CVE-2025-15366-imap-ctrl-chars.patch

From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters

---
 Lib/imaplib.py                                                           |    4 +++-
 Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst |    1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

Index: Python-3.12.12/Lib/imaplib.py
===================================================================
--- Python-3.12.12.orig/Lib/imaplib.py	2026-02-10 22:15:03.417592955 +0100
+++ Python-3.12.12/Lib/imaplib.py	2026-02-10 22:18:02.094605035 +0100
@@ -132,7 +132,7 @@
 # We compile these in _mode_xxx.
 _Literal = br'.*{(?P<size>\d+)}$'
 _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
-
+_control_chars = re.compile(b'[\x00-\x1F\x7F]')
 
 
 class IMAP4:
@@ -994,6 +994,8 @@
             if arg is None: continue
             if isinstance(arg, str):
                 arg = bytes(arg, self._encoding)
+            if _control_chars.search(arg):
+                raise ValueError("Control characters not allowed in commands")
             data = data + b' ' + arg
 
         literal = self.literal
Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst	2026-02-10 22:18:02.095167966 +0100
@@ -0,0 +1 @@
+Reject control characters in IMAP commands.
Fix eight bugs (mostly rejecting ctrl chars in various protocols) CVE-2025-11468: to preserve parens when folding comments. (bsc#1257029, gh#python/cpython#143935) CVE-2025-11468-email-hdr-fold-comment.patch CVE-2025-12781: fix decoding with non-standard Base64 alphabet (bsc#1257108, gh#python/cpython#125346) CVE-2025-12781-b64decode-alt-chars.patch CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch CVE-2025-13836: to prevent reading an HTTP response from Content-Length per default as the length. (bsc#1254400, gh#python/cpython#119451) CVE-2025-13836-http-resp-cont-len.patch CVE-2025-12084: prevent quadratic behavior in node ID cache clearing. (bsc#1254997, gh#python/cpython#142145) CVE-2025-12084-minidom-quad-search.patch CVE-2025-13837: protect against OOM when loading malicious content. (bsc#1254401, gh#python/cpython#119342) CVE-2025-13837-plistlib-mailicious-length.patch - gh-99242: os.getloadavg() may throw OSError when running regression tests under certain conditions (e.g. chroot). This error is now caught and ignored, since reporting load average is optional. - gh-121160: Add a test for readline.set_history_length(). Note that this test may fail on readline libraries. - gh-121200: Fix test_expanduser_pwd2() of test_posixpath. Call getpwnam() to get pw_dir, since it can be different than getpwall() pw_dir. Patch by Victor Stinner. - gh-121188: When creating the JUnit XML file, regrtest now escapes characters which are invalid in XML, such as the chr(27) control character used in ANSI escape sequences. Patch by Victor Stinner. - CVE-2026-1299 and CVE-2024-6923: email headers with embedded newlines are now quoted on output. The generator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in bsc#1228780, gh-121650; bsc#1257181, gh-121650). - gh-120495: Fix incorrect exception handling in Tab Nanny. Patch by Wulian233. would produce incorrect results if type parameters in a class scope were overridden by assignments in a class scope and from __future__ import annotations semantics were - gh-81936: help() and showtopic() methods now respect a configured output argument to pydoc.Helper and not use the pager in such cases. Patch by Enrico Tröger. - gh-119577: The DeprecationWarning emitted when testing the truth value of an xml.etree.ElementTree.Element now - gh-121871: Documentation HTML varies from timestamp. Patch by Bernhard M. Wiedemann (bsc#1227999). - gh-122029: Emit c_call events in sys.setprofile() when a PyMethodObject pointing to a PyCFunction is called. modification of a list object, where one thread assigns a slice and another clears it. bytes and bytearray objects when using protocol version 5. Patch by Bénédikt Tran. 2026-02-10 23:12:15 +01:00			`From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001`
			`From: Seth Michael Larson <seth@python.org>`
			`Date: Fri, 16 Jan 2026 10:54:09 -0600`
			`Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters`

			`---`
			`Lib/imaplib.py \| 4 +++-`
			`Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst \| 1 +`
			`2 files changed, 4 insertions(+), 1 deletion(-)`

			`Index: Python-3.12.12/Lib/imaplib.py`
			`===================================================================`
			`--- Python-3.12.12.orig/Lib/imaplib.py 2026-02-10 22:15:03.417592955 +0100`
			`+++ Python-3.12.12/Lib/imaplib.py 2026-02-10 22:18:02.094605035 +0100`
			`@@ -132,7 +132,7 @@`
			`# We compile these in _mode_xxx.`
			`_Literal = br'.*{(?P<size>\d+)}$'`
			`_Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'`
			`-`
			`+_control_chars = re.compile(b'[\x00-\x1F\x7F]')`


			`class IMAP4:`
			`@@ -994,6 +994,8 @@`
			`if arg is None: continue`
			`if isinstance(arg, str):`
			`arg = bytes(arg, self._encoding)`
			`+ if _control_chars.search(arg):`
			`+ raise ValueError("Control characters not allowed in commands")`
			`data = data + b' ' + arg`

			`literal = self.literal`
			`Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst`
			`===================================================================`
			`--- /dev/null 1970-01-01 00:00:00.000000000 +0000`
			`+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst 2026-02-10 22:18:02.095167966 +0100`
			`@@ -0,0 +1 @@`
			`+Reject control characters in IMAP commands.`