Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-orjson for openSUSE:Factory 
checked in at 2026-01-27 16:06:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-orjson (Old)
 and      /work/SRC/openSUSE:Factory/.python-orjson.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-orjson"

Tue Jan 27 16:06:57 2026 rev:14 rq:1329172 version:3.11.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-orjson/python-orjson.changes      
2025-11-21 16:53:54.543358521 +0100
+++ /work/SRC/openSUSE:Factory/.python-orjson.new.1928/python-orjson.changes    
2026-01-27 16:07:12.137231356 +0100
@@ -1,0 +2,13 @@
+Mon Jan 26 08:45:25 UTC 2026 - Daniel Garcia <[email protected]>
+
+- Add CVE-2025-67221.patch to fix write outsize of allocated memory
+  on json dump (bsc#1257121, gh#ijl/orjson#637)
+
+-------------------------------------------------------------------
+Fri Jan 23 10:22:26 UTC 2026 - Daniel Garcia <[email protected]>
+
+- Update to 3.11.5 (bsc#1257121, CVE-2025-67221):
+  * Show simple error message instead of traceback when attempting to
+    build on unsupported Python versions.
+
+-------------------------------------------------------------------
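Review bot: the "Update to 3.11.5" entry cites bsc#1257121 and CVE-2025-67221, but the only upstream change it lists is a nicer build-time error message on unsupported Python versions, while the actual fix arrives through the separate "Add CVE-2025-67221.patch" entry. If 3.11.5 itself does not contain the fix, drop the CVE and bsc references from the update entry so the changelog states which change closes the bug. Two smaller points: "write outsize of allocated memory" should read "write outside of allocated memory", and the patch entry references gh#ijl/orjson#637 while the patch description itself says it fixes issue 636; make the two agree.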

Old:
----
  orjson-3.11.4-devendored.tar.xz
  orjson-3.11.4.tar.gz

New:
----
  CVE-2025-67221.patch
  orjson-3.11.5-devendored.tar.xz
  orjson-3.11.5.tar.gz

----------(New B)----------
  New:
- Add CVE-2025-67221.patch to fix write outside of allocated memory
  on json dump (bsc#1257121, gh#ijl/orjson#637)
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-orjson.spec ++++++
--- /var/tmp/diff_new_pack.Ytk2cq/_old  2026-01-27 16:07:14.969350792 +0100
+++ /var/tmp/diff_new_pack.Ytk2cq/_new  2026-01-27 16:07:14.973350960 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-orjson
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-orjson
-Version:        3.11.4
+Version:        3.11.5
 Release:        0
 Summary:        Fast, correct Python JSON library supporting dataclasses, 
datetimes, and numpy
 License:        Apache-2.0 OR MIT
@@ -29,6 +29,8 @@
 Source2:        
https://files.pythonhosted.org/packages/source/o/orjson/orjson-%{version}.tar.gz
 Source3:        devendor-sdist.sh
 Source4:        PACKAGING_README.md
+# PATCH-FIX-OPENSUSE CVE-2025-67221.patch gh#ijl/orjson#637
+Patch0:         CVE-2025-67221.patch
 BuildRequires:  %{python_module base >= 3.9}
 BuildRequires:  %{python_module maturin >= 1.9.2}
 BuildRequires:  %{python_module pip}
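Review bot: the PATCH-FIX-OPENSUSE comment cites gh#ijl/orjson#637, but the patch body says "Fix https://github.com/ijl/orjson/issues/636"; use the same issue number in both places (or list both if both are relevant). Also, since the patch description traces the regression to upstream commit c369ea44820e2e0798f17f99a0dff65bec2186a9 and the fix is clearly meant for upstream, the conventional tag once it is accepted there is PATCH-FIX-UPSTREAM with the upstream commit or PR reference; PATCH-FIX-OPENSUSE should only stay if the patch is intended to remain local.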
@@ -53,7 +55,7 @@
 It benchmarks as the fastest Python library for JSON.
 
 %prep
-%autosetup -a1 -n orjson-%{version}
+%autosetup -p1 -a1 -n orjson-%{version}
 
 %build
 %pyproject_wheel

++++++ CVE-2025-67221.patch ++++++
From e959d90ac722022b781b19f86e6ea9adaba8e383 Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno <[email protected]>
Date: Fri, 23 Jan 2026 20:22:23 +0100
Subject: [PATCH] formatter: reserve_minimum in end_ methods

In highly nested json objects it's possible to have a lot of consecutive
closing characters that are added by end_array and end_object. These
methods add one byte without checking the buffer capacity, so it's
possible to try to write when there's no capacity.

This patch makes sure that the buffer has at least minimum space before
writing.

This is the upstream commit that removes this check:
c369ea44820e2e0798f17f99a0dff65bec2186a9
```
$ git log -p c369ea44820e2e0798f17f99a0dff65bec2186a9 -- src/serialize/writer/formatter.rs
```

Fix https://github.com/ijl/orjson/issues/636
---
 src/serialize/writer/formatter.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: orjson-3.11.5/src/serialize/writer/formatter.rs
===================================================================
--- orjson-3.11.5.orig/src/serialize/writer/formatter.rs
+++ orjson-3.11.5/src/serialize/writer/formatter.rs
@@ -131,7 +131,7 @@ pub(crate) trait Formatter {
     where
         W: ?Sized + WriteExt + bytes::BufMut,
     {
-        debug_assert_has_capacity!(writer);
+        reserve_minimum!(writer);
         unsafe {
             writer.put_u8(b']');
         }
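Review bot: reserve_minimum! now guards the unsafe put_u8(b']'), but the macro's definition is not in the hunk; confirm it guarantees at least one spare byte for every W that satisfies the `?Sized + WriteExt + bytes::BufMut` bound on this method, not only for the concrete writer type the serializer normally uses. A one-line comment above the unsafe block saying why the reservation is required would also help: if debug_assert_has_capacity! is built on debug_assert!, it compiled to nothing in release builds, which is why the old line was not a check at all.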
@@ -175,7 +175,7 @@ pub(crate) trait Formatter {
     where
         W: ?Sized + WriteExt + bytes::BufMut,
     {
-        debug_assert_has_capacity!(writer);
+        reserve_minimum!(writer);
         unsafe {
             writer.put_u8(b'}');
         }
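Review bot: same fix as the end_array hunk; since the description attributes the regression to a single upstream commit (c369ea44820e2e0798f17f99a0dff65bec2186a9, via the git log command given above), compare that commit's diff against this patch to confirm end_array and end_object were the only two sites it changed and that no other formatter method still writes under debug_assert_has_capacity! alone.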

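The commit message explains the failure mode in one sentence: a reservation made before an opening bracket only guarantees a fixed slack, and a burst of unchecked closing brackets can exceed it. The following is an added model of that invariant, written for this review; it is not orjson's code and does not use its BytesWriter, reserve_minimum! or debug_assert_has_capacity! macros. Its assumptions are labelled in the comments: a MINIMUM of 64 bytes and a growth policy that reserves exactly MINIMUM spare bytes when fewer remain, neither of which is stated on the page. The unchecked write is modelled so it reports where the out-of-bounds write would have happened instead of corrupting memory; `dump_nested` serialises `depth` nested empty arrays with either the unpatched or the patched `end_array`.

```rust
// Added model (not orjson's code) of the capacity invariant behind the fix above.
// ASSUMPTIONS, not taken from the page: MINIMUM = 64 bytes, and reserve_minimum
// grows the allocation to exactly len + MINIMUM when fewer than MINIMUM bytes remain.

/// Reported instead of performing a real out-of-bounds write.
#[derive(Debug, PartialEq)]
pub struct Overflow {
    pub at_byte: usize,
}

pub const MINIMUM: usize = 64;

/// Stand-in for a growable byte writer: `buf.len()` plays the role of the
/// allocation's capacity, `len` is the number of bytes written so far.
pub struct BytesWriter {
    buf: Vec<u8>,
    len: usize,
}

impl BytesWriter {
    pub fn new() -> Self {
        BytesWriter { buf: Vec::new(), len: 0 }
    }

    pub fn remaining(&self) -> usize {
        self.buf.len() - self.len
    }

    /// Model of reserve_minimum!: guarantees MINIMUM spare bytes only at the
    /// moment it is called. Exact growth (assumption) keeps the trace deterministic.
    pub fn reserve_minimum(&mut self) {
        if self.remaining() < MINIMUM {
            self.buf.resize(self.len + MINIMUM, 0);
        }
    }

    /// Model of the unchecked byte append behind `unsafe { writer.put_u8(b) }`.
    /// The real writer performs no bounds check here; the model returns Err
    /// at exactly the offset the real code would write past the allocation.
    pub fn put_u8_unchecked(&mut self, b: u8) -> Result<(), Overflow> {
        if self.len >= self.buf.len() {
            return Err(Overflow { at_byte: self.len });
        }
        self.buf[self.len] = b;
        self.len += 1;
        Ok(())
    }

    pub fn into_string(self) -> String {
        String::from_utf8(self.buf[..self.len].to_vec()).expect("ASCII only")
    }
}

/// Opening bracket: reserve, then write.
pub fn begin_array(w: &mut BytesWriter) -> Result<(), Overflow> {
    w.reserve_minimum();
    w.put_u8_unchecked(b'[')
}

/// end_array before the patch: the only guard was a debug-only assertion on
/// capacity, which is absent from release builds, so nothing is checked here.
pub fn end_array_unpatched(w: &mut BytesWriter) -> Result<(), Overflow> {
    w.put_u8_unchecked(b']')
}

/// end_array after the patch: reserve_minimum before the unchecked write.
pub fn end_array_patched(w: &mut BytesWriter) -> Result<(), Overflow> {
    w.reserve_minimum();
    w.put_u8_unchecked(b']')
}

/// Serialise `depth` nested empty arrays ("[[[...]]]") with either end_array.
pub fn dump_nested(depth: usize, patched: bool) -> Result<String, Overflow> {
    let mut w = BytesWriter::new();
    for _ in 0..depth {
        begin_array(&mut w)?;
    }
    for _ in 0..depth {
        if patched {
            end_array_patched(&mut w)?;
        } else {
            end_array_unpatched(&mut w)?;
        }
    }
    Ok(w.into_string())
}

fn main() {
    // Up to MINIMUM - 1 closers fit in the slack left by the last reservation;
    // from MINIMUM closers on, the unpatched path writes past the allocation.
    for depth in [MINIMUM - 1, MINIMUM, 4096] {
        println!("depth {depth:>4}: unpatched={:?}", dump_nested(depth, false).map(|s| s.len()));
        println!("depth {depth:>4}:   patched={:?}", dump_nested(depth, true).map(|s| s.len()));
    }
}
```

Under these assumptions every opening bracket leaves exactly MINIMUM - 1 spare bytes, so 63 unchecked closers succeed and the 64th is the out-of-bounds write; with the patched `end_array` the reservation is renewed before each closer and any depth serialises. The exact threshold in orjson depends on its real MINIMUM and growth policy, which is why this is presented as a model rather than a reproducer.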
++++++ orjson-3.11.4-devendored.tar.xz -> orjson-3.11.5-devendored.tar.xz ++++++
++++ 2728 lines of diff (skipped)

++++++ orjson-3.11.4.tar.gz -> orjson-3.11.5.tar.gz ++++++
++++ 841021 lines of diff (skipped)

++++++ vendor.tar.xz ++++++
++++ 977606 lines of diff (skipped)
