From ef26610071249818580a53c125f6e6a47f9d4031b859f69784806d09ea2fa10e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= Date: Thu, 5 Feb 2026 20:47:14 +0100 Subject: [PATCH] Fix bsc#1257044 (CVE-2025-15366) Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044 (CVE-2025-15366) using gh#python/cpython!143922 and doing basically the same as the previous patch for IMAP protocol. --- CVE-2025-15366-imap-ctrl-chars.patch | 56 ++++++++++++++++++++++++++++ python313.changes | 3 ++ python313.spec | 3 ++ 3 files changed, 62 insertions(+) create mode 100644 CVE-2025-15366-imap-ctrl-chars.patch diff --git a/CVE-2025-15366-imap-ctrl-chars.patch b/CVE-2025-15366-imap-ctrl-chars.patch new file mode 100644 index 0000000..9777fd3 --- /dev/null +++ b/CVE-2025-15366-imap-ctrl-chars.patch @@ -0,0 +1,56 @@ +From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Fri, 16 Jan 2026 10:54:09 -0600 +Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters + +--- + Lib/imaplib.py | 4 +++- + Lib/test/test_imaplib.py | 6 ++++++ + Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +Index: Python-3.13.11/Lib/imaplib.py +=================================================================== +--- Python-3.13.11.orig/Lib/imaplib.py 2025-12-05 17:06:33.000000000 +0100 ++++ Python-3.13.11/Lib/imaplib.py 2026-02-05 21:42:59.341114857 +0100 +@@ -132,7 +132,7 @@ + # We compile these in _mode_xxx. + _Literal = br'.*{(?P\d+)}$' + _Untagged_status = br'\* (?P\d+) (?P[A-Z-]+)( (?P.*))?' +- ++_control_chars = re.compile(b'[\x00-\x1F\x7F]') + + + class IMAP4: +@@ -1000,6 +1000,8 @@ + if arg is None: continue + if isinstance(arg, str): + arg = bytes(arg, self._encoding) ++ if _control_chars.search(arg): ++ raise ValueError("Control characters not allowed in commands") + data = data + b' ' + arg + + literal = self.literal +Index: Python-3.13.11/Lib/test/test_imaplib.py +=================================================================== +--- Python-3.13.11.orig/Lib/test/test_imaplib.py 2025-12-05 17:06:33.000000000 +0100 ++++ Python-3.13.11/Lib/test/test_imaplib.py 2026-02-05 21:42:59.341692695 +0100 +@@ -548,6 +548,12 @@ + self.assertEqual(data[0], b'Returned to authenticated state. (Success)') + self.assertEqual(client.state, 'AUTH') + ++ def test_control_characters(self): ++ client, _ = self._setup(SimpleIMAPHandler) ++ for c0 in support.control_characters_c0(): ++ with self.assertRaises(ValueError): ++ client.login(f'user{c0}', 'pass') ++ + + class NewIMAPTests(NewIMAPTestsMixin, unittest.TestCase): + imap_class = imaplib.IMAP4 +Index: Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst 2026-02-05 21:42:59.342115872 +0100 +@@ -0,0 +1 @@ ++Reject control characters in IMAP commands. diff --git a/python313.changes b/python313.changes index a4718b3..bf7f6a4 100644 --- a/python313.changes +++ b/python313.changes @@ -5,6 +5,9 @@ Thu Feb 5 18:57:27 UTC 2026 - Matej Cepl (CVE-2026-0865) rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. +- Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044 + (CVE-2025-15366) using gh#python/cpython!143922 and doing + basically the same as the previous patch for IMAP protocol. ------------------------------------------------------------------- Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl diff --git a/python313.spec b/python313.spec index c8c0fbe..9797ff9 100644 --- a/python313.spec +++ b/python313.spec @@ -251,6 +251,9 @@ Patch51: CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch # PATCH-FIX-UPSTREAM CVE-2026-0865-wsgiref-ctrl-chars.patch bsc#1257042 mcepl@suse.com # Reject control characters in wsgiref.headers.Headers Patch52: CVE-2026-0865-wsgiref-ctrl-chars.patch +# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com +# Reject control characters in wsgiref.headers.Headers +Patch53: CVE-2025-15366-imap-ctrl-chars.patch #### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake