From 6230bce57956d72287abadd42575a495a0c48ae53df0d415cc9736ac3bbd2d2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?=
Date: Tue, 27 Jan 2026 17:58:02 +0100
Subject: [PATCH] Add CVE-2024-6923-follow-up-EOL-email-headers.patch

It is a follow-up to the previous fix of CVE-2024-6923 further encoding EOL possibly hidden in email headers (bsc#1257181).
---
 ...024-6923-follow-up-EOL-email-headers.patch | 105 ++++++++++++++++++
 python313.changes | 7 ++
 python313.spec | 5 +
 3 files changed, 117 insertions(+)
 create mode 100644 CVE-2024-6923-follow-up-EOL-email-headers.patch

diff --git a/CVE-2024-6923-follow-up-EOL-email-headers.patch b/CVE-2024-6923-follow-up-EOL-email-headers.patch
new file mode 100644
index 0000000..a34d87b
--- /dev/null
+++ b/CVE-2024-6923-follow-up-EOL-email-headers.patch
@@ -0,0 +1,105 @@
+From 7ef18bbf2f92550e65547c0a55995c423e237944 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Fri, 23 Jan 2026 08:59:35 -0600
+Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator
+ (cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413)
+
+Co-authored-by: Seth Michael Larson
+Co-authored-by: Denis Ledoux
+Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
+Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
+Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
+---
+ Lib/email/generator.py | 12 +++++++++++-
+ Lib/test/test_email/test_generator.py | 4 +++-
+ Lib/test/test_email/test_policy.py | 6 +++++-
+ .../2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 ++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+
+diff --git a/Lib/email/generator.py b/Lib/email/generator.py
+index ce94f5c56fe34e..a03eb1fbbc9288 100644
+--- a/Lib/email/generator.py
++++ b/Lib/email/generator.py
+@@ -22,6 +22,7 @@
+ NLCRE = re.compile(r'\r\n|\r|\n')
+ fcre = re.compile(r'^From ', re.MULTILINE)
+ NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
++NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
+
+
+ class Generator:
+@@ -429,7 +430,16 @@ def _write_headers(self, msg):
+ # This is almost the same as the string version, except for handling
+ # strings with 8bit bytes.
+ for h, v in msg.raw_items():
+- self._fp.write(self.policy.fold_binary(h, v))
++ folded = self.policy.fold_binary(h, v)
++ if self.policy.verify_generated_headers:
++ linesep = self.policy.linesep.encode()
++ if not folded.endswith(linesep):
++ raise HeaderWriteError(
++ f'folded header does not end with {linesep!r}: {folded!r}')
++ if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)):
++ raise HeaderWriteError(
++ f'folded header contains newline: {folded!r}')
++ self._fp.write(folded)
+ # A blank line always separates headers from body
+ self.write(self._NL)
+
+diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py
+index c75a842c33578e..3ca79edf6a65d9 100644
+--- a/Lib/test/test_email/test_generator.py
++++ b/Lib/test/test_email/test_generator.py
+@@ -313,7 +313,7 @@ def test_flatten_unicode_linesep(self):
+ self.assertEqual(s.getvalue(), self.typ(expected))
+
+ def test_verify_generated_headers(self):
+- """gh-121650: by default the generator prevents header injection"""
++ # gh-121650: by default the generator prevents header injection
+ class LiteralHeader(str):
+ name = 'Header'
+ def fold(self, **kwargs):
+@@ -334,6 +334,8 @@ def fold(self, **kwargs):
+
+ with self.assertRaises(email.errors.HeaderWriteError):
+ message.as_string()
++ with self.assertRaises(email.errors.HeaderWriteError):
++ message.as_bytes()
+
+
+ class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
+diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py
+index baa35fd68e49c5..71ec0febb0fd86 100644
+--- a/Lib/test/test_email/test_policy.py
++++ b/Lib/test/test_email/test_policy.py
+@@ -296,7 +296,7 @@ def test_short_maxlen_error(self):
+ policy.fold("Subject", subject)
+
+ def test_verify_generated_headers(self):
+- """Turning protection off allows header injection"""
++ # Turning protection off allows header injection
+ policy = email.policy.default.clone(verify_generated_headers=False)
+ for text in (
+ 'Header: Value\r\nBad: Injection\r\n',
+@@ -319,6 +319,10 @@ def fold(self, **kwargs):
+ message.as_string(),
+ f"{text}\nBody",
+ )
++ self.assertEqual(
++ message.as_bytes(),
++ f"{text}\nBody".encode(),
++ )
+
+ # XXX: Need subclassing tests.
+ # For adding subclassed objects, make sure the usual rules apply (subclass
+diff --git a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+new file mode 100644
+index 00000000000000..e6333e724972c5
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+@@ -0,0 +1,4 @@
++:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers
++that are unsafely folded or delimited; see
++:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
++Bloemsaat and Petr Viktorin in :gh:`121650`).
diff --git a/python313.changes b/python313.changes
index 84a6b52..b44a415 100644
--- a/python313.changes
+++ b/python313.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl
+
+- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is
+ a follow-up to the previous fix of CVE-2024-6923 further
+ encoding EOL possibly hidden in email headers (bsc#1257181).
+
 -------------------------------------------------------------------
 Thu Dec 11 21:36:09 UTC 2025 - Matej Cepl
diff --git a/python313.spec b/python313.spec
index beffa54..8a2b82b 100644
--- a/python313.spec
+++ b/python313.spec
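Review bot: The new `NEWLINE_WITHOUT_FWSP_BYTES` in the `@@ -22,6 +22,7 @@` hunk of Lib/email/generator.py repeats the regex text of `NEWLINE_WITHOUT_FWSP` as a second literal, so the bytes-path check in `BytesGenerator._write_headers` can silently drift from the str-path check if either pattern is ever adjusted; deriving it keeps both generators rejecting exactly the same unsafely folded headers: `NEWLINE_WITHOUT_FWSP_BYTES = re.compile(NEWLINE_WITHOUT_FWSP.pattern.encode())`. A one-line comment on the constant would also help, e.g. `# bytes twin of NEWLINE_WITHOUT_FWSP for BytesGenerator._write_headers`. The `_write_headers` method patched in the `@@ -429,7 +430,16 @@` hunk starts and ends outside the hunk, and the equivalent str-side check it mirrors is presumably in `Generator._write_headers` (not shown here), so a shared helper taking the folded header and `linesep` would remove the duplicated raise logic as well. The added `as_bytes()` assertions in test_generator.py and test_policy.py cover both the enforcing and the opted-out path, which is the right pair of tests for this check.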
@@ -238,6 +238,11 @@ Patch45: gh139257-Support-docutils-0.22.patch
 # PATCH-FIX-UPSTREAM pass-test_write_read_limited_history.patch bsc#[0-9]+ mcepl@suse.com
 # Fix readline history truncation when length is reduced
 Patch48: pass-test_write_read_limited_history.patch
+# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 mcepl@suse.com
+# Encode newlines in headers when using ByteGenerator
+# patch from gh#python/cpython#144125
+Patch49: CVE-2024-6923-follow-up-EOL-email-headers.patch
+#### END OF PATCHES
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
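Review bot: The added comment `# Encode newlines in headers when using ByteGenerator` misdescribes what Patch49 does: the patched `BytesGenerator._write_headers` does not encode anything, it raises `HeaderWriteError` when a folded header contains a bare newline or does not end with the policy `linesep` (only while `verify_generated_headers` is enabled), and the class is named `BytesGenerator`. A more accurate line would be `# Make BytesGenerator reject (HeaderWriteError) unsafely folded headers, as Generator already does`. The same "further encoding EOL" wording appears in the python313.changes entry and the commit message, so those may be worth aligning too.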