Add CVE-2025-68616.patch to fix (SSRF)

Add CVE-2025-68616.patch to fix server-side request forgery (SSRF)
vulnerability in default fetcher.

(bsc#1256936, CVE-2025-68616)

CVE-2025-68616.patch

@@ -0,0 +1,86 @@
+From 64ffeea2c2dca4377b7ec4e9e3cf5dfe1a9b6c0a Mon Sep 17 00:00:00 2001
+From: Guillaume Ayoub <guillaume@courtbouillon.org>
+Date: Wed, 31 Dec 2025 19:09:20 +0100
+Subject: [PATCH 1/2] =?UTF-8?q?Don=E2=80=99t=20allow=20redirects=20with=20?=
+ =?UTF-8?q?deprecated=20default=5Furl=5Ffetcher=20function?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a security fix.
+
+When calling default_url_fetcher in a custom URL fetcher, redirects are handled by
+Python and don’t go though the custom URL fetcher, allowing attackers to make WeasyPrint
+reach URLs forbidden by the custom URL fetcher.
+
+See CVE-2025-68616.
+---
+ weasyprint/urls.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+Index: weasyprint-65.1/weasyprint/urls.py
+===================================================================
+--- weasyprint-65.1.orig/weasyprint/urls.py
++++ weasyprint-65.1/weasyprint/urls.py
+@@ -10,7 +10,8 @@ import zlib
+ from gzip import GzipFile
+ from pathlib import Path
+ from urllib.parse import quote, unquote, urljoin, urlsplit
+-from urllib.request import Request, pathname2url, urlopen
++from urllib.request import Request, pathname2url, build_opener
++from urllib import request
+ 
+ from . import __version__
+ from .logger import LOGGER
+@@ -177,7 +178,8 @@ def ensure_url(string):
+     return string if url_is_absolute(string) else path2url(string)
+ 
+ 
+-def default_url_fetcher(url, timeout=10, ssl_context=None):
++def default_url_fetcher(url, timeout=10, ssl_context=None,
++                        allow_redirects=False):
+     """Fetch an external resource such as an image or stylesheet.
+ 
+     Another callable with the same signature can be given as the
+@@ -190,6 +192,8 @@ def default_url_fetcher(url, timeout=10,
+         The number of seconds before HTTP requests are dropped.
+     :param ssl.SSLContext ssl_context:
+         An SSL context used for HTTP requests.
++    :param bool allow_redirects:
++        Whether HTTP redirects must be followed.
+     :raises: An exception indicating failure, e.g. :obj:`ValueError` on
+         syntactically invalid URL.
+     :returns: A :obj:`dict` with the following keys:
+@@ -214,15 +218,29 @@ def default_url_fetcher(url, timeout=10,
+         has to be closed manually.
+ 
+     """
++
+     if UNICODE_SCHEME_RE.match(url):
+         # See https://bugs.python.org/issue34702
+         if url.startswith('file://'):
+             url = url.split('?')[0]
+ 
+         url = iri_to_uri(url)
+-        response = urlopen(
+-            Request(url, headers=HTTP_HEADERS), timeout=timeout,
+-            context=ssl_context)
++
++        # Default opener, redirects won't be followed
++        handlers = [
++            request.ProxyHandler(), request.UnknownHandler(), request.HTTPHandler(),
++            request.HTTPDefaultErrorHandler(), request.FTPHandler(),
++            request.FileHandler(), request.HTTPErrorProcessor(), request.DataHandler(),
++            request.HTTPSHandler(context=ssl_context)]
++        if allow_redirects:
++            handlers.append(request.HTTPRedirectHandler())
++
++        opener = request.OpenerDirector()
++        for handler in handlers:
++            opener.add_handler(handler)
++
++        response = opener.open(
++            Request(url, headers=HTTP_HEADERS), timeout=timeout)
+         response_info = response.info()
+         result = {
+             'redirected_url': response.geturl(),

python-weasyprint.changes

@@ -1,3 +1,108 @@
+-------------------------------------------------------------------
+Tue Jan 20 09:07:47 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2025-68616.patch to fix server-side request forgery (SSRF)
+  vulnerability in default fetcher.
+  (bsc#1256936, CVE-2025-68616, gh#Kozea/WeasyPrint@b6a14f0f3f4c)
+
+-------------------------------------------------------------------
+Tue May 20 12:11:26 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 65.1
+  * #2414: Correctly handle flex columns split between pages
+  * 1b24ad9: Include padding in outer size of item elements
+  * #2419: Set main tag as block by default
+  * #2415: Fix support of replaced block box as flex items
+  * 83da2fe0: Fix margins and padding for rtl lists
+  * #2429, #1076, #2431: Fix page groups
+- Bump cssselect2_min_version to 0.8.0
+
+-------------------------------------------------------------------
+Wed Mar  5 10:07:13 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 64.1
+  * #2368: Fix ascent and descent font values
+  * #2370: Avoid endless recursion for variables in nested functions
+  * #2275: Use correct containing block to render waiting children
+  * #2375: Ensure that we handle text-anchor only on text content elements
+  * #2090: Only create font temporary folder when adding fonts
+  * #2383: Fix grid-template-areas validation and allow uppercase
+    identifiers for grid lines
+
+-------------------------------------------------------------------
+Mon Feb 10 21:55:11 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 64.0:
+  * #2338: Allow custom RDF metadata for PDF/A and eInvoices
+  * #123, #2345: Handle small-caps synthesis
+  * #2343: Support outline-offset
+  * #2361: Support text-underline-offset and text-decoration-
+    thickness
+  * #2296: Don’t crash with tables with rounded corners split
+    between pages
+  * #2360: Fix gradients with non-RGB colors
+  * #2355, #2358: Align png emojis to the surrounding text
+  * #2353: Fix alignment of SVG text with multiple nested text-
+    anchor values
+  * #2350: Fix logging restoration in capture_logs
+  * #2341: Fix page groups
+  * #2314: Use CSS 'image-rendering' attribute for images in SVGs
+  * #2332: Fix opacity for translated SVG elements
+  * #2329: Refactor text.line_break.get_log_attrs
+  * #2325, #2326: Fix table overflow edge cases
+  * #2347, #2364: Improve rendering speed for text
+  * #2352: Add more use cases in documentation, use Furo theme
+
+-------------------------------------------------------------------
+Mon Nov 18 09:24:08 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
+
+- Fix runtime requirements (bsc#1233406)
+
+-------------------------------------------------------------------
+Tue Nov  5 14:27:00 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 63.0
+  * #2252, #895: Handle page groups, with financial support from Code & Co.
+  * #1630, #2286: Support CSS Color Level 4
+  * #2192: Add PDF variant for debugging purpose
+  * #2208: Support submit inputs in PDF forms
+  * #2139: Support mask-border-* properties
+  * #1831, #2143: Support radio inputs in PDF forms
+  * #2262: Avoid integer overflows when converting units from/to doubles
+  * #2260: Avoid float collision with box establishing formatting context
+  * #2240, #2242: Handle svg tags with no size
+  * #2231, #1171, #2222, #1208: Fix several problems related to flex-direction: column
+  * #2239: Don’t fail when SVG markers are undefined references
+  * #2230, #2238: Set explicit flags when loading DLLs on Windows
+  * #2228, #1942: Store original and PDF stream images in different cache slots
+  * #2234: Apply stylesheet and other basic operations to SVG root tag
+  * #2054, #2233: Keep auto margins on flex layout boxes
+  * #1883: Don’t crash with empty list marker strings
+  * #2216: Fix vertical alignment of out-of-flow elements in tables
+  * #996, #2219: Don’t ignore absolutely positioned elements inside flex boxes
+  * #2217: Don’t crash with normal column gaps
+  * #1817: Don’t assume that lines break after spaces
+  * #1868: Don’t break rows with atomic cells
+  * #2166: Don’t display bottom border on cells in split rows
+  * 61852c4: Capture fontTools logs when subsetting fonts
+  * #2190: Don’t use a pattern when drawing backgrounds for no-repeat background images
+  * #2185: Check that Harfbuzz version is at least 4.1.0 to subset fonts
+  * #2180: Store width for all glyphs when font is not subset
+  * #2183: Respect break-inside: avoid for flex items
+  * #2055, #2058: Fix right-to-left tables with collapsed borders
+  * #2179, #1128: Handle buggy Adobe Photoshop CMYK JPEGs
+  * #2175: Don’t compress PDF metadata for PDF/A-1
+  * #2174: Fix extra width distribution for auto table layout
+  * #1155: Improve rendering speed for large colspan values
+  * #2120, #2178: Use Harfbuzz to subset fonts by default
+  * #2282, #2284: Simplify Alpine install instructions
+  * #2254: Add warning about antivirus false detection
+  * #2220: Add extra information to debug logs
+  * #2211: Fix link to samples
+  * #2195: Update cache argument documentation
+  * #2105, #2151: Use MSYS2 instead of GTK+3 for Windows
+- Update BuildRequires and Requires from pyproject.toml
+
 -------------------------------------------------------------------
 Sun Jun 30 08:16:19 UTC 2024 - Dirk Müller <dmueller@suse.com>
 

python-weasyprint.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-weasyprint
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,24 +18,26 @@
 
 %global brotli_min_version     1.0.1
 %global cffi_min_version       0.6
-%global cssselect2_min_version 0.1
+%global cssselect2_min_version 0.8.0
 %global fonttools_min_version  4.0.0
-%global html5lib_min_version   1.1
+%global tinyhtml5_min_version  2.0.0
 %global Pillow_min_version     9.1.0
-%global pypdf_min_version      0.10.0
+%global pypdf_min_version      0.11.0
 %global Pyphen_min_version     0.9.1
-%global tinycss2_min_version   1.3.0
+%global tinycss2_min_version   1.4.0
 %global zopfli_min_version     0.1.4
 
 %{?sle15_python_module_pythons}
 Name:           python-weasyprint
-Version:        62.3
+Version:        65.1
 Release:        0
 Summary:        Python module to convert web documents to PDF
 License:        BSD-3-Clause
 URL:            https://github.com/Kozea/WeasyPrint
 Source:         https://files.pythonhosted.org/packages/source/w/weasyprint/weasyprint-%{version}.tar.gz
 Source100:      python-weasyprint-rpmlintrc
+# PATCH-FIX-UPSTREAM CVE-2025-68616.patch Backported from gh#Kozea/WeasyPrint@b6a14f0f3f4c
+Patch0:         CVE-2025-68616.patch
 BuildRequires:  %{python_module base >= 3.9}
 BuildRequires:  %{python_module flit-core}
 BuildRequires:  %{python_module pip}
@@ -48,12 +50,13 @@ Requires:       libgobject-2_0-0
 Requires:       pango
 Requires:       python-Pillow >= %{Pillow_min_version}
 Requires:       python-Pyphen >= %{Pyphen_min_version}
-Requires:       python-base >= 3.7
+Requires:       python-base >= 3.9
 Requires:       python-cffi >= %{cffi_min_version}
 Requires:       python-cssselect2 >= %{cssselect2_min_version}
 Requires:       python-html5lib >= %{html5lib_min_version}
 Requires:       python-pydyf >= %{pypdf_min_version}
 Requires:       python-tinycss2 >= %{tinycss2_min_version}
+Requires:       python-tinyhtml5 >= %{tinyhtml5_min_version}
 # SECTION fonttools[woff]
 Requires:       python-FontTools >= %{fonttools_min_version}
 Requires:       python-Brotli >= %{brotli_min_version}
@@ -67,10 +70,10 @@ BuildRequires:  %{python_module Pillow >= %{Pillow_min_version}}
 BuildRequires:  %{python_module Pyphen >= %{Pyphen_min_version}}
 BuildRequires:  %{python_module cffi   >= %{cffi_min_version}}
 BuildRequires:  %{python_module cssselect2 >= %{cssselect2_min_version}}
-BuildRequires:  %{python_module html5lib >= %{html5lib_min_version}}
 BuildRequires:  %{python_module pydyf >= %{pypdf_min_version}}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module tinycss2 >= %{tinycss2_min_version}}
+BuildRequires:  %{python_module tinyhtml5 >= %{tinyhtml5_min_version}}
 BuildRequires:  %{python_module zopfli >= %{zopfli_min_version}}
 BuildRequires:  dejavu-fonts
 BuildRequires:  gs

weasyprint-62.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d8680d732f7fa0fcbc587692a5a5cb095c3525627066918d6e203cbf42b7fcd
-size 477181

weasyprint-65.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:120281bdbd42ffaa7d7e5cedbe3182a2cef36ea5ad97fe9f357e43be6a1e58ea
+size 499028