Accepting request 1251853 from home:glaubitz:branches:devel:languages:python

- Update to 0.2.17
  * Pylint fixes
  * pre-commit autoupdate 2024-07-24
  * GitHub Actions: Add Python 3.13 beta 4 to the testing
  * Tidy up documentation
  * Keep GitHub Actions up to date with GitHub's Dependabot
  * Fix reDOS CVE in getColor function
  * Reuse background PDF file over multiple pages (#778)
  * Update import for breaking changes in python-bidi 0.5.0
  * Add support of base64 fonts
  * tests: Skip cases that download artifacts when http_proxy is set
  * Typos workflow
- Drop CVE-2024-25885.patch, merged upstream
- Update BuildRequires and Requires from pyproject.toml
- Use Python 3.11 on SLE-15 by default

OBS-URL: https://build.opensuse.org/request/show/1251853
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-xhtml2pdf?expand=0&rev=27

CVE-2024-25885.patch

@@ -1,49 +0,0 @@
-From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
-From: David Trupiano <davetrupiano@gmail.com>
-Date: Tue, 22 Oct 2024 15:45:54 -0400
-Subject: [PATCH] fix reDOS CVE in getColor function
-
----
- xhtml2pdf/util.py | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/xhtml2pdf/util.py b/xhtml2pdf/util.py
-index ff4ac2a9..dafc1933 100644
---- a/xhtml2pdf/util.py
-+++ b/xhtml2pdf/util.py
-@@ -130,22 +130,31 @@ def getColor(value, default=None):
-     """
-     Convert to color value.
-     This returns a Color object instance from a text bit.
-+    Mitigation for ReDoS attack applied by limiting input length and validating input.
-     """
-     if value is None:
-         return None
-     if isinstance(value, Color):
-         return value
-     value = str(value).strip().lower()
-+
-+    # Limit the length of the value to prevent excessive input causing ReDoS
-+    if len(value) > 100:  # Set a reasonable length limit to avoid extreme inputs
-+        return default
-+
-     if value in {"transparent", "none"}:
-         return default
-     if value in COLOR_BY_NAME:
-         return COLOR_BY_NAME[value]
-     if value.startswith("#") and len(value) == 4:
-         value = "#" + value[1] + value[1] + value[2] + value[2] + value[3] + value[3]
--    elif rgb_re.search(value):
--        # e.g., value = "<css function: rgb(153, 51, 153)>", go figure:
--        r, g, b = (int(x) for x in rgb_re.search(value).groups())
--        value = f"#{r:02x}{g:02x}{b:02x}"
-+    elif rgb_re.match(value):
-+        # Use match instead of search to ensure proper regex usage and limit to valid patterns
-+        try:
-+            r, g, b = (int(x) for x in rgb_re.match(value).groups())
-+            value = f"#{r:02x}{g:02x}{b:02x}"
-+        except ValueError:
-+            pass
-     else:
-         # Shrug
-         pass

python-xhtml2pdf.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Mar 10 15:21:26 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 0.2.17
+  * Pylint fixes
+  * pre-commit autoupdate 2024-07-24
+  * GitHub Actions: Add Python 3.13 beta 4 to the testing
+  * Tidy up documentation
+  * Keep GitHub Actions up to date with GitHub's Dependabot
+  * Fix reDOS CVE in getColor function
+  * Reuse background PDF file over multiple pages (#778)
+  * Update import for breaking changes in python-bidi 0.5.0
+  * Add support of base64 fonts
+  * tests: Skip cases that download artifacts when http_proxy is set
+  * Typos workflow
+- Drop CVE-2024-25885.patch, merged upstream
+- Update BuildRequires and Requires from pyproject.toml
+- Use Python 3.11 on SLE-15 by default
+
 -------------------------------------------------------------------
 Wed Dec 18 10:01:41 UTC 2024 - Markéta Machová <mmachova@suse.com>
 

python-xhtml2pdf.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-xhtml2pdf
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,15 +16,14 @@
 #
 
 
+%{?sle15_python_module_pythons}
 Name:           python-xhtml2pdf
-Version:        0.2.16
+Version:        0.2.17
 Release:        0
 Summary:        PDF Generator Using HTML and CSS
 License:        Apache-2.0
 URL:            https://github.com/xhtml2pdf/xhtml2pdf
 Source:         https://github.com/xhtml2pdf/xhtml2pdf/archive/refs/tags/v%{version}.tar.gz#/xhtml2pdf-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM https://github.com/xhtml2pdf/xhtml2pdf/pull/784 fix reDOS CVE in getColor function
-Patch0:         CVE-2024-25885.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
@@ -36,7 +35,7 @@ Requires:       python-html5lib >= 1.1
 Requires:       python-pyHanko >= 0.12.1
 Requires:       python-pyhanko-certvalidator >= 0.19.5
 Requires:       python-pypdf >= 3.1.0
-Requires:       python-python-bidi >= 0.4.2
+Requires:       python-python-bidi >= 0.5.0
 Requires:       python-reportlab >= 4.0.4
 Requires:       python-svglib >= 1.2.1
 Requires(post): update-alternatives
@@ -51,7 +50,7 @@ BuildRequires:  %{python_module pyHanko >= 0.12.1}
 BuildRequires:  %{python_module pyhanko-certvalidator >= 0.19.5}
 BuildRequires:  %{python_module pypdf >= 3.1.0}
 BuildRequires:  %{python_module pytest}
-BuildRequires:  %{python_module python-bidi >= 0.4.2}
+BuildRequires:  %{python_module python-bidi >= 0.5.0}
 BuildRequires:  %{python_module reportlab >= 4.0.4}
 BuildRequires:  %{python_module svglib >= 1.2.1}
 # /SECTION

xhtml2pdf-0.2.16.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c031b662d3f999e18f384e8d606be84a8a1e516d8380a87b3bd9fd2446a1e754
-size 6960611

xhtml2pdf-0.2.17.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0fd0d73a3c4c7162f6cf1f4cf067d45e1c354a0acd6bf63ec4def7b7a9906a67
+size 6964194