python-interpreters/python310
SHA256
7
0
Fork 0
forked from pool/python310
Code Pull Requests Activity

Set link to python310.30576 via maintenance_release request

Browse Source
This commit is contained in:
Ruediger Oertel
2023-09-27 16:43:48 +00:00
committed by Matěj Cepl
parent 8bdb667986
commit aa5d3ba9db
10 changed files with 650 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

249
CVE-2023-27043-email-parsing-errors.patch Normal file
View File

@@ -0,0 +1,249 @@
---
Doc/library/email.utils.rst | 26 +++
Lib/email/utils.py | 63 +++++++
Lib/test/test_email/test_email.py | 81 +++++++++-
Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4
4 files changed, 164 insertions(+), 10 deletions(-)
Index: Python-3.10.12/Doc/library/email.utils.rst
===================================================================
--- Python-3.10.12.orig/Doc/library/email.utils.rst
+++ Python-3.10.12/Doc/library/email.utils.rst
@@ -67,6 +67,11 @@ of the new API.
*email address* parts. Returns a tuple of that information, unless the parse
fails, in which case a 2-tuple of ``('', '')`` is returned.
+ .. versionchanged:: 3.12
+ For security reasons, addresses that were ambiguous and could parse into
+ multiple different addresses now cause ``('', '')`` to be returned
+ instead of only one of the *potential* addresses.
+
.. function:: formataddr(pair, charset='utf-8')
@@ -89,7 +94,7 @@ of the new API.
This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
*fieldvalues* is a sequence of header field values as might be returned by
:meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple
- example that gets all the recipients of a message::
+ example that gets all the recipients of a message:
from email.utils import getaddresses
@@ -99,6 +104,25 @@ of the new API.
resent_ccs = msg.get_all('resent-cc', [])
all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
+ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
+ is returned in its place. Other errors in parsing the list of
+ addresses such as a fieldvalue seemingly parsing into multiple
+ addresses may result in a list containing a single empty 2-tuple
+ ``[('', '')]`` being returned rather than returning potentially
+ invalid output.
+
+ Example malformed input parsing:
+
+ .. doctest::
+
+ >>> from email.utils import getaddresses
+ >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
+ [('', '')]
+
+ .. versionchanged:: 3.12
+ The 2-tuple of ``('', '')`` in the returned values when parsing
+ fails were added as to address a security issue.
+
.. function:: parsedate(date)
Index: Python-3.10.12/Lib/email/utils.py
===================================================================
--- Python-3.10.12.orig/Lib/email/utils.py
+++ Python-3.10.12/Lib/email/utils.py
@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'):
return address
+def _pre_parse_validation(email_header_fields):
+ accepted_values = []
+ for v in email_header_fields:
+ s = v.replace('\\(', '').replace('\\)', '')
+ if s.count('(') != s.count(')'):
+ v = "('', '')"
+ accepted_values.append(v)
+
+ return accepted_values
+
+
+def _post_parse_validation(parsed_email_header_tuples):
+ accepted_values = []
+ # The parser would have parsed a correctly formatted domain-literal
+ # The existence of an [ after parsing indicates a parsing failure
+ for v in parsed_email_header_tuples:
+ if '[' in v[1]:
+ v = ('', '')
+ accepted_values.append(v)
+
+ return accepted_values
+
def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
- all = COMMASPACE.join(str(v) for v in fieldvalues)
+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+
+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
+ its place.
+
+ If the resulting list of parsed address is not the same as the number of
+ fieldvalues in the input list a parsing error has occurred. A list
+ containing a single empty 2-tuple [('', '')] is returned in its place.
+ This is done to avoid invalid output.
+ """
+ fieldvalues = [str(v) for v in fieldvalues]
+ fieldvalues = _pre_parse_validation(fieldvalues)
+ all = COMMASPACE.join(v for v in fieldvalues)
a = _AddressList(all)
- return a.addresslist
+ result = _post_parse_validation(a.addresslist)
+
+ n = 0
+ for v in fieldvalues:
+ n += v.count(',') + 1
+
+ if len(result) != n:
+ return [('', '')]
+
+ return result
def _format_timetuple_and_zone(timetuple, zone):
@@ -212,9 +254,18 @@ def parseaddr(addr):
Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', '').
"""
- addrs = _AddressList(addr).addresslist
- if not addrs:
- return '', ''
+ if isinstance(addr, list):
+ addr = addr[0]
+
+ if not isinstance(addr, str):
+ return ('', '')
+
+ addr = _pre_parse_validation([addr])[0]
+ addrs = _post_parse_validation(_AddressList(addr).addresslist)
+
+ if not addrs or len(addrs) > 1:
+ return ('', '')
+
return addrs[0]
Index: Python-3.10.12/Lib/test/test_email/test_email.py
===================================================================
--- Python-3.10.12.orig/Lib/test/test_email/test_email.py
+++ Python-3.10.12/Lib/test/test_email/test_email.py
@@ -3288,15 +3288,90 @@ Foo
[('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')])
+ def test_getaddresses_parsing_errors(self):
+ """Test for parsing errors from CVE-2023-27043"""
+ eq = self.assertEqual
+ eq(utils.getaddresses(['alice@example.org(<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org)<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org<<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org><bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org@<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org,<bob@example.com>']),
+ [('', 'alice@example.org'), ('', 'bob@example.com')])
+ eq(utils.getaddresses(['alice@example.org;<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org:<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org.<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org"<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org[<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org]<bob@example.com>']),
+ [('', '')])
+
+ def test_parseaddr_parsing_errors(self):
+ """Test for parsing errors from CVE-2023-27043"""
+ eq = self.assertEqual
+ eq(utils.parseaddr(['alice@example.org(<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org)<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org<<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org><bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org@<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org,<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org;<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org:<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org.<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org"<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org[<bob@example.com>']),
+ ('', ''))
+ eq(utils.parseaddr(['alice@example.org]<bob@example.com>']),
+ ('', ''))
+
def test_getaddresses_nasty(self):
eq = self.assertEqual
eq(utils.getaddresses(['foo: ;']), [('', '')])
- eq(utils.getaddresses(
- ['[]*-- =~$']),
- [('', ''), ('', ''), ('', '*--')])
+ eq(utils.getaddresses(['[]*-- =~$']), [('', '')])
eq(utils.getaddresses(
['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
[('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
+ eq(utils.getaddresses(
+ [r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>']),
+ [('Pete (A nice ) chap his account his host)', 'pete@silly.test')])
+ eq(utils.getaddresses(
+ ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']),
+ [('', '')])
+ eq(utils.getaddresses(
+ ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']),
+ [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')])
+ eq(utils.getaddresses(
+ ['John Doe <jdoe@machine(comment). example>']),
+ [('John Doe (comment)', 'jdoe@machine.example')])
+ eq(utils.getaddresses(
+ ['"Mary Smith: Personal Account" <smith@home.example>']),
+ [('Mary Smith: Personal Account', 'smith@home.example')])
+ eq(utils.getaddresses(
+ ['Undisclosed recipients:;']),
+ [('', '')])
+ eq(utils.getaddresses(
+ [r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>']),
+ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')])
def test_getaddresses_embedded_comment(self):
"""Test proper handling of a nested comment"""
Index: Python-3.10.12/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
===================================================================
--- /dev/null
+++ Python-3.10.12/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -0,0 +1,4 @@
+CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
+and :func:`email.utils.getaddresses` from returning the realname portion of an
+invalid RFC2822 email header in the email address portion of the 2-tuple
+returned after being parsed by :class:`email._parseaddr.AddressList`.

16
Python-3.10.12.tar.xz.asc
View File

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/tqIACgkQ/+h0BBaL
2EfUfg/9FW0m6nngtGIKTJ+Gk4G13pQvnELgc3eq70t7Sn1g2kGxDpO+rs0WptYG
gGcHs6v4rE/3uQ0mf4QCvnnXffQEQ+bRDaj1ZBY/rJjCdgQeUNMElV0KbvADiTqS
+akmsXaK3KqLHJesZo65lZ4HSADWKosBU3zxE2/CRMMsz1aLMDLIoaQo+pqDcFl7
ZfGMlmiJNyD2jZVYGdwCbhG0BymOTU02BxkH2Dkd9OGzj9A3zDPCO6RcDFtw4dkK
lngHQGijYaFV11FqIaApnUkz7aAPk//2KRLwpf5D5z8p8T8QsHAJyTmIm1gMQiQA
tMThI1tFGN6lF1QSrfwGooXs3AdeEY0VoL4CpQi8TVRLyi6HE4AU4hEQdPqVmpm1
+U2K0MpYhkwtPp0E9E7y9v82fMSzUKvGgpTstnblKTfDmgGUGb47Ncj3XvxH8SZz
p93YK2xpfl4V2ltLio8ONmwP9lQhxk5L34dQR20cjbOoj622VofqGUV7Zr6UHVLD
pqYgnj3zgiTPmbCzgVxZOyaLD3ezsY8oAtfLgX6cjCfsTtV27TvQUD8Br0oKQYS/
h5KJBdytokqPa+JWr59hvQpcLSbmCB2y7USminoS2yL1hpXidTvVDUALF3vorvZi
BS8prxUIFT2dgerUpWmMrKYih7pJNKdySGgI3zXtxIt5TE0TRag=
=9Zqh
-----END PGP SIGNATURE-----

0
Python-3.10.12.tar.xz → Python-3.10.13.tar.xz
View File

16
Python-3.10.13.tar.xz.asc Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmTnVFIACgkQ/+h0BBaL
2EfANRAAng1gGOlrpC5O6dU3w37Ubbp4nqRxCgLO3jcOipafkq4PdQN0VrP8Gvbx
NGn+ELdAiBasVkgx3aZcDKCSHQT9PkMOGjNKKcv6NamMTnwp5IeVEY+uXSITxOoQ
VmLRKdnNO9PYkSfh0bB51p5+HtnbFabs6lY6NEwSg9J2ooNCChgaVEEjGJalLkKn
aCy+G9prd4KUXMonm8fqk3kj79qcEdj97CdOdEpE0EvH5oNNfKRwkD8j4nztE5mM
GeymPb9g9gY+u2Ph5bPkkNHSwgO/NVgCrAxcdJC4/tabiWBFZtmLEcEUvMmMVDdM
VAV40PHlIevzY2wm2PIZYKqqVpvyfjk3SRSfqJe7BiOMfifXpG1rYD+pB823U20c
Xzi9Z1p39406XbgOI9EE4dVWSI03kyEcnOth8pv/aYoIlSGnfH7ngST0OGoBMUZ4
LwwOiBBgqoRJoYKERmbQ+r4hFJTkdFgFZHu9YkT5L+TwCRbVYGK6bptZGCveVn92
j4t8gOpR+m27Sc3YWxEqp3dW3u3GWEPqtK2MDdbj3omZ00vb+Ukdq3CLLNoxP/KC
PvJsxe2coMYz0R9SbSrKujJeYeb/6P8P5QxzcqiVfWtZRc9SJ+aianaTgfcag08R
9XDTiL4thCq5uaKsYaLECaPDKMF/skQrqbbLShf5rvcvDJO783s=
=UP6h
-----END PGP SIGNATURE-----

283
Revert-gh105127-left-tests.patch Normal file
View File

@@ -0,0 +1,283 @@
From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Thu, 20 Jul 2023 20:30:52 -0700
Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address
parsing errors ... (GH-105127)" (GH-106733)
This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00.
Adds a regression test from the issue.
See https://github.com/python/cpython/issues/106669..
(cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Doc/library/email.utils.rst | 26 --
Lib/email/utils.py | 63 ------
Lib/test/test_email/test_email.py | 96 +---------
Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 5
4 files changed, 31 insertions(+), 159 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
Index: Python-3.10.13/Doc/library/email.utils.rst
===================================================================
--- Python-3.10.13.orig/Doc/library/email.utils.rst
+++ Python-3.10.13/Doc/library/email.utils.rst
@@ -67,11 +67,6 @@ of the new API.
*email address* parts. Returns a tuple of that information, unless the parse
fails, in which case a 2-tuple of ``('', '')`` is returned.
- .. versionchanged:: 3.12
- For security reasons, addresses that were ambiguous and could parse into
- multiple different addresses now cause ``('', '')`` to be returned
- instead of only one of the *potential* addresses.
-
.. function:: formataddr(pair, charset='utf-8')
@@ -94,7 +89,7 @@ of the new API.
This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
*fieldvalues* is a sequence of header field values as might be returned by
:meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple
- example that gets all the recipients of a message:
+ example that gets all the recipients of a message::
from email.utils import getaddresses
@@ -104,25 +99,6 @@ of the new API.
resent_ccs = msg.get_all('resent-cc', [])
all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
- When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
- is returned in its place. Other errors in parsing the list of
- addresses such as a fieldvalue seemingly parsing into multiple
- addresses may result in a list containing a single empty 2-tuple
- ``[('', '')]`` being returned rather than returning potentially
- invalid output.
-
- Example malformed input parsing:
-
- .. doctest::
-
- >>> from email.utils import getaddresses
- >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
- [('', '')]
-
- .. versionchanged:: 3.12
- The 2-tuple of ``('', '')`` in the returned values when parsing
- fails were added as to address a security issue.
-
.. function:: parsedate(date)
Index: Python-3.10.13/Lib/email/utils.py
===================================================================
--- Python-3.10.13.orig/Lib/email/utils.py
+++ Python-3.10.13/Lib/email/utils.py
@@ -106,54 +106,12 @@ def formataddr(pair, charset='utf-8'):
return address
-def _pre_parse_validation(email_header_fields):
- accepted_values = []
- for v in email_header_fields:
- s = v.replace('\\(', '').replace('\\)', '')
- if s.count('(') != s.count(')'):
- v = "('', '')"
- accepted_values.append(v)
-
- return accepted_values
-
-
-def _post_parse_validation(parsed_email_header_tuples):
- accepted_values = []
- # The parser would have parsed a correctly formatted domain-literal
- # The existence of an [ after parsing indicates a parsing failure
- for v in parsed_email_header_tuples:
- if '[' in v[1]:
- v = ('', '')
- accepted_values.append(v)
-
- return accepted_values
-
def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-
- When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
- its place.
-
- If the resulting list of parsed address is not the same as the number of
- fieldvalues in the input list a parsing error has occurred. A list
- containing a single empty 2-tuple [('', '')] is returned in its place.
- This is done to avoid invalid output.
- """
- fieldvalues = [str(v) for v in fieldvalues]
- fieldvalues = _pre_parse_validation(fieldvalues)
- all = COMMASPACE.join(v for v in fieldvalues)
+ """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
+ all = COMMASPACE.join(str(v) for v in fieldvalues)
a = _AddressList(all)
- result = _post_parse_validation(a.addresslist)
-
- n = 0
- for v in fieldvalues:
- n += v.count(',') + 1
-
- if len(result) != n:
- return [('', '')]
-
- return result
+ return a.addresslist
def _format_timetuple_and_zone(timetuple, zone):
@@ -254,18 +212,9 @@ def parseaddr(addr):
Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', '').
"""
- if isinstance(addr, list):
- addr = addr[0]
-
- if not isinstance(addr, str):
- return ('', '')
-
- addr = _pre_parse_validation([addr])[0]
- addrs = _post_parse_validation(_AddressList(addr).addresslist)
-
- if not addrs or len(addrs) > 1:
- return ('', '')
-
+ addrs = _AddressList(addr).addresslist
+ if not addrs:
+ return '', ''
return addrs[0]
Index: Python-3.10.13/Lib/test/test_email/test_email.py
===================================================================
--- Python-3.10.13.orig/Lib/test/test_email/test_email.py
+++ Python-3.10.13/Lib/test/test_email/test_email.py
@@ -3288,90 +3288,32 @@ Foo
[('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')])
- def test_getaddresses_parsing_errors(self):
- """Test for parsing errors from CVE-2023-27043"""
- eq = self.assertEqual
- eq(utils.getaddresses(['alice@example.org(<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org)<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org<<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org><bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org@<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org,<bob@example.com>']),
- [('', 'alice@example.org'), ('', 'bob@example.com')])
- eq(utils.getaddresses(['alice@example.org;<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org:<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org.<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org"<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org[<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org]<bob@example.com>']),
- [('', '')])
-
- def test_parseaddr_parsing_errors(self):
- """Test for parsing errors from CVE-2023-27043"""
- eq = self.assertEqual
- eq(utils.parseaddr(['alice@example.org(<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org)<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org<<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org><bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org@<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org,<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org;<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org:<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org.<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org"<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org[<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org]<bob@example.com>']),
- ('', ''))
+ def test_getaddresses_comma_in_name(self):
+ """GH-106669 regression test."""
+ self.assertEqual(
+ utils.getaddresses(
+ [
+ '"Bud, Person" <bperson@dom.ain>',
+ 'aperson@dom.ain (Al Person)',
+ '"Mariusz Felisiak" <to@example.com>',
+ ]
+ ),
+ [
+ ('Bud, Person', 'bperson@dom.ain'),
+ ('Al Person', 'aperson@dom.ain'),
+ ('Mariusz Felisiak', 'to@example.com'),
+ ],
+ )
def test_getaddresses_nasty(self):
eq = self.assertEqual
eq(utils.getaddresses(['foo: ;']), [('', '')])
- eq(utils.getaddresses(['[]*-- =~$']), [('', '')])
+ eq(utils.getaddresses(
+ ['[]*-- =~$']),
+ [('', ''), ('', ''), ('', '*--')])
eq(utils.getaddresses(
['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
[('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
- eq(utils.getaddresses(
- [r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>']),
- [('Pete (A nice ) chap his account his host)', 'pete@silly.test')])
- eq(utils.getaddresses(
- ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']),
- [('', '')])
- eq(utils.getaddresses(
- ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']),
- [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')])
- eq(utils.getaddresses(
- ['John Doe <jdoe@machine(comment). example>']),
- [('John Doe (comment)', 'jdoe@machine.example')])
- eq(utils.getaddresses(
- ['"Mary Smith: Personal Account" <smith@home.example>']),
- [('Mary Smith: Personal Account', 'smith@home.example')])
- eq(utils.getaddresses(
- ['Undisclosed recipients:;']),
- [('', '')])
- eq(utils.getaddresses(
- [r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>']),
- [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')])
def test_getaddresses_embedded_comment(self):
"""Test proper handling of a nested comment"""
Index: Python-3.10.13/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
===================================================================
--- Python-3.10.13.orig/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+++ Python-3.10.13/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -1,3 +1,8 @@
+Reverted the :mod:`email.utils` security improvement change released in
+3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail
+to parse email addresses with a comma in the quoted name field.
+See :gh:`106669`.
+
CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
and :func:`email.utils.getaddresses` from returning the realname portion of an
invalid RFC2822 email header in the email address portion of the 2-tuple

16
fix_configure_rst.patch
View File

@@ -3,8 +3,10 @@
Misc/NEWS | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
--- a/Doc/using/configure.rst
+++ b/Doc/using/configure.rst
Index: Python-3.10.12/Doc/using/configure.rst
===================================================================
--- Python-3.10.12.orig/Doc/using/configure.rst
+++ Python-3.10.12/Doc/using/configure.rst
@@ -42,7 +42,6 @@ General Options
See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
@@ -13,7 +15,7 @@
.. cmdoption:: --with-cxx-main=COMPILER
Compile the Python ``main()`` function and link Python executable with C++
@@ -457,13 +456,11 @@ macOS Options
@@ -473,13 +472,11 @@ macOS Options
See ``Mac/README.rst``.
@@ -27,9 +29,11 @@
.. cmdoption:: --enable-framework=INSTALLDIR
Create a Python.framework rather than a traditional Unix install. Optional
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -3422,7 +3422,7 @@ C API
Index: Python-3.10.12/Misc/NEWS
===================================================================
--- Python-3.10.12.orig/Misc/NEWS
+++ Python-3.10.12/Misc/NEWS
@@ -3618,7 +3618,7 @@ C API
-----
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name

30
gh-78214-marshal_stabilize_FLAG_REF.patch Normal file
View File

@@ -0,0 +1,30 @@
From 6c8ea7c1dacd42f3ba00440231ec0e6b1a38300d Mon Sep 17 00:00:00 2001
From: Inada Naoki <songofacandy@gmail.com>
Date: Sat, 14 Jul 2018 00:46:11 +0900
Subject: [PATCH] Use FLAG_REF always for interned strings
---
Python/marshal.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
Index: Python-3.10.12/Python/marshal.c
===================================================================
--- Python-3.10.12.orig/Python/marshal.c
+++ Python-3.10.12/Python/marshal.c
@@ -298,9 +298,14 @@ w_ref(PyObject *v, char *flag, WFILE *p)
if (p->version < 3 || p->hashtable == NULL)
return 0; /* not writing object references */
- /* if it has only one reference, it definitely isn't shared */
- if (Py_REFCNT(v) == 1)
+ /* If it has only one reference, it definitely isn't shared.
+ * But we use TYPE_REF always for interned string, to PYC file stable
+ * as possible.
+ */
+ if (Py_REFCNT(v) == 1 &&
+ !(PyUnicode_CheckExact(v) && PyUnicode_CHECK_INTERNED(v))) {
return 0;
+ }
entry = _Py_hashtable_get_entry(p->hashtable, v);
if (entry != NULL) {

41
python310.changes
View File

@@ -1,3 +1,44 @@
-------------------------------------------------------------------
Mon Sep 4 13:18:29 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
- Update to 3.10.13 (bsc#1214692):
- gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included
protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
Gregory P. Smith.
- gh-107845: tarfile.data_filter() now takes the location of
symlinks into account when determining their target, so it will no
longer reject some valid tarballs with
LinkOutsideDestinationError.
- gh-107565: Update multissltests and GitHub CI workflows to use
OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
- gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data:
*consumed was not set.
-------------------------------------------------------------------
Thu Aug 3 14:13:30 UTC 2023 - Matej Cepl <mcepl@suse.com>
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
partially reverting CVE-2023-27043-email-parsing-errors.patch,
because of the regression in gh#python/cpython#106669.
-------------------------------------------------------------------
Wed Jul 19 11:15:39 UTC 2023 - Matej Cepl <mcepl@suse.com>
- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for
stabilizing FLAG_REF usage (required for reproduceability;
bsc#1213463).
-------------------------------------------------------------------
Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API).
-------------------------------------------------------------------
Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl <mcepl@suse.com>

18
python310.spec
View File

@@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}}
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
Version: 3.10.12
Version: 3.10.13
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@@ -168,7 +168,18 @@ Patch35: fix_configure_rst.patch
Patch36: support-expat-CVE-2022-25236-patched.patch
# PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mcepl@suse.com
# Make `set` and `frozenset` marshalling deterministic
Patch39: bpo-37596-make-set-marshalling.patch
Patch38: bpo-37596-make-set-marshalling.patch
# PATCH-FIX-UPSTREAM gh-78214-marshal_stabilize_FLAG_REF.patch bsc#1213463 mcepl@suse.com
# marshal: Stabilize FLAG_REF usage
Patch39: gh-78214-marshal_stabilize_FLAG_REF.patch
# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# Detect email address parsing errors and return empty tuple to
# indicate the parsing error (old API), from gh#python/cpython!105127
# Patch carries a REGRESSION (gh#python/cpython#106669), so it has been also partially REVERTED
Patch40: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
# Partially revert previous patch
Patch41: Revert-gh105127-left-tests.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@@ -440,7 +451,10 @@ other applications.
%endif
%patch35 -p1
%patch36 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

8
subprocess-raise-timeout.patch
View File

@@ -2,9 +2,11 @@
Lib/test/test_subprocess.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/Lib/test/test_subprocess.py
+++ b/Lib/test/test_subprocess.py
@@ -267,7 +267,8 @@ class ProcessTestCase(BaseTestCase):
Index: Python-3.10.12/Lib/test/test_subprocess.py
===================================================================
--- Python-3.10.12.orig/Lib/test/test_subprocess.py
+++ Python-3.10.12/Lib/test/test_subprocess.py
@@ -268,7 +268,8 @@ class ProcessTestCase(BaseTestCase):
"time.sleep(3600)"],
# Some heavily loaded buildbots (sparc Debian 3.x) require
# this much time to start and print.