Update python-xhtml2pdf to version 0.2.16 / rev 9 via SR 1231899

https://build.opensuse.org/request/show/1231899 by user nkrapp + anag+factory
bmwiedemann · Dec 18, 2024 · bac432e · bac432e
1 parent 0cb4518
commit bac432e
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 0 deletions.
diff --git a/packages/p/python-xhtml2pdf/.files b/packages/p/python-xhtml2pdf/.files
diff --git a/packages/p/python-xhtml2pdf/.rev b/packages/p/python-xhtml2pdf/.rev
@@ -94,4 +94,12 @@
 - No more greedy globs in %files.</comment>
     <requestid>1201491</requestid>
   </revision>
+  <revision rev="9" vrev="2">
+    <srcmd5>38b4b6c1252e11b390571fc0c46e0edd</srcmd5>
+    <version>0.2.16</version>
+    <time>1734549050</time>
+    <user>anag+factory</user>
+    <comment></comment>
+    <requestid>1231899</requestid>
+  </revision>
 </revisionlist>
diff --git a/packages/p/python-xhtml2pdf/CVE-2024-25885.patch b/packages/p/python-xhtml2pdf/CVE-2024-25885.patch
@@ -0,0 +1,49 @@
+From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
+From: David Trupiano <[email protected]>
+Date: Tue, 22 Oct 2024 15:45:54 -0400
+Subject: [PATCH] fix reDOS CVE in getColor function
+
+---
+ xhtml2pdf/util.py | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/xhtml2pdf/util.py b/xhtml2pdf/util.py
+index ff4ac2a9..dafc1933 100644
+--- a/xhtml2pdf/util.py
++++ b/xhtml2pdf/util.py
+@@ -130,22 +130,31 @@ def getColor(value, default=None):
+     """
+     Convert to color value.
+     This returns a Color object instance from a text bit.
++    Mitigation for ReDoS attack applied by limiting input length and validating input.
+     """
+     if value is None:
+         return None
+     if isinstance(value, Color):
+         return value
+     value = str(value).strip().lower()
++
++    # Limit the length of the value to prevent excessive input causing ReDoS
++    if len(value) > 100:  # Set a reasonable length limit to avoid extreme inputs
++        return default
++
+     if value in {"transparent", "none"}:
+         return default
+     if value in COLOR_BY_NAME:
+         return COLOR_BY_NAME[value]
+     if value.startswith("#") and len(value) == 4:
+         value = "#" + value[1] + value[1] + value[2] + value[2] + value[3] + value[3]
+-    elif rgb_re.search(value):
+-        # e.g., value = "<css function: rgb(153, 51, 153)>", go figure:
+-        r, g, b = (int(x) for x in rgb_re.search(value).groups())
+-        value = f"#{r:02x}{g:02x}{b:02x}"
++    elif rgb_re.match(value):
++        # Use match instead of search to ensure proper regex usage and limit to valid patterns
++        try:
++            r, g, b = (int(x) for x in rgb_re.match(value).groups())
++            value = f"#{r:02x}{g:02x}{b:02x}"
++        except ValueError:
++            pass
+     else:
+         # Shrug
+         pass
diff --git a/packages/p/python-xhtml2pdf/python-xhtml2pdf.changes b/packages/p/python-xhtml2pdf/python-xhtml2pdf.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Dec 18 10:01:41 UTC 2024 - Markéta Machová <[email protected]>
+
+- Add CVE-2024-25885.patch (bsc#1231408, CVE-2024-25885)
+
 -------------------------------------------------------------------
 Tue Sep 17 02:41:49 UTC 2024 - Steve Kowalik <[email protected]>
 

diff --git a/packages/p/python-xhtml2pdf/python-xhtml2pdf.spec b/packages/p/python-xhtml2pdf/python-xhtml2pdf.spec
@@ -23,6 +23,8 @@ Summary:        PDF Generator Using HTML and CSS
 License:        Apache-2.0
 URL:            https://github.com/xhtml2pdf/xhtml2pdf
 Source:         https://github.com/xhtml2pdf/xhtml2pdf/archive/refs/tags/v%{version}.tar.gz#/xhtml2pdf-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM https://github.com/xhtml2pdf/xhtml2pdf/pull/784 fix reDOS CVE in getColor function
+Patch0:         CVE-2024-25885.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}