forked from pool/python312
Matěj Cepl
07beab470d
CVE-2025-11468: to preserve parens when folding comments.
(bsc#1257029, gh#python/cpython#143935)
CVE-2025-11468-email-hdr-fold-comment.patch
CVE-2025-12781: fix decoding with non-standard Base64 alphabet
(bsc#1257108, gh#python/cpython#125346)
CVE-2025-12781-b64decode-alt-chars.patch
CVE-2026-0672: rejects control characters in http cookies.
(bsc#1257031, gh#python/cpython#143919)
CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
CVE-2026-0865: rejecting control characters in
wsgiref.headers.Headers, which could be abused for injecting
false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
CVE-2026-0865-wsgiref-ctrl-chars.patch
CVE-2025-15366: basically the same as the previous patch for
IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
CVE-2025-15366-imap-ctrl-chars.patch
CVE-2025-15282: basically the same as the previous patch for
urllib library. (bsc#1257046, gh#python/cpython#143925)
CVE-2025-15282-urllib-ctrl-chars.patch
CVE-2025-15367: basically the same as the previous patch for
poplib library. (bsc#1257041, gh#python/cpython#143923)
CVE-2025-15367-poplib-ctrl-chars.patch
CVE-2025-13836: to prevent reading an HTTP response from
Content-Length per default as the length. (bsc#1254400,
gh#python/cpython#119451)
CVE-2025-13836-http-resp-cont-len.patch
CVE-2025-12084: prevent quadratic behavior in node ID cache
clearing. (bsc#1254997, gh#python/cpython#142145)
CVE-2025-12084-minidom-quad-search.patch
CVE-2025-13837: protect against OOM when loading malicious
content. (bsc#1254401, gh#python/cpython#119342)
CVE-2025-13837-plistlib-mailicious-length.patch
- gh-99242: os.getloadavg() may throw OSError when running
regression tests under certain conditions (e.g. chroot).
This error is now caught and ignored, since reporting load
average is optional.
- gh-121160: Add a test for readline.set_history_length().
Note that this test may fail on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of test_posixpath.
Call getpwnam() to get pw_dir, since it can be different
than getpwall() pw_dir. Patch by Victor Stinner.
- gh-121188: When creating the JUnit XML file, regrtest now
escapes characters which are invalid in XML, such as the
chr(27) control character used in ANSI escape sequences.
Patch by Victor Stinner.
- CVE-2026-1299 and CVE-2024-6923: email headers with
embedded newlines are now quoted on output. The generator
will now refuse to serialize (write) headers that are
unsafely folded or delimited; see verify_generated_headers.
(Contributed by Bas Bloemsaat and Petr Viktorin in
bsc#1228780, gh-121650; bsc#1257181, gh-121650).
- gh-120495: Fix incorrect exception handling in Tab Nanny.
Patch by Wulian233.
would produce incorrect results if type parameters in
a class scope were overridden by assignments in a class
scope and from __future__ import annotations semantics were
- gh-81936: help() and showtopic() methods now respect
a configured output argument to pydoc.Helper and not use
the pager in such cases. Patch by Enrico Tröger.
- gh-119577: The DeprecationWarning emitted when testing the
truth value of an xml.etree.ElementTree.Element now
- gh-121871: Documentation HTML varies from timestamp. Patch
by Bernhard M. Wiedemann (bsc#1227999).
- gh-122029: Emit c_call events in sys.setprofile() when
a PyMethodObject pointing to a PyCFunction is called.
modification of a list object, where one thread assigns
a slice and another clears it.
bytes and bytearray objects when using protocol version 5.
Patch by Bénédikt Tran.
57 lines
2.4 KiB
Diff
57 lines
2.4 KiB
Diff
From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
|
|
From: Seth Michael Larson <seth@python.org>
|
|
Date: Fri, 16 Jan 2026 10:54:09 -0600
|
|
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
|
|
|
|
---
|
|
Lib/poplib.py | 2 ++
|
|
Lib/test/test_poplib.py | 8 ++++++++
|
|
Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 +
|
|
3 files changed, 11 insertions(+)
|
|
|
|
Index: Python-3.12.12/Lib/poplib.py
|
|
===================================================================
|
|
--- Python-3.12.12.orig/Lib/poplib.py 2026-02-11 23:46:29.442215955 +0100
|
|
+++ Python-3.12.12/Lib/poplib.py 2026-02-11 23:46:46.713251058 +0100
|
|
@@ -122,6 +122,8 @@
|
|
def _putcmd(self, line):
|
|
if self._debugging: print('*cmd*', repr(line))
|
|
line = bytes(line, self.encoding)
|
|
+ if re.search(b'[\x00-\x1F\x7F]', line):
|
|
+ raise ValueError('Control characters not allowed in commands')
|
|
self._putline(line)
|
|
|
|
|
|
Index: Python-3.12.12/Lib/test/test_poplib.py
|
|
===================================================================
|
|
--- Python-3.12.12.orig/Lib/test/test_poplib.py 2026-02-11 23:46:31.636412813 +0100
|
|
+++ Python-3.12.12/Lib/test/test_poplib.py 2026-02-11 23:46:46.713442229 +0100
|
|
@@ -17,6 +17,7 @@
|
|
from test.support import threading_helper
|
|
from test.support import asynchat
|
|
from test.support import asyncore
|
|
+from test.support import control_characters_c0
|
|
|
|
|
|
test_support.requires_working_socket(module=True)
|
|
@@ -395,6 +396,13 @@
|
|
self.assertIsNone(self.client.sock)
|
|
self.assertIsNone(self.client.file)
|
|
|
|
+ def test_control_characters(self):
|
|
+ for c0 in control_characters_c0():
|
|
+ with self.assertRaises(ValueError):
|
|
+ self.client.user(f'user{c0}')
|
|
+ with self.assertRaises(ValueError):
|
|
+ self.client.pass_(f'{c0}pass')
|
|
+
|
|
@requires_ssl
|
|
def test_stls_capa(self):
|
|
capa = self.client.capa()
|
|
Index: Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ Python-3.12.12/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst 2026-02-11 23:46:46.713620996 +0100
|
|
@@ -0,0 +1 @@
|
|
+Reject control characters in POP3 commands.
|