared
+    buffer allocated on import.
+  * Fix str on big-endian architectures.
+  * Build now depends on Rust 1.85 or later instead of 1.82.
+  * Fix PyPI project metadata when using maturin 1.9.2 or later.
+
 -------------------------------------------------------------------
 Fri Feb  7 12:53:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 

python-orjson.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-orjson
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-orjson
-Version:        3.10.15
+Version:        3.11.5
 Release:        0
 Summary:        Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy
 License:        Apache-2.0 OR MIT
@@ -29,8 +29,10 @@ Source1:        vendor.tar.xz
 Source2:        https://files.pythonhosted.org/packages/source/o/orjson/orjson-%{version}.tar.gz
 Source3:        devendor-sdist.sh
 Source4:        PACKAGING_README.md
-BuildRequires:  %{python_module base >= 3.8}
-BuildRequires:  %{python_module maturin >= 1}
+# PATCH-FIX-OPENSUSE CVE-2025-67221.patch gh#ijl/orjson#637
+Patch0:         CVE-2025-67221.patch
+BuildRequires:  %{python_module base >= 3.9}
+BuildRequires:  %{python_module maturin >= 1.9.2}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
@@ -53,7 +55,7 @@ orjson is a fast JSON library for Python.
 It benchmarks as the fastest Python library for JSON.
 
 %prep
-%autosetup -a1 -n orjson-%{version}
+%autosetup -p1 -a1 -n orjson-%{version}
 
 %build
 %pyproject_wheel