- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!

- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=374
2023-08-11 18:04:06 +00:00 · 2023-08-11 18:04:06 +00:00 · 4a7548ec68
commit 4a7548ec68
parent 8e5f3115ae
7 changed files with 158 additions and 0 deletions
--- a/Revert-gh105127-left-tests.patch
+++ b/Revert-gh105127-left-tests.patch
@ -0,0 +1,122 @@
+From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001
+From: "Gregory P. Smith" <greg@krypto.org>
+Date: Thu, 20 Jul 2023 20:30:52 -0700
+Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address
+ parsing errors ... (GH-105127)" (GH-106733)
+
+This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00.
+Adds a regression test from the issue.
+
+See https://github.com/python/cpython/issues/106669..
+(cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d)
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Doc/library/email.utils.rst                                              |   24 ----------
+ Lib/email/test/test_email.py                                             |   17 +++++++
+ Lib/email/utils.py                                                       |   15 +-----
+ Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst |    5 ++
+ 4 files changed, 25 insertions(+), 36 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+
+--- a/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst
+@@ -63,11 +63,6 @@ There are several useful utilities provi
+    :func:`time.mktime`; otherwise ``None`` will be returned.  Note that indexes 6,
+    7, and 8 of the result tuple are not usable.
+ 
+-   .. versionchanged:: 3.12
+-      For security reasons, addresses that were ambiguous and could parse into
+-      multiple different addresses now cause ``('', '')`` to be returned
+-      instead of only one of the *potential* addresses.
+-
+ 
+ .. function:: parsedate_tz(date)
+ 
+@@ -108,25 +103,6 @@ There are several useful utilities provi
+ 
+    .. versionadded:: 2.4
+ 
+-   When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
+-   is returned in its place.  Other errors in parsing the list of
+-   addresses such as a fieldvalue seemingly parsing into multiple
+-   addresses may result in a list containing a single empty 2-tuple
+-   ``[('', '')]`` being returned rather than returning potentially
+-   invalid output.
+-
+-   Example malformed input parsing:
+-
+-   .. doctest::
+-
+-      >>> from email.utils import getaddresses
+-      >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
+-      [('', '')]
+-
+-   .. versionchanged:: 3.12
+-      The 2-tuple of ``('', '')`` in the returned values when parsing
+-      fails were added as to address a security issue.
+-
+ 
+ .. function:: make_msgid([idstring])
+ 
+--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
+@@ -2414,6 +2414,23 @@ Foo
+            [('Al Person', 'aperson@dom.ain'),
+             ('Bud Person', 'bperson@dom.ain')])
+ 
+    def test_getaddresses_comma_in_name(self):
+        """GH-106669 regression test."""
+        self.assertEqual(
+            utils.getaddresses(
+                [
+                    '"Bud, Person" <bperson@dom.ain>',
+                    'aperson@dom.ain (Al Person)',
+                    '"Mariusz Felisiak" <to@example.com>',
+                ]
+            ),
+            [
+                ('Bud, Person', 'bperson@dom.ain'),
+                ('Al Person', 'aperson@dom.ain'),
+                ('Mariusz Felisiak', 'to@example.com'),
+            ],
+        )
+
+     def test_getaddresses_nasty(self):
+         eq = self.assertEqual
+         eq(Utils.getaddresses(['foo: ;']), [('', '')])
+--- a/Lib/email/utils.py
+++ b/Lib/email/utils.py
+@@ -262,18 +262,9 @@ def parseaddr(addr):
+     Return a tuple of realname and email address, unless the parse fails, in
+     which case return a 2-tuple of ('', '').
+     """
+-    if isinstance(addr, list):
+-        addr = addr[0]
+-
+-    if not isinstance(addr, str):
+-        return ('', '')
+-
+-    addr = _pre_parse_validation([addr])[0]
+-    addrs = _post_parse_validation(_AddressList(addr).addresslist)
+-
+-    if not addrs or len(addrs) > 1:
+-        return ('', '')
+-
+    addrs = _AddressList(addr).addresslist
+    if not addrs:
+        return '', ''
+     return addrs[0]
+ 
+ 
+--- a/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+@@ -1,3 +1,8 @@
+Reverted the :mod:`email.utils` security improvement change released in
+3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail
+to parse email addresses with a comma in the quoted name field.
+See :gh:`106669`.
+
+ CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
+ and :func:`email.utils.getaddresses` from returning the realname portion of an
+ invalid RFC2822 email header in the email address portion of the 2-tuple
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
+- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
+  partially reverting CVE-2023-27043-email-parsing-errors.patch,
+  because of the regression in gh#python/cpython#106669.
+
 -------------------------------------------------------------------
 Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>

--- a/python-base.spec
+++ b/python-base.spec
@ -153,6 +153,9 @@ Patch76:        PygmentsBridge-trime_doctest_flags.patch
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API)
 Patch77:        CVE-2023-27043-email-parsing-errors.patch
+# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
+# Partially revert previous patch
+Patch78:        Revert-gh105127-left-tests.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -306,6 +309,7 @@ other applications.
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
+%patch78 -p1

 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
--- a/python-doc.changes
+++ b/python-doc.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
+- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
+  partially reverting CVE-2023-27043-email-parsing-errors.patch,
+  because of the regression in gh#python/cpython#106669.
+
 -------------------------------------------------------------------
 Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>

--- a/python-doc.spec
+++ b/python-doc.spec
@ -152,6 +152,9 @@ Patch76:        PygmentsBridge-trime_doctest_flags.patch
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API)
 Patch77:        CVE-2023-27043-email-parsing-errors.patch
+# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
+# Partially revert previous patch
+Patch78:        Revert-gh105127-left-tests.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@ -240,6 +243,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
+%patch78 -p1

 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
--- a/python.changes
+++ b/python.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
+- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
+  partially reverting CVE-2023-27043-email-parsing-errors.patch,
+  because of the regression in gh#python/cpython#106669.
+
 -------------------------------------------------------------------
 Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>

--- a/python.spec
+++ b/python.spec
@ -152,6 +152,9 @@ Patch76:        PygmentsBridge-trime_doctest_flags.patch
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API)
 Patch77:        CVE-2023-27043-email-parsing-errors.patch
+# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
+# Partially revert previous patch
+Patch78:        Revert-gh105127-left-tests.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -360,6 +363,7 @@ that rely on earlier non-verification behavior.
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
+%patch78 -p1

 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar