Fixing bsc#1257044 (CVE-2025-15366)

Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044
(CVE-2025-15366) using gh#python/cpython!143922 and doing basically the
same as the previous patch for IMAP protocol.

CVE-2025-15366-imap-ctrl-chars.patch

@@ -0,0 +1,56 @@
+From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 16 Jan 2026 10:54:09 -0600
+Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
+
+---
+ Lib/imaplib.py                                                           |    4 +++-
+ Lib/test/test_imaplib.py                                                 |    6 ++++++
+ Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst |    1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+Index: Python-3.14.3/Lib/imaplib.py
+===================================================================
+--- Python-3.14.3.orig/Lib/imaplib.py	2026-02-05 18:55:16.834011332 +0100
++++ Python-3.14.3/Lib/imaplib.py	2026-02-05 18:55:22.293721093 +0100
+@@ -131,7 +131,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+ 
+ 
+ class IMAP4:
+@@ -1108,6 +1108,8 @@
+             if arg is None: continue
+             if isinstance(arg, str):
+                 arg = bytes(arg, self._encoding)
++            if _control_chars.search(arg):
++                raise ValueError("Control characters not allowed in commands")
+             data = data + b' ' + arg
+ 
+         literal = self.literal
+Index: Python-3.14.3/Lib/test/test_imaplib.py
+===================================================================
+--- Python-3.14.3.orig/Lib/test/test_imaplib.py	2026-02-05 18:55:18.192739303 +0100
++++ Python-3.14.3/Lib/test/test_imaplib.py	2026-02-05 18:55:22.294159668 +0100
+@@ -663,6 +663,12 @@
+         self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
+         self.assertEqual(client.state, 'AUTH')
+ 
++    def test_control_characters(self):
++        client, _ = self._setup(SimpleIMAPHandler)
++        for c0 in support.control_characters_c0():
++            with self.assertRaises(ValueError):
++                client.login(f'user{c0}', 'pass')
++
+     # property tests
+ 
+     def test_file_property_should_not_be_accessed(self):
+Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst	2026-02-05 18:55:22.294528513 +0100
+@@ -0,0 +1 @@
++Reject control characters in IMAP commands.

python314.changes

@@ -5,6 +5,9 @@ Thu Feb  5 17:26:23 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
   (CVE-2025-12781) combining gh#python/cpython!141061,
   gh#python/cpython!141128, and gh#python/cpython!141153. All
   `*b64decode` functions should not accept non-altchars.
+- Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044
+  (CVE-2025-15366) using gh#python/cpython!143922 and doing
+  basically the same as the previous patch for IMAP protocol.
 
 -------------------------------------------------------------------
 Thu Feb  5 12:57:09 UTC 2026 - Matej Cepl <mcepl@cepl.eu>

python314.spec

@@ -225,6 +225,9 @@ Patch45:        gh139257-Support-docutils-0.22.patch
 # PATCH-FIX-UPSTREAM CVE-2025-12781-b64decode-alt-chars.patch bsc#1257108 mcepl@suse.com
 # Fix decoding with non-standard Base64 alphabet gh#python/cpython#125346
 Patch46:        CVE-2025-12781-b64decode-alt-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
+# Reject control characters in wsgiref.headers.Headers
+Patch47:        CVE-2025-15366-imap-ctrl-chars.patch
 #### Python 3.14 END OF PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake