Accepting request 1231846 from home:mcalabkova:branches:devel:languages:python

- Add CVE-2024-25885.patch (bsc#1231408, CVE-2024-25885) OBS-URL: https://build.opensuse.org/request/show/1231846 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-xhtml2pdf?expand=0&rev=25
2024-12-18 13:43:21 +00:00
parent 4337f7b6bb
commit c04385739b
3 changed files with 56 additions and 0 deletions
--- a/CVE-2024-25885.patch
+++ b/CVE-2024-25885.patch
@@ -0,0 +1,49 @@
+From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
+From: David Trupiano <davetrupiano@gmail.com>
+Date: Tue, 22 Oct 2024 15:45:54 -0400
+Subject: [PATCH] fix reDOS CVE in getColor function
+
+---
+ xhtml2pdf/util.py | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/xhtml2pdf/util.py b/xhtml2pdf/util.py
+index ff4ac2a9..dafc1933 100644
+--- a/xhtml2pdf/util.py
+++ b/xhtml2pdf/util.py
+@@ -130,22 +130,31 @@ def getColor(value, default=None):
+     """
+     Convert to color value.
+     This returns a Color object instance from a text bit.
+    Mitigation for ReDoS attack applied by limiting input length and validating input.
+     """
+     if value is None:
+         return None
+     if isinstance(value, Color):
+         return value
+     value = str(value).strip().lower()
+
+    # Limit the length of the value to prevent excessive input causing ReDoS
+    if len(value) > 100:  # Set a reasonable length limit to avoid extreme inputs
+        return default
+
+     if value in {"transparent", "none"}:
+         return default
+     if value in COLOR_BY_NAME:
+         return COLOR_BY_NAME[value]
+     if value.startswith("#") and len(value) == 4:
+         value = "#" + value[1] + value[1] + value[2] + value[2] + value[3] + value[3]
+-    elif rgb_re.search(value):
+-        # e.g., value = "<css function: rgb(153, 51, 153)>", go figure:
+-        r, g, b = (int(x) for x in rgb_re.search(value).groups())
+-        value = f"#{r:02x}{g:02x}{b:02x}"
+    elif rgb_re.match(value):
+        # Use match instead of search to ensure proper regex usage and limit to valid patterns
+        try:
+            r, g, b = (int(x) for x in rgb_re.match(value).groups())
+            value = f"#{r:02x}{g:02x}{b:02x}"
+        except ValueError:
+            pass
+     else:
+         # Shrug
+         pass
--- a/python-xhtml2pdf.changes
+++ b/python-xhtml2pdf.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Dec 18 10:01:41 UTC 2024 - Markéta Machová <mmachova@suse.com>
+
+- Add CVE-2024-25885.patch (bsc#1231408, CVE-2024-25885)
+
 -------------------------------------------------------------------
 Tue Sep 17 02:41:49 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>

--- a/python-xhtml2pdf.spec
+++ b/python-xhtml2pdf.spec
@@ -23,6 +23,8 @@ Summary:        PDF Generator Using HTML and CSS
 License:        Apache-2.0
 URL:            https://github.com/xhtml2pdf/xhtml2pdf
 Source:         https://github.com/xhtml2pdf/xhtml2pdf/archive/refs/tags/v%{version}.tar.gz#/xhtml2pdf-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM https://github.com/xhtml2pdf/xhtml2pdf/pull/784 fix reDOS CVE in getColor function
+Patch0:         CVE-2024-25885.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}