Hello community,

here is the log from the commit of package python-deepdiff for openSUSE:Factory 
checked in at 2026-03-24 18:49:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-deepdiff (Old)
 and      /work/SRC/openSUSE:Factory/.python-deepdiff.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-deepdiff"

Tue Mar 24 18:49:46 2026 rev:19 rq:1342180 version:8.6.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-deepdiff/python-deepdiff.changes  
2025-09-09 20:31:16.123814647 +0200
+++ 
/work/SRC/openSUSE:Factory/.python-deepdiff.new.8177/python-deepdiff.changes    
    2026-03-24 18:50:43.691059000 +0100
@@ -1,0 +2,11 @@
+Tue Mar 24 07:47:42 UTC 2026 - Daniel Garcia <[email protected]>
+
+- Update to 8.6.2 (bsc#1260064, CVE-2026-33155):
+  * Security fix (CVE-2026-33155): Prevent denial-of-service via
+    crafted pickle payloads that trigger massive memory allocation
+    through the REDUCE opcode. Size-sensitive callables like bytes()
+    and bytearray() are now wrapped to reject allocations exceeding
+    128 MB.
+- Use libalternatives instead of update-alternatives
+
+-------------------------------------------------------------------
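Review bot: the entry "Use libalternatives instead of update-alternatives" overstates the spec change, which (per the spec hunk in this request) only enables libalternatives for suse_version > 1500 and keeps update-alternatives on the older path; it would also help to record that 8.6.2 is fetched by commit id because upstream has not tagged the release, since the tarball name deepdiff-8.6.2-gh.tar.gz does not show that.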

Old:
----
  deepdiff-8.6.1-gh.tar.gz

New:
----
  deepdiff-8.6.2-gh.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-deepdiff.spec ++++++
--- /var/tmp/diff_new_pack.AWyrtF/_old  2026-03-24 18:50:44.223080952 +0100
+++ /var/tmp/diff_new_pack.AWyrtF/_new  2026-03-24 18:50:44.227081117 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-deepdiff
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,14 +16,24 @@
 #
 
 
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
+
+# No tag for last release, so we need to pick from the repository by
+# commit id.
+%define commit 0d07ec21d12b46ef4e489383b363eadc22d990fb
+
 %{?sle15_python_module_pythons}
 Name:           python-deepdiff
-Version:        8.6.1
+Version:        8.6.2
 Release:        0
 Summary:        Deep Difference and Search of any Python object/data
 License:        MIT
 URL:            https://github.com/seperman/deepdiff
-Source:         
https://github.com/seperman/deepdiff/archive/%{version}.tar.gz#/deepdiff-%{version}-gh.tar.gz
+Source:         
https://github.com/seperman/deepdiff/archive/%{commit}.tar.gz#/deepdiff-%{version}-gh.tar.gz
 BuildRequires:  %{python_module PyYAML}
 BuildRequires:  %{python_module click}
 BuildRequires:  %{python_module flit-core}
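Review bot: `%define commit ...` at file scope should be `%global commit ...`; openSUSE packaging guidelines and rpmlint prefer %global for top-level definitions. Separately, the Source line now fetches `archive/%{commit}.tar.gz` but stores it as `deepdiff-%{version}-gh.tar.gz`, so if upstream later tags 8.6.2 the tagged tarball will share this filename while having different contents; consider putting a short commit hash in the file name, or switching Source back to the tag once it exists.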
@@ -45,10 +55,19 @@
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 Requires:       python-orderly-set >= 5.4.1
+
+%if %{with libalternatives}
+Requires:       alts
+BuildRequires:  alts
+%else
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
-Recommends:     python-PyYAML
-Recommends:     python-click
+%endif
+
+# Required for cli tool
+Requires:       python-PyYAML
+Requires:       python-click
+
 Recommends:     python-jsonpickle
 Recommends:     python-numpy
 Recommends:     python-orjson
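Review bot: promoting python-PyYAML and python-click from Recommends to hard Requires pulls both into every install of the library, including API-only users; the pyproject.toml hunk in this diff lists only orderly-set under `dependencies`, so upstream treats them as optional. If the goal is a working `deep` CLI, consider keeping Recommends or moving the CLI into a subpackage that carries the hard Requires.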
@@ -63,8 +82,9 @@
 within other objects, and hash any object based on their content.
 
 %prep
-%autosetup -p1 -n deepdiff-%{version}
+%autosetup -p1 -n deepdiff-%{commit}
 sed -i '1{/env python/d}' deepdiff/deephash.py deepdiff/diff.py 
deepdiff/search.py
+chmod -x deepdiff/diff.py
 
 %build
 %pyproject_wheel
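Review bot: the sed strips the shebang from deephash.py, diff.py and search.py, but only diff.py gets `chmod -x`; if either of the other two files carries the executable bit, rpmlint will still flag an executable file without a shebang, so either apply `chmod -x` to the same three files or confirm the other two are already mode 644.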
@@ -81,6 +101,10 @@
 donttest+=" or (TestCommands and test_diff_command and t1_corrupt)"
 %pytest -k "not ($donttest)"
 
+%pre
+# removing old update-alternatives entries
+%python_libalternatives_reset_alternative deep
+
 %post
 %python_install_alternative deep
 
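Review bot: the new %pre calls %python_libalternatives_reset_alternative unconditionally, while the Requires on alts is guarded by %{with libalternatives}; confirm the macro expands to a no-op when the bcond is off (the SLE 15 path still relies on update-alternatives in %post), or wrap the %pre in the same %if so both paths stay consistent.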

++++++ deepdiff-8.6.1-gh.tar.gz -> deepdiff-8.6.2-gh.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/.bumpversion.cfg 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/.bumpversion.cfg
--- old/deepdiff-8.6.1/.bumpversion.cfg 2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/.bumpversion.cfg      
2026-03-18 18:26:35.000000000 +0100
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 8.6.1
+current_version = 8.6.2
 commit = True
 tag = True
 tag_name = {new_version}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/AUTHORS.md 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/AUTHORS.md
--- old/deepdiff-8.6.1/AUTHORS.md       2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/AUTHORS.md    
2026-03-18 18:26:35.000000000 +0100
@@ -76,3 +76,4 @@
 - [Jim Cipar](https://github.com/jcipar) for the fix recursion depth limit 
when hashing numpy.datetime64
 - [Enji Cooper](https://github.com/ngie-eign) for converting legacy setuptools 
use to pyproject.toml
 - [Diogo Correia](https://github.com/diogotcorreia) for reporting security 
vulnerability in Delta and DeepDiff that could allow remote code execution.
+- [am-periphery](https://github.com/am-periphery) for reporting 
CVE-2026-33155: denial-of-service via crafted pickle payloads triggering 
massive memory allocation.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/CHANGELOG.md 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/CHANGELOG.md
--- old/deepdiff-8.6.1/CHANGELOG.md     2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/CHANGELOG.md  
2026-03-18 18:26:35.000000000 +0100
@@ -1,5 +1,8 @@
 # DeepDiff Change log
 
+- v8-6-2
+    - Security fix (CVE-2026-33155): Prevent denial-of-service via crafted 
pickle payloads that trigger massive memory allocation through the REDUCE 
opcode. Size-sensitive callables like `bytes()` and `bytearray()` are now 
wrapped to reject allocations exceeding 128 MB.
+
 - v8-6-1
     - Patched security vulnerability in the Delta class which was vulnerable 
to class pollution via its constructor, and when combined with a gadget 
available in DeltaDiff itself, it could lead to Denial of Service and Remote 
Code Execution (via insecure Pickle deserialization).
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/CITATION.cff 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/CITATION.cff
--- old/deepdiff-8.6.1/CITATION.cff     2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/CITATION.cff  
2026-03-18 18:26:35.000000000 +0100
@@ -5,6 +5,6 @@
   given-names: "Sep"
   orcid: "https://orcid.org/0009-0009-5828-4345";
 title: "DeepDiff"
-version: 8.6.1
+version: 8.6.2
 date-released: 2024
 url: "https://github.com/seperman/deepdiff";
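Review bot: `version` is bumped to 8.6.2 but the neighbouring `date-released: 2024` is left untouched, so the citation metadata now describes a release made in 2026 (per the file timestamps) with a 2024 date; update date-released in the same change.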
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/README.md 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/README.md
--- old/deepdiff-8.6.1/README.md        2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/README.md     
2026-03-18 18:26:35.000000000 +0100
@@ -1,4 +1,4 @@
-# DeepDiff v 8.6.1
+# DeepDiff v 8.6.2
 
 ![Downloads](https://img.shields.io/pypi/dm/deepdiff.svg?style=flat)
 ![Python 
Versions](https://img.shields.io/pypi/pyversions/deepdiff.svg?style=flat)
@@ -17,12 +17,15 @@
 
 Tested on Python 3.9+ and PyPy3.
 
-- **[Documentation](https://zepworks.com/deepdiff/8.6.1/)**
+- **[Documentation](https://zepworks.com/deepdiff/8.6.2/)**
 
 ## What is new?
 
 Please check the [ChangeLog](CHANGELOG.md) file for the detailed information.
 
+DeepDiff 8-6-2
+- **Security (CVE-2026-33155):** Fixed a memory exhaustion DoS vulnerability 
in `_RestrictedUnpickler` by limiting the maximum allocation size for `bytes` 
and `bytearray` during deserialization.
+
 DeepDiff 8-6-1
 - Patched security vulnerability in the Delta class which was vulnerable to 
class pollution via its constructor, and when combined with a gadget available 
in DeltaDiff itself, it could lead to Denial of Service and Remote Code 
Execution (via insecure Pickle deserialization).
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/deepdiff/__init__.py 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/deepdiff/__init__.py
--- old/deepdiff-8.6.1/deepdiff/__init__.py     2025-09-03 21:38:30.000000000 
+0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/deepdiff/__init__.py  
2026-03-18 18:26:35.000000000 +0100
@@ -1,6 +1,6 @@
 """This module offers the DeepDiff, DeepSearch, grep, Delta and DeepHash 
classes."""
 # flake8: noqa
-__version__ = '8.6.1'
+__version__ = '8.6.2'
 import logging
 
 if __name__ == '__main__':
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/deepdiff/serialization.py 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/deepdiff/serialization.py
--- old/deepdiff-8.6.1/deepdiff/serialization.py        2025-09-03 
21:38:30.000000000 +0200
+++ 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/deepdiff/serialization.py 
    2026-03-18 18:26:35.000000000 +0100
@@ -331,6 +331,35 @@
         return "\n".join(f"{prefix}{r}" for r in result)
 
 
+# Maximum size allowed for integer arguments to constructors that allocate
+# memory proportional to the argument (e.g. bytes(n), bytearray(n)).
+# This prevents denial-of-service via crafted pickle payloads. (CVE-2026-33155)
+_MAX_ALLOC_SIZE = 128 * 1024 * 1024  # 128 MB
+
+# Callables where an integer argument directly controls memory allocation size.
+_SIZE_SENSITIVE_CALLABLES = frozenset({bytes, bytearray})
+
+
+class _SafeConstructor:
+    """Wraps a type constructor to prevent excessive memory allocation via the 
REDUCE opcode."""
+    __slots__ = ('_wrapped',)
+
+    def __init__(self, wrapped):
+        self._wrapped = wrapped
+
+    def __call__(self, *args, **kwargs):
+        for arg in args:
+            if isinstance(arg, int) and arg > _MAX_ALLOC_SIZE:
+                raise pickle.UnpicklingError(
+                    "Refusing to create {}() with size {}: "
+                    "exceeds the maximum allowed size of {} bytes. "
+                    "This could be a denial-of-service attack payload.".format(
+                        self._wrapped.__name__, arg, _MAX_ALLOC_SIZE
+                    )
+                )
+        return self._wrapped(*args, **kwargs)
+
+
 class _RestrictedUnpickler(pickle.Unpickler):
 
     def __init__(self, *args, **kwargs):
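Review bot: `__call__` only inspects positional `args` but forwards `**kwargs` to the wrapped constructor unchecked; `bytes()` and `bytearray()` accept their size argument as the keyword `source=`, so iterating over `kwargs.values()` as well closes that path for a one-line cost, e.g. `for arg in (*args, *kwargs.values()):`. A short comment on why 128 MB was chosen as `_MAX_ALLOC_SIZE` (and whether it should be configurable) would also help future readers, since the limit is otherwise a bare constant.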
@@ -355,7 +384,11 @@
                 module_obj = sys.modules[module]
             except KeyError:
                 raise 
ModuleNotFoundError(MODULE_NOT_FOUND_MSG.format(module_dot_class)) from None
-            return getattr(module_obj, name)
+            cls = getattr(module_obj, name)
+            # Wrap size-sensitive callables to prevent DoS via large 
allocations
+            if cls in _SIZE_SENSITIVE_CALLABLES:
+                return _SafeConstructor(cls)
+            return cls
         # Forbid everything else.
         raise ForbiddenModule(FORBIDDEN_MODULE_MSG.format(module_dot_class)) 
from None
 
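Review bot: `find_class` now returns a `_SafeConstructor` instance instead of the real `bytes`/`bytearray` type; that works for REDUCE, which simply calls the object, but opcodes that expect a class (NEWOBJ calls `cls.__new__(cls, *args)`) will now fail with a TypeError from `object.__new__` rather than a clear `UnpicklingError`, and any caller comparing the returned object to the type by identity will no longer match. Worth a comment documenting this as intentional and a regression test covering the NEWOBJ path.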
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/docs/authors.rst 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/authors.rst
--- old/deepdiff-8.6.1/docs/authors.rst 2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/authors.rst      
2026-03-18 18:26:35.000000000 +0100
@@ -118,6 +118,7 @@
 - `Enji Cooper <https://github.com/ngie-eign>`__ for converting legacy
   setuptools use to pyproject.toml
 - `Diogo Correia <https://github.com/diogotcorreia>`__ for reporting security 
vulnerability in Delta and DeepDiff that could allow remote code execution.
+- `am-periphery <https://github.com/am-periphery>`__ for reporting 
CVE-2026-33155: denial-of-service via crafted pickle payloads triggering 
massive memory allocation.
 
 
 .. _Sep Dehpour (Seperman): http://www.zepworks.com
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/docs/changelog.rst 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/changelog.rst
--- old/deepdiff-8.6.1/docs/changelog.rst       2025-09-03 21:38:30.000000000 
+0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/changelog.rst    
2026-03-18 18:26:35.000000000 +0100
@@ -5,6 +5,9 @@
 
 DeepDiff Changelog
 
+- v8-6-2
+   - Security fix (CVE-2026-33155): Prevent denial-of-service via crafted 
pickle payloads that trigger massive memory allocation through the REDUCE 
opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now 
wrapped to reject allocations exceeding 128 MB.
+
 - v8-6-1
    - Patched security vulnerability in the Delta class which was vulnerable to 
class pollution via its constructor, and when combined with a gadget available 
in DeltaDiff itself, it could lead to Denial of Service and Remote Code 
Execution (via insecure Pickle deserialization).
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/docs/conf.py 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/conf.py
--- old/deepdiff-8.6.1/docs/conf.py     2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/conf.py  
2026-03-18 18:26:35.000000000 +0100
@@ -64,9 +64,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '8.6.1'
+version = '8.6.2'
 # The full version, including alpha/beta/rc tags.
-release = '8.6.1'
+release = '8.6.2'
 
 load_dotenv(override=True)
 DOC_VERSION = os.environ.get('DOC_VERSION', version)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/docs/index.rst 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/index.rst
--- old/deepdiff-8.6.1/docs/index.rst   2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/docs/index.rst        
2026-03-18 18:26:35.000000000 +0100
@@ -4,7 +4,7 @@
    contain the root `toctree` directive.
 
 
-DeepDiff 8.6.1 documentation!
+DeepDiff 8.6.2 documentation!
 =============================
 
 *******
@@ -31,6 +31,11 @@
 What Is New
 ***********
 
+DeepDiff 8-6-2
+--------------
+
+    - Security fix (CVE-2026-33155): Prevent denial-of-service via crafted 
pickle payloads that trigger massive memory allocation through the REDUCE 
opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now 
wrapped to reject allocations exceeding 128 MB.
+
 DeepDiff 8-6-1
 --------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/pyproject.toml 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/pyproject.toml
--- old/deepdiff-8.6.1/pyproject.toml   2025-09-03 21:38:30.000000000 +0200
+++ new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/pyproject.toml        
2026-03-18 18:26:35.000000000 +0100
@@ -4,7 +4,7 @@
 
 [project]
 name = "deepdiff"
-version = "8.6.1"
+version = "8.6.2"
 dependencies = [
   "orderly-set>=5.4.1,<6",
 ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/deepdiff-8.6.1/tests/test_serialization.py 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/tests/test_serialization.py
--- old/deepdiff-8.6.1/tests/test_serialization.py      2025-09-03 
21:38:30.000000000 +0200
+++ 
new/deepdiff-0d07ec21d12b46ef4e489383b363eadc22d990fb/tests/test_serialization.py
   2026-03-18 18:26:35.000000000 +0100
@@ -155,6 +155,58 @@
             load_path_content(path)
 
 
+class TestPicklingSecurity:
+
+    @pytest.mark.skipif(sys.platform == "win32", reason="Resource module is 
Unix-only")
+    def test_restricted_unpickler_memory_exhaustion_cve(self):
+        """CVE-2026-33155: Prevent DoS via massive allocation through REDUCE 
opcode.
+
+        The payload calls bytes(10_000_000_000) which is allowed by find_class
+        but would allocate ~9.3GB of memory. The fix should reject this before
+        the allocation happens.
+        """
+        import resource
+
+        # 1. Cap memory to 500MB to prevent system freezes during the test
+        soft, hard = resource.getrlimit(resource.RLIMIT_AS)
+        maxsize_bytes = 500 * 1024 * 1024
+        resource.setrlimit(resource.RLIMIT_AS, (maxsize_bytes, hard))
+
+        try:
+            # 2. Malicious payload: attempts to allocate ~9.3GB via 
bytes(10000000000)
+            # This uses allowed builtins but passes a massive integer via 
REDUCE
+            payload = (
+                b"(dp0\n"
+                b"S'_'\n"
+                b"cbuiltins\nbytes\n"
+                b"(I10000000000\n"
+                b"tR"
+                b"s."
+            )
+
+            # 3. After the patch, deepdiff should catch the size violation
+            # and raise UnpicklingError before attempting allocation.
+            with pytest.raises((ValueError, UnpicklingError)):
+                pickle_load(payload)
+        finally:
+            # Restore original memory limit so other tests are not affected
+            resource.setrlimit(resource.RLIMIT_AS, (soft, hard))
+
+    def test_restricted_unpickler_allows_small_bytes(self):
+        """Ensure legitimate small bytes objects can still be deserialized."""
+        # Payload: {'_': bytes(100)} — well within the 128MB limit
+        payload = (
+            b"(dp0\n"
+            b"S'_'\n"
+            b"cbuiltins\nbytes\n"
+            b"(I100\n"
+            b"tR"
+            b"s."
+        )
+        result = pickle_load(payload)
+        assert result == {'_': bytes(100)}
+
+
 class TestPickling:
 
     def test_serialize(self):
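Review bot: `pytest.raises((ValueError, UnpicklingError))` is looser than the fix warrants; `_SafeConstructor` raises `pickle.UnpicklingError` specifically, so expecting only that (and matching on the "Refusing to create" message) makes the test fail if the check is ever removed or replaced by something that merely errors. The RLIMIT_AS cap of 500 MB is also fragile: on a host whose hard limit is already below that, `setrlimit` raises ValueError before the try block, and PyPy (listed as supported in README.md) or a sanitizer build can exceed 500 MB of address space on its own; since the fix rejects the payload before any allocation, the limit is only a safety net and could be raised substantially or skipped when the current hard limit is lower.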
