From bac432efeb4806790dd44b593994ad3e7274844d Mon Sep 17 00:00:00 2001
From: nkrapp <>
Date: Wed, 18 Dec 2024 19:10:52 +0000
Subject: [PATCH] Update python-xhtml2pdf to version 0.2.16 / rev 9 via SR 1231899
https://build.opensuse.org/request/show/1231899 by user nkrapp + anag+factory
---
 packages/p/python-xhtml2pdf/.files | Bin 193 -> 251 bytes
 packages/p/python-xhtml2pdf/.rev | 8 +++
 .../p/python-xhtml2pdf/CVE-2024-25885.patch | 49 ++++++++++++++++++
 .../python-xhtml2pdf/python-xhtml2pdf.changes | 5 ++
 .../p/python-xhtml2pdf/python-xhtml2pdf.spec | 2 +
 5 files changed, 64 insertions(+)
 create mode 100644 packages/p/python-xhtml2pdf/CVE-2024-25885.patch
diff --git a/packages/p/python-xhtml2pdf/.files b/packages/p/python-xhtml2pdf/.files
index 4e7a8d31521bb15b3801e7f016867c24db641d79..d0474f4d4daaaa40a55364c6cfa84a6214e339a4 100644
GIT binary patch delta 149 zcmWN}F%H5o3;@7Zz>=ATEguMSQrmTA#21i|SYjtt$4c!-`Xt`PLZzGU+yDBotQ%b1 zsq4D4^Pv#xNR*9@q8pdWHlE iLn0BnFJ-gYc`QvDa?wh4K;tOH(ps@hS#pYdxcvbtpe95B delta 112 zcmWN{yA8rH5CBj|5siELED&_(i$58K@?xLmA^}Tw5yoI7=AwaDzwhuFN^Ko3dQ?h{ zdZLw`l@Q3o24-Vn$_dc}W5i7PzpnMw%kwdxr60SgDc@R^s3(NT4woo_I5+|FYx0&C LF_wXnyyyE5o}V8Z
diff --git a/packages/p/python-xhtml2pdf/.rev b/packages/p/python-xhtml2pdf/.rev
index 9df16de7cdd..28ec860970a 100644
--- a/packages/p/python-xhtml2pdf/.rev
+++ b/packages/p/python-xhtml2pdf/.rev
@@ -94,4 +94,12 @@ - No more greedy globs in %files. 1201491 + + 38b4b6c1252e11b390571fc0c46e0edd + 0.2.16 + + anag+factory + + 1231899 +
diff --git a/packages/p/python-xhtml2pdf/CVE-2024-25885.patch b/packages/p/python-xhtml2pdf/CVE-2024-25885.patch
new file mode 100644
index 00000000000..23aa8515c90
--- /dev/null
+++ b/packages/p/python-xhtml2pdf/CVE-2024-25885.patch
@@ -0,0 +1,49 @@
+From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
+From: David Trupiano
+Date: Tue, 22 Oct 2024 15:45:54 -0400
+Subject: [PATCH] fix reDOS CVE in getColor function
+
+---
+ xhtml2pdf/util.py | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/xhtml2pdf/util.py b/xhtml2pdf/util.py
+index ff4ac2a9..dafc1933 100644
+--- a/xhtml2pdf/util.py
++++ b/xhtml2pdf/util.py
+@@ -130,22 +130,31 @@ def getColor(value, default=None):
+ """
+ Convert to color value.
+ This returns a Color object instance from a text bit.
++ Mitigation for ReDoS attack applied by limiting input length and validating input.
+ """
+ if value is None:
+ return None
+ if isinstance(value, Color):
+ return value
+ value = str(value).strip().lower()
++
++ # Limit the length of the value to prevent excessive input causing ReDoS
++ if len(value) > 100: # Set a reasonable length limit to avoid extreme inputs
++ return default
++
+ if value in {"transparent", "none"}:
+ return default
+ if value in COLOR_BY_NAME:
+ return COLOR_BY_NAME[value]
+ if value.startswith("#") and len(value) == 4:
+ value = "#" + value[1] + value[1] + value[2] + value[2] + value[3] + value[3]
+- elif rgb_re.search(value):
+- # e.g., value = "", go figure:
+- r, g, b = (int(x) for x in rgb_re.search(value).groups())
+- value = f"#{r:02x}{g:02x}{b:02x}"
++ elif rgb_re.match(value):
++ # Use match instead of search to ensure proper regex usage and limit to valid patterns
++ try:
++ r, g, b = (int(x) for x in rgb_re.match(value).groups())
++ value = f"#{r:02x}{g:02x}{b:02x}"
++ except ValueError:
++ pass
+ else:
+ # Shrug
+ pass
diff --git a/packages/p/python-xhtml2pdf/python-xhtml2pdf.changes b/packages/p/python-xhtml2pdf/python-xhtml2pdf.changes
index 88c6b1c3400..ab33a1c8d26 100644
--- a/packages/p/python-xhtml2pdf/python-xhtml2pdf.changes
+++ b/packages/p/python-xhtml2pdf/python-xhtml2pdf.changes
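Review bot: In the new `elif rgb_re.match(value):` branch the regex runs twice per call, once as the condition and again inside the `try`, which doubles the cost of the exact pattern this ReDoS fix is trying to bound; bind the result once with `elif (m := rgb_re.match(value)):` and then `r, g, b = (int(x) for x in m.groups())` (the spec in this same commit requires Python >= 3.8, so the walrus form is available). The 100-character cap bounds the input rather than fixing `rgb_re` itself, whose definition is outside this patch, so it is worth confirming that the pattern's worst-case run at 100 characters is negligible and asking upstream to tighten the pattern as well. The added `except ValueError: pass` only fires if a captured group is not a decimal integer, which depends on the unseen pattern; if the groups are digit-only it is dead code and could go. The inner hunk ends inside getColor, whose remaining lines are not shown here.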
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Dec 18 10:01:41 UTC 2024 - Markéta Machová
+
+- Add CVE-2024-25885.patch (bsc#1231408, CVE-2024-25885)
+
 -------------------------------------------------------------------
 Tue Sep 17 02:41:49 UTC 2024 - Steve Kowalik
diff --git a/packages/p/python-xhtml2pdf/python-xhtml2pdf.spec b/packages/p/python-xhtml2pdf/python-xhtml2pdf.spec
index e4fe1575cbc..a4b60100bf1 100644
--- a/packages/p/python-xhtml2pdf/python-xhtml2pdf.spec
+++ b/packages/p/python-xhtml2pdf/python-xhtml2pdf.spec
@@ -23,6 +23,8 @@ Summary: PDF Generator Using HTML and CSS
 License: Apache-2.0
 URL: https://github.com/xhtml2pdf/xhtml2pdf
 Source: https://github.com/xhtml2pdf/xhtml2pdf/archive/refs/tags/v%{version}.tar.gz#/xhtml2pdf-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM https://github.com/xhtml2pdf/xhtml2pdf/pull/784 fix reDOS CVE in getColor function
+Patch0: CVE-2024-25885.patch
 BuildRequires: %{python_module base >= 3.8}
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
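Review bot: `Patch0: CVE-2024-25885.patch` is declared here but nothing in this hunk applies it; the `%prep` section is outside the hunk, so confirm it uses `%autosetup -p1` (or otherwise applies the numbered patch) — if it does not, the fix is shipped in the source package but never reaches the built module. The `# PATCH-FIX-UPSTREAM` comment could also name the CVE so the reason is visible without opening the .changes file, e.g. `# PATCH-FIX-UPSTREAM CVE-2024-25885 https://github.com/xhtml2pdf/xhtml2pdf/pull/784 fix reDOS CVE in getColor function`.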