From 3a0658eda43cd8c3eeac0838a1b2980fc4402a050f83f8c3a59b63bcc8e5a7f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Thu, 29 Jan 2026 13:46:47 +0100
Subject: [PATCH] Add CVE-2025-11468-email-hdr-fold-comment.patch

Preserving parens when folding comments in email headers (bsc#1257029,
CVE-2025-11468).
---
 CVE-2025-11468-email-hdr-fold-comment.patch | 109 ++++++++++++++++++++
 python314.changes                           |   3 +
 python314.spec                              |   5 +-
 3 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-11468-email-hdr-fold-comment.patch

diff --git a/CVE-2025-11468-email-hdr-fold-comment.patch b/CVE-2025-11468-email-hdr-fold-comment.patch
new file mode 100644
index 0000000..e9b79e3
--- /dev/null
+++ b/CVE-2025-11468-email-hdr-fold-comment.patch
@@ -0,0 +1,109 @@
+From df45bd1aafc3b6792d43661207d2b7eb3a14d214 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Mon, 19 Jan 2026 06:38:22 -0600
+Subject: [PATCH] gh-143935: Email preserve parens when folding comments
+ (GH-143936)
+
+Fix a bug in the folding of comments when flattening an email message
+using a modern email policy. Comments consisting of a very long sequence of
+non-foldable characters could trigger a forced line wrap that omitted the
+required leading space on the continuation line, causing the remainder of
+the comment to be interpreted as a new header field. This enabled header
+injection with carefully crafted inputs.
+(cherry picked from commit 17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Denis Ledoux <dle@odoo.com>
+---
+ Lib/email/_header_value_parser.py             | 15 +++++++++++-
+ .../test_email/test__header_value_parser.py   | 23 +++++++++++++++++++
+ ...-01-16-14-40-31.gh-issue-143935.U2YtKl.rst |  6 +++++
+ 3 files changed, 43 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
+
+diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
+index 68c2cf9585c5b4..51727688c059ed 100644
+--- a/Lib/email/_header_value_parser.py
++++ b/Lib/email/_header_value_parser.py
+@@ -101,6 +101,12 @@ def make_quoted_pairs(value):
+     return str(value).replace('\\', '\\\\').replace('"', '\\"')
+ 
+ 
++def make_parenthesis_pairs(value):
++    """Escape parenthesis and backslash for use within a comment."""
++    return str(value).replace('\\', '\\\\') \
++        .replace('(', '\\(').replace(')', '\\)')
++
++
+ def quote_string(value):
+     escaped = make_quoted_pairs(value)
+     return f'"{escaped}"'
+@@ -939,7 +945,7 @@ def value(self):
+         return ' '
+ 
+     def startswith_fws(self):
+-        return True
++        return self and self[0] in WSP
+ 
+ 
+ class ValueTerminal(Terminal):
+@@ -2959,6 +2965,13 @@ def _refold_parse_tree(parse_tree, *, policy):
+                     [ValueTerminal(make_quoted_pairs(p), 'ptext')
+                      for p in newparts] +
+                     [ValueTerminal('"', 'ptext')])
++            if part.token_type == 'comment':
++                newparts = (
++                    [ValueTerminal('(', 'ptext')] +
++                    [ValueTerminal(make_parenthesis_pairs(p), 'ptext')
++                     if p.token_type == 'ptext' else p
++                     for p in newparts] +
++                    [ValueTerminal(')', 'ptext')])
+             if not part.as_ew_allowed:
+                 wrap_as_ew_blocked += 1
+                 newparts.append(end_ew_not_allowed)
+diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
+index 426ec4644e3096..e28fe3892015b9 100644
+--- a/Lib/test/test_email/test__header_value_parser.py
++++ b/Lib/test/test_email/test__header_value_parser.py
+@@ -3294,6 +3294,29 @@ def test_address_list_with_specials_in_long_quoted_string(self):
+             with self.subTest(to=to):
+                 self._test(parser.get_address_list(to)[0], folded, policy=policy)
+ 
++    def test_address_list_with_long_unwrapable_comment(self):
++        policy = self.policy.clone(max_line_length=40)
++        cases = [
++            # (to, folded)
++            ('(loremipsumdolorsitametconsecteturadipi)<spy@example.org>',
++             '(loremipsumdolorsitametconsecteturadipi)<spy@example.org>\n'),
++            ('<spy@example.org>(loremipsumdolorsitametconsecteturadipi)',
++             '<spy@example.org>(loremipsumdolorsitametconsecteturadipi)\n'),
++            ('(loremipsum dolorsitametconsecteturadipi)<spy@example.org>',
++             '(loremipsum dolorsitametconsecteturadipi)<spy@example.org>\n'),
++             ('<spy@example.org>(loremipsum dolorsitametconsecteturadipi)',
++             '<spy@example.org>(loremipsum\n dolorsitametconsecteturadipi)\n'),
++            ('(Escaped \\( \\) chars \\\\ in comments stay escaped)<spy@example.org>',
++             '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)<spy@example.org>\n'),
++            ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))<spy@example.org>',
++             '((loremipsum)(loremipsum)(loremipsum)(loremipsum))<spy@example.org>\n'),
++            ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))<spy@example.org>',
++             '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))<spy@example.org>\n'),
++        ]
++        for (to, folded) in cases:
++            with self.subTest(to=to):
++                self._test(parser.get_address_list(to)[0], folded, policy=policy)
++
+     # XXX Need tests with comments on various sides of a unicode token,
+     # and with unicode tokens in the comments.  Spaces inside the quotes
+     # currently don't do the right thing.
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
+new file mode 100644
+index 00000000000000..c3d864936884ac
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
+@@ -0,0 +1,6 @@
++Fixed a bug in the folding of comments when flattening an email message
++using a modern email policy. Comments consisting of a very long sequence of
++non-foldable characters could trigger a forced line wrap that omitted the
++required leading space on the continuation line, causing the remainder of
++the comment to be interpreted as a new header field. This enabled header
++injection with carefully crafted inputs.
diff --git a/python314.changes b/python314.changes
index 9059a6a..896d0b5 100644
--- a/python314.changes
+++ b/python314.changes
@@ -4,6 +4,9 @@ Thu Jan 29 12:58:15 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
 - Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is
   a follow-up to the previous fix of CVE-2024-6923 further
   encoding EOL possibly hidden in email headers (bsc#1257181).
+- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving
+  parens when folding comments in email headers (bsc#1257029,
+  CVE-2025-11468).
 
 -------------------------------------------------------------------
 Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
diff --git a/python314.spec b/python314.spec
index fa83ece..86f52fc 100644
--- a/python314.spec
+++ b/python314.spec
@@ -228,7 +228,10 @@ Patch45:        gh139257-Support-docutils-0.22.patch
 # Encode newlines in headers when using ByteGenerator
 # patch from gh#python/cpython#144125
 Patch46:        CVE-2024-6923-follow-up-EOL-email-headers.patch
-#### Python 3.14 DEVELOPMENT PATCHES
+# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com
+# Email preserve parens when folding comments
+Patch47:        CVE-2025-11468-email-hdr-fold-comment.patch
+#### Python 3.14 END OF PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes