pool/python312
SHA256
17
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory python-interpreters:factory
..
compare: python-interpreters:factory
Branches Tags
python-interpreters:factory pool:factory

2 Commits
factory ... factory

Author SHA256 Message Date
Matěj Cepl
f7e1518c94 Add CVE-2025-11468-email-hdr-fold-comment.patch (bsc#1257029, 
CVE-2025-11468) to preserve parens when folding comments.
 2026-02-06 00:08:58 +01:00
Matěj Cepl
2e0653fc8e doc: mention that bsc#1257181 has been already fixed 2026-02-05 22:58:49 +01:00
3 changed files with 119 additions and 1 deletions
Expand all files Collapse all files

108
CVE-2025-11468-email-hdr-fold-comment.patch Normal file
View File

@@ -0,0 +1,108 @@
From 3900a2cb7d8321629717b8483179263a968bf552 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Mon, 19 Jan 2026 06:38:22 -0600
Subject: [PATCH] gh-143935: Email preserve parens when folding comments
(GH-143936)
Fix a bug in the folding of comments when flattening an email message
using a modern email policy. Comments consisting of a very long sequence of
non-foldable characters could trigger a forced line wrap that omitted the
required leading space on the continuation line, causing the remainder of
the comment to be interpreted as a new header field. This enabled header
injection with carefully crafted inputs.
(cherry picked from commit 17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Denis Ledoux <dle@odoo.com>
---
Lib/email/_header_value_parser.py | 15 ++++++
Lib/test/test_email/test__header_value_parser.py | 23 ++++++++++
Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst | 6 ++
3 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
Index: Python-3.12.12/Lib/email/_header_value_parser.py
===================================================================
--- Python-3.12.12.orig/Lib/email/_header_value_parser.py 2026-02-06 00:08:35.667684507 +0100
+++ Python-3.12.12/Lib/email/_header_value_parser.py 2026-02-06 00:08:40.746286971 +0100
@@ -101,6 +101,12 @@
return str(value).replace('\\', '\\\\').replace('"', '\\"')
+def make_parenthesis_pairs(value):
+ """Escape parenthesis and backslash for use within a comment."""
+ return str(value).replace('\\', '\\\\') \
+ .replace('(', '\\(').replace(')', '\\)')
+
+
def quote_string(value):
escaped = make_quoted_pairs(value)
return f'"{escaped}"'
@@ -933,7 +939,7 @@
return ' '
def startswith_fws(self):
- return True
+ return self and self[0] in WSP
class ValueTerminal(Terminal):
@@ -2922,6 +2928,13 @@
[ValueTerminal(make_quoted_pairs(p), 'ptext')
for p in newparts] +
[ValueTerminal('"', 'ptext')])
+ if part.token_type == 'comment':
+ newparts = (
+ [ValueTerminal('(', 'ptext')] +
+ [ValueTerminal(make_parenthesis_pairs(p), 'ptext')
+ if p.token_type == 'ptext' else p
+ for p in newparts] +
+ [ValueTerminal(')', 'ptext')])
if not part.as_ew_allowed:
wrap_as_ew_blocked += 1
newparts.append(end_ew_not_allowed)
Index: Python-3.12.12/Lib/test/test_email/test__header_value_parser.py
===================================================================
--- Python-3.12.12.orig/Lib/test/test_email/test__header_value_parser.py 2026-02-06 00:08:37.343959625 +0100
+++ Python-3.12.12/Lib/test/test_email/test__header_value_parser.py 2026-02-06 00:08:40.747102748 +0100
@@ -3141,6 +3141,29 @@
with self.subTest(to=to):
self._test(parser.get_address_list(to)[0], folded, policy=policy)
+ def test_address_list_with_long_unwrapable_comment(self):
+ policy = self.policy.clone(max_line_length=40)
+ cases = [
+ # (to, folded)
+ ('(loremipsumdolorsitametconsecteturadipi)<spy@example.org>',
+ '(loremipsumdolorsitametconsecteturadipi)<spy@example.org>\n'),
+ ('<spy@example.org>(loremipsumdolorsitametconsecteturadipi)',
+ '<spy@example.org>(loremipsumdolorsitametconsecteturadipi)\n'),
+ ('(loremipsum dolorsitametconsecteturadipi)<spy@example.org>',
+ '(loremipsum dolorsitametconsecteturadipi)<spy@example.org>\n'),
+ ('<spy@example.org>(loremipsum dolorsitametconsecteturadipi)',
+ '<spy@example.org>(loremipsum\n dolorsitametconsecteturadipi)\n'),
+ ('(Escaped \\( \\) chars \\\\ in comments stay escaped)<spy@example.org>',
+ '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)<spy@example.org>\n'),
+ ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))<spy@example.org>',
+ '((loremipsum)(loremipsum)(loremipsum)(loremipsum))<spy@example.org>\n'),
+ ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))<spy@example.org>',
+ '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))<spy@example.org>\n'),
+ ]
+ for (to, folded) in cases:
+ with self.subTest(to=to):
+ self._test(parser.get_address_list(to)[0], folded, policy=policy)
+
# XXX Need tests with comments on various sides of a unicode token,
# and with unicode tokens in the comments. Spaces inside the quotes
# currently don't do the right thing.
Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst 2026-02-06 00:08:40.747576711 +0100
@@ -0,0 +1,6 @@
+Fixed a bug in the folding of comments when flattening an email message
+using a modern email policy. Comments consisting of a very long sequence of
+non-foldable characters could trigger a forced line wrap that omitted the
+required leading space on the continuation line, causing the remainder of
+the comment to be interpreted as a new header field. This enabled header
+injection with carefully crafted inputs.

8
python312.changes
View File

@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Feb 6 00:07:20 CET 2026 - Matej Cepl <mcepl@suse.com>
- Add CVE-2025-11468-email-hdr-fold-comment.patch (bsc#1257029,
CVE-2025-11468) to preserve parens when folding comments.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu> Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
@@ -1254,7 +1260,7 @@ Wed Aug 7 18:05:57 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
serialize (write) headers that are unsafely folded or serialize (write) headers that are unsafely folded or
delimited; see verify_generated_headers. (Contributed by delimited; see verify_generated_headers. (Contributed by
Bas Bloemsaat and Petr Viktorin in gh-121650; bsc#1228780, Bas Bloemsaat and Petr Viktorin in gh-121650; bsc#1228780,
CVE-2024-6923). CVE-2024-6923; bsc#1257181, CVE-2026-1299).
- gh-122332: Fixed segfault with asyncio.Task.get_coro() when - gh-122332: Fixed segfault with asyncio.Task.get_coro() when
using an eager task factory. using an eager task factory.
- gh-122170: Handle ValueErrors raised by os.stat() in - gh-122170: Handle ValueErrors raised by os.stat() in

4
python312.spec
View File

@@ -204,6 +204,10 @@ Patch50: CVE-2025-12084-minidom-quad-search.patch
# PATCH-FIX-UPSTREAM CVE-2025-13837-plistlib-mailicious-length.patch bsc#1254401 mcepl@suse.com # PATCH-FIX-UPSTREAM CVE-2025-13837-plistlib-mailicious-length.patch bsc#1254401 mcepl@suse.com
# protect against OOM when loading malicious content # protect against OOM when loading malicious content
Patch51: CVE-2025-13837-plistlib-mailicious-length.patch Patch51: CVE-2025-13837-plistlib-mailicious-length.patch
# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com
# Email preserve parens when folding comments
Patch52: CVE-2025-11468-email-hdr-fold-comment.patch
### END OF PATCHES
BuildRequires: autoconf-archive BuildRequires: autoconf-archive
BuildRequires: automake BuildRequires: automake
BuildRequires: fdupes BuildRequires: fdupes