Add CVE-2025-11468-email-hdr-fold-comment.patch

Preserving parens when folding comments in email headers (bsc#1257029, CVE-2025-11468).
2026-01-29 13:46:47 +01:00
parent 6230bce579
commit 79a850acd8
3 changed files with 114 additions and 0 deletions
--- a/CVE-2025-11468-email-hdr-fold-comment.patch
+++ b/CVE-2025-11468-email-hdr-fold-comment.patch
@@ -0,0 +1,108 @@
+From 636f0b674ac4f4778b3ba32e950fdfc58a54b9e1 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Mon, 19 Jan 2026 06:38:22 -0600
+Subject: [PATCH] gh-143935: Email preserve parens when folding comments
+ (GH-143936)
+
+Fix a bug in the folding of comments when flattening an email message
+using a modern email policy. Comments consisting of a very long sequence of
+non-foldable characters could trigger a forced line wrap that omitted the
+required leading space on the continuation line, causing the remainder of
+the comment to be interpreted as a new header field. This enabled header
+injection with carefully crafted inputs.
+(cherry picked from commit 17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Denis Ledoux <dle@odoo.com>
+---
+ Lib/email/_header_value_parser.py                                        |   15 ++++++
+ Lib/test/test_email/test__header_value_parser.py                         |   23 ++++++++++
+ Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst |    6 ++
+ 3 files changed, 43 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
+
+Index: Python-3.13.11/Lib/email/_header_value_parser.py
+===================================================================
+--- Python-3.13.11.orig/Lib/email/_header_value_parser.py	2025-12-05 17:06:33.000000000 +0100
+++ Python-3.13.11/Lib/email/_header_value_parser.py	2026-01-29 19:25:21.986346350 +0100
+@@ -101,6 +101,12 @@
+     return str(value).replace('\\', '\\\\').replace('"', '\\"')
+ 
+ 
+def make_parenthesis_pairs(value):
+    """Escape parenthesis and backslash for use within a comment."""
+    return str(value).replace('\\', '\\\\') \
+        .replace('(', '\\(').replace(')', '\\)')
+
+
+ def quote_string(value):
+     escaped = make_quoted_pairs(value)
+     return f'"{escaped}"'
+@@ -933,7 +939,7 @@
+         return ' '
+ 
+     def startswith_fws(self):
+-        return True
+        return self and self[0] in WSP
+ 
+ 
+ class ValueTerminal(Terminal):
+@@ -2924,6 +2930,13 @@
+                     [ValueTerminal(make_quoted_pairs(p), 'ptext')
+                      for p in newparts] +
+                     [ValueTerminal('"', 'ptext')])
+            if part.token_type == 'comment':
+                newparts = (
+                    [ValueTerminal('(', 'ptext')] +
+                    [ValueTerminal(make_parenthesis_pairs(p), 'ptext')
+                     if p.token_type == 'ptext' else p
+                     for p in newparts] +
+                    [ValueTerminal(')', 'ptext')])
+             if not part.as_ew_allowed:
+                 wrap_as_ew_blocked += 1
+                 newparts.append(end_ew_not_allowed)
+Index: Python-3.13.11/Lib/test/test_email/test__header_value_parser.py
+===================================================================
+--- Python-3.13.11.orig/Lib/test/test_email/test__header_value_parser.py	2025-12-05 17:06:33.000000000 +0100
+++ Python-3.13.11/Lib/test/test_email/test__header_value_parser.py	2026-01-29 19:25:21.986906275 +0100
+@@ -3219,6 +3219,29 @@
+             with self.subTest(to=to):
+                 self._test(parser.get_address_list(to)[0], folded, policy=policy)
+ 
+    def test_address_list_with_long_unwrapable_comment(self):
+        policy = self.policy.clone(max_line_length=40)
+        cases = [
+            # (to, folded)
+            ('(loremipsumdolorsitametconsecteturadipi)<spy@example.org>',
+             '(loremipsumdolorsitametconsecteturadipi)<spy@example.org>\n'),
+            ('<spy@example.org>(loremipsumdolorsitametconsecteturadipi)',
+             '<spy@example.org>(loremipsumdolorsitametconsecteturadipi)\n'),
+            ('(loremipsum dolorsitametconsecteturadipi)<spy@example.org>',
+             '(loremipsum dolorsitametconsecteturadipi)<spy@example.org>\n'),
+             ('<spy@example.org>(loremipsum dolorsitametconsecteturadipi)',
+             '<spy@example.org>(loremipsum\n dolorsitametconsecteturadipi)\n'),
+            ('(Escaped \\( \\) chars \\\\ in comments stay escaped)<spy@example.org>',
+             '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)<spy@example.org>\n'),
+            ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))<spy@example.org>',
+             '((loremipsum)(loremipsum)(loremipsum)(loremipsum))<spy@example.org>\n'),
+            ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))<spy@example.org>',
+             '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))<spy@example.org>\n'),
+        ]
+        for (to, folded) in cases:
+            with self.subTest(to=to):
+                self._test(parser.get_address_list(to)[0], folded, policy=policy)
+
+     # XXX Need tests with comments on various sides of a unicode token,
+     # and with unicode tokens in the comments.  Spaces inside the quotes
+     # currently don't do the right thing.
+Index: Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst	2026-01-29 19:25:21.987305397 +0100
+@@ -0,0 +1,6 @@
+Fixed a bug in the folding of comments when flattening an email message
+using a modern email policy. Comments consisting of a very long sequence of
+non-foldable characters could trigger a forced line wrap that omitted the
+required leading space on the continuation line, causing the remainder of
+the comment to be interpreted as a new header field. This enabled header
+injection with carefully crafted inputs.
--- a/python313.changes
+++ b/python313.changes
@@ -4,6 +4,9 @@ Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
 - Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is
  a follow-up to the previous fix of CVE-2024-6923 further
  encoding EOL possibly hidden in email headers (bsc#1257181).
+- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving
+  parens when folding comments in email headers (bsc#1257029,
+  CVE-2025-11468).

 -------------------------------------------------------------------
 Thu Dec 11 21:36:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
--- a/python313.spec
+++ b/python313.spec
@@ -242,6 +242,9 @@ Patch48:        pass-test_write_read_limited_history.patch
 # Encode newlines in headers when using ByteGenerator
 # patch from gh#python/cpython#144125
 Patch49:        CVE-2024-6923-follow-up-EOL-email-headers.patch
+# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com
+# Email preserve parens when folding comments
+Patch50:        CVE-2025-11468-email-hdr-fold-comment.patch
 #### END OF PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake