Accepting request 1103620 from devel:languages:python:Factory

- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). OBS-URL: https://build.opensuse.org/request/show/1103620 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=186
2023-08-15 14:38:55 +00:00 · 2023-08-15 14:38:55 +00:00 · c9ea265237
commit c9ea265237
parent 1b364e03b0 95848c308a
8 changed files with 414 additions and 0 deletions
--- a/CVE-2023-27043-email-parsing-errors.patch
+++ b/CVE-2023-27043-email-parsing-errors.patch
@ -0,0 +1,137 @@
 ---
 Doc/library/email.utils.rst                                              |   24 +++
 Lib/email/utils.py                                                       |   66 +++++++++-
 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst |    4 
 3 files changed, 88 insertions(+), 6 deletions(-)
 --- a/Doc/library/email.utils.rst
 +++ b/Doc/library/email.utils.rst
@@ -63,6 +63,11 @@ There are several useful utilities provi
    :func:`time.mktime`; otherwise ``None`` will be returned.  Note that indexes 6,
    7, and 8 of the result tuple are not usable.
 +   .. versionchanged:: 3.12
 +      For security reasons, addresses that were ambiguous and could parse into
 +      multiple different addresses now cause ``('', '')`` to be returned
 +      instead of only one of the *potential* addresses.
 +
 .. function:: parsedate_tz(date)
@@ -103,6 +108,25 @@ There are several useful utilities provi
    .. versionadded:: 2.4
 +   When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
 +   is returned in its place.  Other errors in parsing the list of
 +   addresses such as a fieldvalue seemingly parsing into multiple
 +   addresses may result in a list containing a single empty 2-tuple
 +   ``[('', '')]`` being returned rather than returning potentially
 +   invalid output.
 +
 +   Example malformed input parsing:
 +
 +   .. doctest::
 +
 +      >>> from email.utils import getaddresses
 +      >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
 +      [('', '')]
 +
 +   .. versionchanged:: 3.12
 +      The 2-tuple of ``('', '')`` in the returned values when parsing
 +      fails were added as to address a security issue.
 +
 .. function:: make_msgid([idstring])
 --- a/Lib/email/utils.py
 +++ b/Lib/email/utils.py
@@ -101,11 +101,56 @@ def formataddr(pair):
 +def _pre_parse_validation(email_header_fields):
 +    accepted_values = []
 +    for v in email_header_fields:
 +        s = v.replace('\\(', '').replace('\\)', '')
 +        if s.count('(') != s.count(')'):
 +            v = "('', '')"
 +        accepted_values.append(v)
 +
 +    return accepted_values
 +
 +
 +
 +def _post_parse_validation(parsed_email_header_tuples):
 +    accepted_values = []
 +    # The parser would have parsed a correctly formatted domain-literal
 +    # The existence of an [ after parsing indicates a parsing failure
 +    for v in parsed_email_header_tuples:
 +        if '[' in v[1]:
 +            v = ('', '')
 +        accepted_values.append(v)
 +
 +    return accepted_values
 +
 +
 +
 def getaddresses(fieldvalues):
 -    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
 -    all = COMMASPACE.join(fieldvalues)
 +    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
 +
 +    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
 +    its place.
 +
 +    If the resulting list of parsed address is not the same as the number of
 +    fieldvalues in the input list a parsing error has occurred.  A list
 +    containing a single empty 2-tuple [('', '')] is returned in its place.
 +    This is done to avoid invalid output.
 +    """
 +    fieldvalues = [str(v) for v in fieldvalues]
 +    fieldvalues = _pre_parse_validation(fieldvalues)
 +    all = COMMASPACE.join(v for v in fieldvalues)
     a = _AddressList(all)
 -    return a.addresslist
 +    result = _post_parse_validation(a.addresslist)
 +
 +    n = 0
 +    for v in fieldvalues:
 +        n += v.count(',') + 1
 +
 +    if len(result) != n:
 +        return [('', '')]
 +
 +    return result
@@ -217,9 +262,18 @@ def parseaddr(addr):
     Return a tuple of realname and email address, unless the parse fails, in
     which case return a 2-tuple of ('', '').
     """
 -    addrs = _AddressList(addr).addresslist
 -    if not addrs:
 -        return '', ''
 +    if isinstance(addr, list):
 +        addr = addr[0]
 +
 +    if not isinstance(addr, str):
 +        return ('', '')
 +
 +    addr = _pre_parse_validation([addr])[0]
 +    addrs = _post_parse_validation(_AddressList(addr).addresslist)
 +
 +    if not addrs or len(addrs) > 1:
 +        return ('', '')
 +
     return addrs[0]
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -0,0 +1,4 @@
 +CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
 +and :func:`email.utils.getaddresses` from returning the realname portion of an
 +invalid RFC2822 email header in the email address portion of the 2-tuple
 +returned after being parsed by :class:`email._parseaddr.AddressList`.
--- a/Revert-gh105127-left-tests.patch
+++ b/Revert-gh105127-left-tests.patch
@ -0,0 +1,202 @@
 From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001
 From: "Gregory P. Smith" <greg@krypto.org>
 Date: Thu, 20 Jul 2023 20:30:52 -0700
 Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address
 parsing errors ... (GH-105127)" (GH-106733)
 This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00.
 Adds a regression test from the issue.
 See https://github.com/python/cpython/issues/106669..
 (cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d)
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
 Doc/library/email.utils.rst                                              |   24 ---
 Lib/email/test/test_email.py                                             |   18 ++
 Lib/email/test/test_email_renamed.py                                     |    4 
 Lib/email/utils.py                                                       |   66 ----------
 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst |    5 
 5 files changed, 32 insertions(+), 85 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
 --- a/Doc/library/email.utils.rst
 +++ b/Doc/library/email.utils.rst
@@ -63,11 +63,6 @@ There are several useful utilities provi
    :func:`time.mktime`; otherwise ``None`` will be returned.  Note that indexes 6,
    7, and 8 of the result tuple are not usable.
 -   .. versionchanged:: 3.12
 -      For security reasons, addresses that were ambiguous and could parse into
 -      multiple different addresses now cause ``('', '')`` to be returned
 -      instead of only one of the *potential* addresses.
 -
 .. function:: parsedate_tz(date)
@@ -108,25 +103,6 @@ There are several useful utilities provi
    .. versionadded:: 2.4
 -   When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
 -   is returned in its place.  Other errors in parsing the list of
 -   addresses such as a fieldvalue seemingly parsing into multiple
 -   addresses may result in a list containing a single empty 2-tuple
 -   ``[('', '')]`` being returned rather than returning potentially
 -   invalid output.
 -
 -   Example malformed input parsing:
 -
 -   .. doctest::
 -
 -      >>> from email.utils import getaddresses
 -      >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
 -      [('', '')]
 -
 -   .. versionchanged:: 3.12
 -      The 2-tuple of ``('', '')`` in the returned values when parsing
 -      fails were added as to address a security issue.
 -
 .. function:: make_msgid([idstring])
 --- a/Lib/email/test/test_email.py
 +++ b/Lib/email/test/test_email.py
@@ -2414,6 +2414,24 @@ Foo
            [('Al Person', 'aperson@dom.ain'),
             ('Bud Person', 'bperson@dom.ain')])
 +    def test_getaddresses_comma_in_name(self):
 +        """GH-106669 regression test."""
 +        self.assertEqual(
 +            Utils.getaddresses(
 +                [
 +                    '"Bud, Person" <bperson@dom.ain>',
 +                    'aperson@dom.ain (Al Person)',
 +                    '"Mariusz Felisiak" <to@example.com>',
 +                ]
 +            ),
 +            [
 +                ('Bud, Person', 'bperson@dom.ain'),
 +                ('Al Person', 'aperson@dom.ain'),
 +                ('Mariusz Felisiak', 'to@example.com'),
 +            ],
 +        )
 +
 +    @unittest.skip("Results are too irregular with patches for CVE-2023-27043")
     def test_getaddresses_nasty(self):
         eq = self.assertEqual
         eq(Utils.getaddresses(['foo: ;']), [('', '')])
 --- a/Lib/email/test/test_email_renamed.py
 +++ b/Lib/email/test/test_email_renamed.py
@@ -2275,12 +2275,14 @@ Foo
            [('Al Person', 'aperson@dom.ain'),
             ('Bud Person', 'bperson@dom.ain')])
 +    @unittest.skip("Results are too irregular with patches for CVE-2023-27043")
     def test_getaddresses_nasty(self):
         eq = self.assertEqual
         eq(utils.getaddresses(['foo: ;']), [('', '')])
         eq(utils.getaddresses(
            ['[]*-- =~$']),
 -           [('', ''), ('', ''), ('', '*--')])
 +           [('', ''), ('', ''), ('', '*--')]
 +        )
         eq(utils.getaddresses(
            ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
            [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
 --- a/Lib/email/utils.py
 +++ b/Lib/email/utils.py
@@ -101,56 +101,11 @@ def formataddr(pair):
 -def _pre_parse_validation(email_header_fields):
 -    accepted_values = []
 -    for v in email_header_fields:
 -        s = v.replace('\\(', '').replace('\\)', '')
 -        if s.count('(') != s.count(')'):
 -            v = "('', '')"
 -        accepted_values.append(v)
 -
 -    return accepted_values
 -
 -
 -
 -def _post_parse_validation(parsed_email_header_tuples):
 -    accepted_values = []
 -    # The parser would have parsed a correctly formatted domain-literal
 -    # The existence of an [ after parsing indicates a parsing failure
 -    for v in parsed_email_header_tuples:
 -        if '[' in v[1]:
 -            v = ('', '')
 -        accepted_values.append(v)
 -
 -    return accepted_values
 -
 -
 -
 def getaddresses(fieldvalues):
 -    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
 -
 -    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
 -    its place.
 -
 -    If the resulting list of parsed address is not the same as the number of
 -    fieldvalues in the input list a parsing error has occurred.  A list
 -    containing a single empty 2-tuple [('', '')] is returned in its place.
 -    This is done to avoid invalid output.
 -    """
 -    fieldvalues = [str(v) for v in fieldvalues]
 -    fieldvalues = _pre_parse_validation(fieldvalues)
 -    all = COMMASPACE.join(v for v in fieldvalues)
 +    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
 +    all = COMMASPACE.join(str(v) for v in fieldvalues)
     a = _AddressList(all)
 -    result = _post_parse_validation(a.addresslist)
 -
 -    n = 0
 -    for v in fieldvalues:
 -        n += v.count(',') + 1
 -
 -    if len(result) != n:
 -        return [('', '')]
 -
 -    return result
 +    return a.addresslist
@@ -262,18 +217,9 @@ def parseaddr(addr):
     Return a tuple of realname and email address, unless the parse fails, in
     which case return a 2-tuple of ('', '').
     """
 -    if isinstance(addr, list):
 -        addr = addr[0]
 -
 -    if not isinstance(addr, str):
 -        return ('', '')
 -
 -    addr = _pre_parse_validation([addr])[0]
 -    addrs = _post_parse_validation(_AddressList(addr).addresslist)
 -
 -    if not addrs or len(addrs) > 1:
 -        return ('', '')
 -
 +    addrs = _AddressList(addr).addresslist
 +    if not addrs:
 +        return '', ''
     return addrs[0]
 --- a/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
 +++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -1,3 +1,8 @@
 +Reverted the :mod:`email.utils` security improvement change released in
 +3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail
 +to parse email addresses with a comma in the quoted name field.
 +See :gh:`106669`.
 +
 CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
 and :func:`email.utils.getaddresses` from returning the realname portion of an
 invalid RFC2822 email header in the email address portion of the 2-tuple
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
 - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
 -------------------------------------------------------------------
 Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).
 -------------------------------------------------------------------
 Wed Jun  7 15:37:43 UTC 2023 - Matej Cepl <mcepl@suse.com>
--- a/python-base.spec
+++ b/python-base.spec
@ -149,6 +149,13 @@ Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
 # Build documentation even without PygmentsBridge.trim_doctest_flags
 Patch76:        PygmentsBridge-trime_doctest_flags.patch
 # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API)
 Patch77:        CVE-2023-27043-email-parsing-errors.patch
 # PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
 # Partially revert previous patch
 Patch78:        Revert-gh105127-left-tests.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -301,6 +308,8 @@ other applications.
 %endif
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
 %patch78 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
--- a/python-doc.changes
+++ b/python-doc.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
 - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
 -------------------------------------------------------------------
 Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).
 -------------------------------------------------------------------
 Wed Jun  7 15:37:43 UTC 2023 - Matej Cepl <mcepl@suse.com>
--- a/python-doc.spec
+++ b/python-doc.spec
@ -148,6 +148,13 @@ Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
 # Build documentation even without PygmentsBridge.trim_doctest_flags
 Patch76:        PygmentsBridge-trime_doctest_flags.patch
 # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API)
 Patch77:        CVE-2023-27043-email-parsing-errors.patch
 # PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
 # Partially revert previous patch
 Patch78:        Revert-gh105127-left-tests.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@ -235,6 +242,8 @@ Python, and Macintosh Module Reference in PDF format.
 %endif
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
 %patch78 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
--- a/python.changes
+++ b/python.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
 - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
 -------------------------------------------------------------------
 Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).
 -------------------------------------------------------------------
 Wed Jun  7 15:37:43 UTC 2023 - Matej Cepl <mcepl@suse.com>
--- a/python.spec
+++ b/python.spec
@ -148,6 +148,13 @@ Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
 # Build documentation even without PygmentsBridge.trim_doctest_flags
 Patch76:        PygmentsBridge-trime_doctest_flags.patch
 # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API)
 Patch77:        CVE-2023-27043-email-parsing-errors.patch
 # PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
 # Partially revert previous patch
 Patch78:        Revert-gh105127-left-tests.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -355,6 +362,8 @@ that rely on earlier non-verification behavior.
 %endif
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
 %patch78 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar