diff --git a/CVE-2025-67221.patch b/CVE-2025-67221.patch
new file mode 100644
index 0000000..2395626
--- /dev/null
+++ b/CVE-2025-67221.patch
@@ -0,0 +1,45 @@
+From e959d90ac722022b781b19f86e6ea9adaba8e383 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno
+Date: Fri, 23 Jan 2026 20:22:23 +0100
+Subject: [PATCH] formatter: reserve_minimum in end_ methods
+
+In highly nested json objects it's possible to have a lot of consecutive
+closing characters that are added by end_array and end_object. These
+methods adds one byte without checking the buffer capacity, so it's
+possible to try to write when there's no capacity.
+
+This patch makes sure that the buffer has at least minimum space before
+writing.
+
+This is the upstream commit that removes this check: c369ea44820e2e0798f17f99a0dff65bec2186a9
+```
+$ git log -p c369ea44820e2e0798f17f99a0dff65bec2186a9 -- src/serialize/writer/formatter.rs
+```
+
+Fix https://github.com/ijl/orjson/issues/636
+---
+ src/serialize/writer/formatter.rs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: orjson-3.10.15/src/serialize/writer/formatter.rs
+===================================================================
+--- orjson-3.10.15.orig/src/serialize/writer/formatter.rs
++++ orjson-3.10.15/src/serialize/writer/formatter.rs
+@@ -202,7 +202,7 @@ pub trait Formatter {
+ where
+ W: ?Sized + io::Write + WriteExt,
+ {
+- debug_assert_has_capacity!(writer);
++ reserve_minimum!(writer);
+ unsafe { writer.write_reserved_punctuation(b']').unwrap() };
+ Ok(())
+ }
+@@ -244,7 +244,7 @@ pub trait Formatter {
+ where
+ W: ?Sized + io::Write + WriteExt,
+ {
+- debug_assert_has_capacity!(writer);
++ reserve_minimum!(writer);
+ unsafe {
+ writer.write_reserved_punctuation(b'}').unwrap();
+ }
diff --git a/python-orjson.changes b/python-orjson.changes
index 56ff1c2..89dd49f 100644
--- a/python-orjson.changes
+++ b/python-orjson.changes
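Review bot: The new `reserve_minimum!(writer)` lines in end_array and end_object are each followed by an `unsafe` write with no `// SAFETY:` comment stating what makes the single-byte write sound; add `// SAFETY: reserve_minimum! above guarantees room for this one byte in release builds too.` before each `unsafe` block, since the whole fix is that the capacity check replaced here (`debug_assert_has_capacity!`, presumably debug-only) now happens unconditionally. The diffstat shows only formatter.rs changed, so nothing in the patch exercises the deeply nested dump the message describes; a regression test that serializes a structure nested deep enough to emit many consecutive `]`/`}` writes would keep this revert of c369ea44 from being lost on the next version rebase, and whether other write sites in the file still rely on `debug_assert_has_capacity!` cannot be seen from this hunk. The patch body cites issue #636 while the packaging references gh#ijl/orjson#637 — likely the issue versus the fixing pull request, but the two should be aligned. Both patched methods begin outside their hunks, and end_object's body continues past the second hunk.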
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Jan 26 08:53:23 UTC 2026 - Daniel Garcia + +- Add CVE-2025-67221.patch to fix write outsize of allocated memory + on json dump (bsc#1257121, gh#ijl/orjson#637) + ------------------------------------------------------------------- Fri Feb 7 12:53:21 UTC 2025 - John Paul Adrian Glaubitz diff --git a/python-orjson.spec b/python-orjson.spec index 373a2e9..b7fe788 100644 --- a/python-orjson.spec +++ b/python-orjson.spec @@ -29,6 +29,8 @@ Source1: vendor.tar.xz Source2: https://files.pythonhosted.org/packages/source/o/orjson/orjson-%{version}.tar.gz Source3: devendor-sdist.sh Source4: PACKAGING_README.md +# PATCH-FIX-OPENSUSE CVE-2025-67221.patch gh#ijl/orjson#637 +Patch0: CVE-2025-67221.patch BuildRequires: %{python_module base >= 3.8} BuildRequires: %{python_module maturin >= 1} BuildRequires: %{python_module pip} @@ -53,7 +55,7 @@ orjson is a fast JSON library for Python. It benchmarks as the fastest Python library for JSON. %prep -%autosetup -a1 -n orjson-%{version} +%autosetup -p1 -a1 -n orjson-%{version} %build %pyproject_wheel