Accepting request 1328178 from devel:languages:python

Depends on:
 - New python-Pillow: sr#1328176
 - New python-tinycss2: sr#1328174

- Update to 68.0 (bsc#1256936, CVE-2025-68616):
  # Security
  * Always use URL fetcher for HTTP redirects
  # Python API
  * default_url_fetcher() is deprecated, use the new URLFetcher class
    instead, see URL Fetchers for more information about URL fetchers
  * DocumentMetadata.generate_rdf_metadata is now a method that can be
    overridden instead of a parameter, see Factur-X / ZUGFeRD
    (Electronic Invoices) for examples to create e-invoices
  # Features
  * #2609, #2603, #351: Refactor URL fetcher API
  * #2632: Support legacy 0 value for angles
  * #2627: Add font-face support to SVG
  * #2646, #2255: Add font shorthand support for SVG text elements
  * #2590, #1749: Honor language-specific rules for text-transform
  * #2645, #2613: Improve SVG and SVG emojis rendering
  * #2658, #2583: Add CLI for Factur-X / ZUGFeRD e-invoices
  # Bug fixes
  * #2649: Refactor URL fetcher API
  * #2643, #2628: Handle box-sizing: border-box in grid layout
  * #2641, #1875: Process whitespace after checking all pending targets
  * #2488, #2485: Preserve page groups during layout repagination
  * #2642, #2631: Don’t use isolated transparency groups
  * #2637: Fix repeating radial gradients rendering
  * #2622: Fix validation of colors
  * #2626: Share grid items rendering advancement between a box and its copies
  * #2621: Correctly handle fallback values of attr()
  * #2619: Fix SVG fonts
  * #2629: Always define extra skip height that may be used after
  * #2648: Fix numbers validation in font-feature-settings

OBS-URL: https://build.opensuse.org/request/show/1328178
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-weasyprint?expand=0&rev=21

CVE-2025-68616.patch

@@ -1,86 +0,0 @@
-From 64ffeea2c2dca4377b7ec4e9e3cf5dfe1a9b6c0a Mon Sep 17 00:00:00 2001
-From: Guillaume Ayoub <guillaume@courtbouillon.org>
-Date: Wed, 31 Dec 2025 19:09:20 +0100
-Subject: [PATCH 1/2] =?UTF-8?q?Don=E2=80=99t=20allow=20redirects=20with=20?=
- =?UTF-8?q?deprecated=20default=5Furl=5Ffetcher=20function?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a security fix.
-
-When calling default_url_fetcher in a custom URL fetcher, redirects are handled by
-Python and don’t go though the custom URL fetcher, allowing attackers to make WeasyPrint
-reach URLs forbidden by the custom URL fetcher.
-
-See CVE-2025-68616.
----
- weasyprint/urls.py | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-Index: weasyprint-65.1/weasyprint/urls.py
-===================================================================
---- weasyprint-65.1.orig/weasyprint/urls.py
-+++ weasyprint-65.1/weasyprint/urls.py
-@@ -10,7 +10,8 @@ import zlib
- from gzip import GzipFile
- from pathlib import Path
- from urllib.parse import quote, unquote, urljoin, urlsplit
--from urllib.request import Request, pathname2url, urlopen
-+from urllib.request import Request, pathname2url, build_opener
-+from urllib import request
- 
- from . import __version__
- from .logger import LOGGER
-@@ -177,7 +178,8 @@ def ensure_url(string):
-     return string if url_is_absolute(string) else path2url(string)
- 
- 
--def default_url_fetcher(url, timeout=10, ssl_context=None):
-+def default_url_fetcher(url, timeout=10, ssl_context=None,
-+                        allow_redirects=False):
-     """Fetch an external resource such as an image or stylesheet.
- 
-     Another callable with the same signature can be given as the
-@@ -190,6 +192,8 @@ def default_url_fetcher(url, timeout=10,
-         The number of seconds before HTTP requests are dropped.
-     :param ssl.SSLContext ssl_context:
-         An SSL context used for HTTP requests.
-+    :param bool allow_redirects:
-+        Whether HTTP redirects must be followed.
-     :raises: An exception indicating failure, e.g. :obj:`ValueError` on
-         syntactically invalid URL.
-     :returns: A :obj:`dict` with the following keys:
-@@ -214,15 +218,29 @@ def default_url_fetcher(url, timeout=10,
-         has to be closed manually.
- 
-     """
-+
-     if UNICODE_SCHEME_RE.match(url):
-         # See https://bugs.python.org/issue34702
-         if url.startswith('file://'):
-             url = url.split('?')[0]
- 
-         url = iri_to_uri(url)
--        response = urlopen(
--            Request(url, headers=HTTP_HEADERS), timeout=timeout,
--            context=ssl_context)
-+
-+        # Default opener, redirects won't be followed
-+        handlers = [
-+            request.ProxyHandler(), request.UnknownHandler(), request.HTTPHandler(),
-+            request.HTTPDefaultErrorHandler(), request.FTPHandler(),
-+            request.FileHandler(), request.HTTPErrorProcessor(), request.DataHandler(),
-+            request.HTTPSHandler(context=ssl_context)]
-+        if allow_redirects:
-+            handlers.append(request.HTTPRedirectHandler())
-+
-+        opener = request.OpenerDirector()
-+        for handler in handlers:
-+            opener.add_handler(handler)
-+
-+        response = opener.open(
-+            Request(url, headers=HTTP_HEADERS), timeout=timeout)
-         response_info = response.info()
-         result = {
-             'redirected_url': response.geturl(),

python-weasyprint.changes

@@ -1,9 +1,110 @@
 -------------------------------------------------------------------
-Tue Jan 20 09:07:47 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+Tue Jan 20 06:29:53 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
 
-- Add CVE-2025-68616.patch to fix server-side request forgery (SSRF)
+- Update to 68.0 (bsc#1256936, CVE-2025-68616):
-  vulnerability in default fetcher.
+  # Security
-  (bsc#1256936, CVE-2025-68616, gh#Kozea/WeasyPrint@b6a14f0f3f4c)
+  * Always use URL fetcher for HTTP redirects
+  # Python API
+  * default_url_fetcher() is deprecated, use the new URLFetcher class
+    instead, see URL Fetchers for more information about URL fetchers
+  * DocumentMetadata.generate_rdf_metadata is now a method that can be
+    overridden instead of a parameter, see Factur-X / ZUGFeRD
+    (Electronic Invoices) for examples to create e-invoices
+  # Features
+  * #2609, #2603, #351: Refactor URL fetcher API
+  * #2632: Support legacy 0 value for angles
+  * #2627: Add font-face support to SVG
+  * #2646, #2255: Add font shorthand support for SVG text elements
+  * #2590, #1749: Honor language-specific rules for text-transform
+  * #2645, #2613: Improve SVG and SVG emojis rendering
+  * #2658, #2583: Add CLI for Factur-X / ZUGFeRD e-invoices
+  # Bug fixes
+  * #2649: Refactor URL fetcher API
+  * #2643, #2628: Handle box-sizing: border-box in grid layout
+  * #2641, #1875: Process whitespace after checking all pending targets
+  * #2488, #2485: Preserve page groups during layout repagination
+  * #2642, #2631: Don’t use isolated transparency groups
+  * #2637: Fix repeating radial gradients rendering
+  * #2622: Fix validation of colors
+  * #2626: Share grid items rendering advancement between a box and its copies
+  * #2621: Correctly handle fallback values of attr()
+  * #2619: Fix SVG fonts
+  * #2629: Always define extra skip height that may be used after
+  * #2648: Fix numbers validation in font-feature-settings
+  * #2648: Fix keyword values for text-decoration-thickness
+  * #2661: Respect inline images when defining minimum table width
+
+- 67.0:
+  # Features
+  * #2560, #640, #844, #1091, #2517: Support CMYK colors, PDF/X, color profiles and light-dark() function
+  * #2558, #1175: Support ::first-line, with financial support from Karte Technology
+  * #2552: Support CSS layers, with financial support from Code & Co.
+  * #2564, #2599, #2397: Allow page breaks in grid rows, with financial support from Ocean Recap
+  * #2568, #357: Support calc() and other mathematical functions
+  * #2575, #2574: Support PDF/A-1a, PDF/A-2a and PDF/A-3a
+  * #2611, #2573: Support PDF/A-4e and PDF/A-4f
+  * #2523: Display tofu for missing glyphs
+  * #2581: Add option to disable protocols in URL resolution
+  * #2570: Support rch, cap, rcap, rex, ic and ric font-relative units
+  * #2547, #2140: Support "only" keyword in media queries
+  # Bug fixes
+  * #2516, #1510: Fix rendering of first line of text with nested right float
+  * #2510, #1073, #2507: Avoid Pango crashes and font mismatches with @font-face rules referencing local fonts
+  * #2532, #2531: Use fonttools instancer instead of deprecated mutator API
+  * #2541: Fix syntax of functions
+  * #2543: Allow font-related units to access @font-face fonts
+  * #2525: Respect top margins and avoid overlapping footnotes for columns, with financial support from Code & Co.
+  * #2536: Remove Subtype key from font descriptor
+  * #2539: Fix min width for SVGs with intrinsic ratio but no intrinsic size
+  * #2537, #2533: Fix order of operators when drawing SVGs
+  * #2538: Don’t crash with nested unknown functions
+  * #2542: Don’t crash when lh and rlh are used for line height or font size
+  * #2540, #2528: Use locale encoding instead of filesystem encoding for font paths
+  * #2563, #2479: Don’t avoid float collisions for atomic flex items
+  * #2569: Don’t be case-sensitive for units
+  * #2567, #2566: Add x-default attribute for metadata description to be compliant with PDF/A
+  * #2586, #2571: Improve formatting contexts management
+  * #2600: Fix SVG image aspect ratio when only width or height is specified
+  * #2612, #2595: Clean block layout and fix corner cases
+  * #2522: Ignore preserveAspectRatio when SVG has no viewBox
+  * #2544: Allow to use a variable twice in a function
+  * #2555: Fix flex gap in right-to-left context
+  * #2591: Respect non-auto widths and fix padding of grid items
+  * #2601: Don’t crash when tagged tables are not displayed as tables
+  * #2607: Fix rendering of multiline textareas with PDF forms
+  * #2106: Force variable initialization to avoid crashes during column layout
+  * #2618, #2617: Fix rendering of relative grid and flex items
+
+-------------------------------------------------------------------
+Fri Sep 12 14:38:56 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 66.0
+  * #2475: Add support for 'lh' and 'rlh' units
+  * #2432, #2437: Report footnotes when text overflows because of orphans,
+    with financial support from Code & Co.
+  * #2256, #2466: Handle transform-origin in SVG
+  * #2445: Add parameter to have additional HTTP headers for url_fetcher
+  * #2471, #2506, #2500, #2460, #2363, #2470, #1872, #2153, #1838, #1837,
+    #1784, #1835, #2444, #2497, #2505, #2503, #1836, #2467: Improve PDF/UA
+    support, with financial support from NLnet
+  * #2425, #1557: Improve position of outside markers
+  * #2409, #2265: Draw circles instead of rectangles when drawing dotted borders
+  * #2416, #2270: Correctly split words for automatic hyphenation
+  * #2439, #2426: Don’t rely on URL protocols outside URL fetcher function
+  * #2433: Disable style for deprecated outline algorithm
+  * #2447, #2441, #2448: Improve min- and max-content calculation,
+    with financial support from Menutech
+  * #2454, #2442, #2449: Minor fixes for flex layout
+  * #2473, #2459: Include out-of-flow boxes in page layout progress,
+    with financial support from Pathfindr
+  * #2458: Replace deprecated warn logger function
+  * #2494, #1856: Fix bug with bottom margins in columns
+  * #2435: Make footnote calls inherit from footnotes
+  * #2484, #2456: Allow to avoid page breaks after table-row-group elements
+  * #2450: Draw background and borders for relative grid containers
+  * #2453: Don’t advance position_y for collapsed margins of discarded children
+  * #2493: Fix endless loop with CSS variables referencing each other
+  * #2502: Ignore bottom margin when calculating footnote overflow
 
 -------------------------------------------------------------------
 Tue May 20 12:11:26 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

python-weasyprint.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-weasyprint
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,31 +21,40 @@
 %global cssselect2_min_version 0.8.0
 %global fonttools_min_version  4.0.0
 %global tinyhtml5_min_version  2.0.0
-%global Pillow_min_version     9.1.0
+%global Pillow_min_version     12.1.0
 %global pypdf_min_version      0.11.0
 %global Pyphen_min_version     0.9.1
-%global tinycss2_min_version   1.4.0
+%global tinycss2_min_version   1.5.0
 %global zopfli_min_version     0.1.4
 
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
+
 %{?sle15_python_module_pythons}
 Name:           python-weasyprint
-Version:        65.1
+Version:        68.0
 Release:        0
 Summary:        Python module to convert web documents to PDF
 License:        BSD-3-Clause
 URL:            https://github.com/Kozea/WeasyPrint
 Source:         https://files.pythonhosted.org/packages/source/w/weasyprint/weasyprint-%{version}.tar.gz
 Source100:      python-weasyprint-rpmlintrc
-# PATCH-FIX-UPSTREAM CVE-2025-68616.patch Backported from gh#Kozea/WeasyPrint@b6a14f0f3f4c
-Patch0:         CVE-2025-68616.patch
 BuildRequires:  %{python_module base >= 3.9}
 BuildRequires:  %{python_module flit-core}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools >= 39.2.0}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
+%if %{with libalternatives}
+Requires:       alts
+BuildRequires:  alts
+%else
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
+%endif
 Requires:       libgobject-2_0-0
 Requires:       pango
 Requires:       python-Pillow >= %{Pillow_min_version}
@@ -53,7 +62,6 @@ Requires:       python-Pyphen >= %{Pyphen_min_version}
 Requires:       python-base >= 3.9
 Requires:       python-cffi >= %{cffi_min_version}
 Requires:       python-cssselect2 >= %{cssselect2_min_version}
-Requires:       python-html5lib >= %{html5lib_min_version}
 Requires:       python-pydyf >= %{pypdf_min_version}
 Requires:       python-tinycss2 >= %{tinycss2_min_version}
 Requires:       python-tinyhtml5 >= %{tinyhtml5_min_version}
@@ -109,6 +117,10 @@ export PYTHONPATH=$PWD
 %check
 %pytest -k 'not test_linear_gradients and (5 or 12)'  tests
 
+%pre
+# removing old update-alternatives entries
+%python_libalternatives_reset_alternative weasyprint
+
 %post
 %python_install_alternative weasyprint
 

weasyprint-65.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:120281bdbd42ffaa7d7e5cedbe3182a2cef36ea5ad97fe9f357e43be6a1e58ea
-size 499028

weasyprint-68.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:447f40898b747cb44ac31a5d493d512e7441fd56e13f63744c099383bbf9cda9
+size 1541418