Fix write outsize of allocated memory on json dump

Add CVE-2025-67221.patch to fix write outsize of allocated memory
on json dump (bsc#1257121, gh#ijl/orjson#637)

CVE-2025-67221.patch

@@ -0,0 +1,45 @@
+From e959d90ac722022b781b19f86e6ea9adaba8e383 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <dani@danigm.net>
+Date: Fri, 23 Jan 2026 20:22:23 +0100
+Subject: [PATCH] formatter: reserve_minimum in end_ methods
+
+In highly nested json objects it's possible to have a lot of consecutive
+closing characters that are added by end_array and end_object. These
+methods adds one byte without checking the buffer capacity, so it's
+possible to try to write when there's no capacity.
+
+This patch makes sure that the buffer has at least minimum space before
+writing.
+
+This is the upstream commit that removes this check: c369ea44820e2e0798f17f99a0dff65bec2186a9
+```
+$ git log -p c369ea44820e2e0798f17f99a0dff65bec2186a9 -- src/serialize/writer/formatter.rs
+```
+
+Fix https://github.com/ijl/orjson/issues/636
+---
+ src/serialize/writer/formatter.rs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: orjson-3.10.15/src/serialize/writer/formatter.rs
+===================================================================
+--- orjson-3.10.15.orig/src/serialize/writer/formatter.rs
++++ orjson-3.10.15/src/serialize/writer/formatter.rs
+@@ -202,7 +202,7 @@ pub trait Formatter {
+     where
+         W: ?Sized + io::Write + WriteExt,
+     {
+-        debug_assert_has_capacity!(writer);
++        reserve_minimum!(writer);
+         unsafe { writer.write_reserved_punctuation(b']').unwrap() };
+         Ok(())
+     }
+@@ -244,7 +244,7 @@ pub trait Formatter {
+     where
+         W: ?Sized + io::Write + WriteExt,
+     {
+-        debug_assert_has_capacity!(writer);
++        reserve_minimum!(writer);
+         unsafe {
+             writer.write_reserved_punctuation(b'}').unwrap();
+         }

PACKAGING_README.md

@@ -0,0 +1,7 @@
+# Packaging python-orjson
+
+1. Change the version in the spec file
+2. Delete the old sdist
+3. Run `osc service runall download_files && sh ./devendor-sdist.sh && osc service runall cargo_vendor`
+4. Create a changelog entry
+5. Commit the changes as usual

python-orjson.changes

@@ -1,3 +1,96 @@
+-------------------------------------------------------------------
+Mon Jan 26 08:53:23 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2025-67221.patch to fix write outsize of allocated memory
+  on json dump (bsc#1257121, gh#ijl/orjson#637)
+
+-------------------------------------------------------------------
+Fri Feb  7 12:53:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.10.15
+  * Publish PyPI manylinux aarch64 wheels built and tested on aarch64.
+  * Publish PyPI musllinux aarch64 and arm7l wheels built and tested on aarch64.
+  * Publish PyPI manylinux Python 3.13 wheels for i686, arm7l, ppc64le, and s390x.
+
+-------------------------------------------------------------------
+Fri Jan 10 14:28:05 UTC 2025 - Ben Greiner <code@bnavigator.de>
+
+- Update to 3.10.14
+  * Specify build system dependency on maturin>=1,<2 again.
+  * Allocate memory using PyMem_Malloc() and similar APIs for
+    integration with pymalloc, mimalloc, and tracemalloc.
+  * Source distribution does not ship compressed test documents and
+    relevant tests skip if fixtures are not present.
+  * Build now depends on Rust 1.82 or later instead of 1.72.
+- Release 3.10.13
+  * Fix compatibility with maturin introducing a breaking change in
+    1.8.0 and specify a fixed version of maturin. Projects relying
+    on any previous version being buildable from source by end
+    users (via PEP 517) must upgrade to at least this version.
+- Remove pendulum from tests: Not desired in Ring1 and not
+  maintained upstream. It's only supported on x86_64.
+
+-------------------------------------------------------------------
+Mon Dec  2 11:05:13 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 3.10.12:
+  * Changed
+    - Publish PyPI manylinux i686 wheels.
+    - Publish PyPI musllinux i686 and arm7l wheels.
+    - Publish PyPI macOS wheels for Python 3.10 or later built on
+      macOS 15.
+    - Publish PyPI Windows wheels using trusted publishing.
+- update to 3.10.11:
+  * Changed
+    - Improve performance of UUIDs.
+    - Publish PyPI wheels with trusted publishing and PEP 740
+      attestations.
+    - Include text of licenses for vendored dependencies.
+- update to 3.10.10:
+  * Fixed
+    - Fix int serialization on s390x. This was introduced in 3.10.8.
+  * Changed
+    - Publish aarch64 manylinux_2_17 wheel for 3.13 to PyPI.
+- update to 3.10.9:
+  * Fixed
+    - Fix int serialization on 32-bit Python 3.8, 3.9, 3.10. This
+      was introduced in 3.10.8.
+- update to 3.10.8:
+  * Changed
+    - int serialization no longer chains OverflowError to the
+    - the __cause__ attribute of orjson.JSONEncodeError when range
+      exceeded.
+    - Compatibility with CPython 3.14 alpha 1.
+    - Improve performance.
+
+-------------------------------------------------------------------
+Mon Sep  9 10:29:05 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.10.7
+  * Improve performance of stable Rust amd64 builds.
+- from version 3.10.6
+  * Improve performance.
+- from version 3.10.5
+  * Improve performance.
+- from version 3.10.4
+  * Improve performance.
+- from version 3.10.3
+  * `manylinux` amd64 builds include runtime-detected AVX-512 `str`
+    implementation.
+  * Tests now compatible with numpy v2.
+- from version 3.10.2
+  * Fix crash serializing `str` introduced in 3.10.1.
+  * Improve performance.
+  * Drop support for arm7.
+- from version 3.10.1
+  * Serializing `numpy.ndarray` with non-native endianness raises
+    `orjson.JSONEncodeError`.
+  * Improve performance of serializing.
+- from version 3.10.0
+  * Support serializing `numpy.float16` (`numpy.half`).
+  * sdist uses metadata 2.3 instead of 2.1.
+  * Improve Windows PyPI builds.
+
 -------------------------------------------------------------------
 Thu Feb 29 06:46:24 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 

python-orjson.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-orjson
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,16 +18,19 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-orjson
-Version:        3.9.15
+Version:        3.10.15
 Release:        0
 Summary:        Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy
 License:        Apache-2.0 OR MIT
 URL:            https://github.com/ijl/orjson
-# Update: Run `osc service runall download_files && sh ./devendor-sdist.sh && osc service runall cargo_vendor`
+# Update: Change version and run `osc rm orjson-*.tar.gz && osc service runall download_files && sh ./devendor-sdist.sh && osc service runall cargo_vendor`
 Source0:        orjson-%{version}-devendored.tar.xz
 Source1:        vendor.tar.xz
 Source2:        https://files.pythonhosted.org/packages/source/o/orjson/orjson-%{version}.tar.gz
 Source3:        devendor-sdist.sh
+Source4:        PACKAGING_README.md
+# PATCH-FIX-OPENSUSE CVE-2025-67221.patch gh#ijl/orjson#637
+Patch0:         CVE-2025-67221.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module maturin >= 1}
 BuildRequires:  %{python_module pip}
@@ -38,7 +41,6 @@ BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 # SECTION test requirements
 BuildRequires:  %{python_module numpy}
-BuildRequires:  %{python_module pendulum}
 BuildRequires:  %{python_module psutil}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module python-dateutil}
@@ -53,7 +55,7 @@ orjson is a fast JSON library for Python.
 It benchmarks as the fastest Python library for JSON.
 
 %prep
-%autosetup -a1 -n orjson-%{version}
+%autosetup -p1 -a1 -n orjson-%{version}
 
 %build
 %pyproject_wheel