diff --git a/CVE-2025-15367-poplib-ctrl-chars.patch b/CVE-2025-15367-poplib-ctrl-chars.patch new file mode 100644 index 0000000..3bc95ed --- /dev/null +++ b/CVE-2025-15367-poplib-ctrl-chars.patch @@ -0,0 +1,48 @@ +From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Fri, 16 Jan 2026 10:54:09 -0600 +Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters + +--- + Lib/poplib.py | 2 ++ + Lib/test/test_poplib.py | 7 +++++++ + Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 + + 3 files changed, 10 insertions(+) + +Index: Python-3.13.11/Lib/poplib.py +=================================================================== +--- Python-3.13.11.orig/Lib/poplib.py 2025-12-05 17:06:33.000000000 +0100 ++++ Python-3.13.11/Lib/poplib.py 2026-02-05 22:06:33.769936918 +0100 +@@ -122,6 +122,8 @@ + def _putcmd(self, line): + if self._debugging: print('*cmd*', repr(line)) + line = bytes(line, self.encoding) ++ if re.search(b'[\x00-\x1F\x7F]', line): ++ raise ValueError('Control characters not allowed in commands') + self._putline(line) + + +Index: Python-3.13.11/Lib/test/test_poplib.py +=================================================================== +--- Python-3.13.11.orig/Lib/test/test_poplib.py 2025-12-05 17:06:33.000000000 +0100 ++++ Python-3.13.11/Lib/test/test_poplib.py 2026-02-05 22:06:33.770193070 +0100 +@@ -396,6 +396,13 @@ + self.assertIsNone(self.client.sock) + self.assertIsNone(self.client.file) + ++ def test_control_characters(self): ++ for c0 in control_characters_c0(): ++ with self.assertRaises(ValueError): ++ self.client.user(f'user{c0}') ++ with self.assertRaises(ValueError): ++ self.client.pass_(f'{c0}pass') ++ + @requires_ssl + def test_stls_capa(self): + capa = self.client.capa() +Index: Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst 2026-02-05 22:06:33.770449444 +0100 +@@ -0,0 +1 @@ ++Reject control characters in POP3 commands. diff --git a/python313.changes b/python313.changes index bf7f6a4..889f825 100644 --- a/python313.changes +++ b/python313.changes @@ -8,6 +8,9 @@ Thu Feb 5 18:57:27 UTC 2026 - Matej Cepl - Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044 (CVE-2025-15366) using gh#python/cpython!143922 and doing basically the same as the previous patch for IMAP protocol. +- Add CVE-2025-15367-poplib-ctrl-chars.patch fixing bsc#1257041 + (CVE-2025-15367) using gh#python/cpython!143924 and doing + basically the same as the previous patch for poplib library. ------------------------------------------------------------------- Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl diff --git a/python313.spec b/python313.spec index 9797ff9..a5b3b58 100644 --- a/python313.spec +++ b/python313.spec @@ -254,6 +254,9 @@ Patch52: CVE-2026-0865-wsgiref-ctrl-chars.patch # PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com # Reject control characters in wsgiref.headers.Headers Patch53: CVE-2025-15366-imap-ctrl-chars.patch +# PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com +# Reject control characters in poplib +Patch54: CVE-2025-15367-poplib-ctrl-chars.patch #### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake