diff --git a/CVE-2025-15366-imap-ctrl-chars.patch b/CVE-2025-15366-imap-ctrl-chars.patch new file mode 100644 index 0000000..3ca5e70 --- /dev/null +++ b/CVE-2025-15366-imap-ctrl-chars.patch @@ -0,0 +1,56 @@ +From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Fri, 16 Jan 2026 10:54:09 -0600 +Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters + +--- + Lib/imaplib.py | 4 +++- + Lib/test/test_imaplib.py | 6 ++++++ + Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +Index: Python-3.14.3/Lib/imaplib.py +=================================================================== +--- Python-3.14.3.orig/Lib/imaplib.py 2026-02-05 18:55:16.834011332 +0100 ++++ Python-3.14.3/Lib/imaplib.py 2026-02-05 18:55:22.293721093 +0100 +@@ -131,7 +131,7 @@ + # We compile these in _mode_xxx. + _Literal = br'.*{(?P\d+)}$' + _Untagged_status = br'\* (?P\d+) (?P[A-Z-]+)( (?P.*))?' +- ++_control_chars = re.compile(b'[\x00-\x1F\x7F]') + + + class IMAP4: +@@ -1108,6 +1108,8 @@ + if arg is None: continue + if isinstance(arg, str): + arg = bytes(arg, self._encoding) ++ if _control_chars.search(arg): ++ raise ValueError("Control characters not allowed in commands") + data = data + b' ' + arg + + literal = self.literal +Index: Python-3.14.3/Lib/test/test_imaplib.py +=================================================================== +--- Python-3.14.3.orig/Lib/test/test_imaplib.py 2026-02-05 18:55:18.192739303 +0100 ++++ Python-3.14.3/Lib/test/test_imaplib.py 2026-02-05 18:55:22.294159668 +0100 +@@ -663,6 +663,12 @@ + self.assertEqual(data[0], b'Returned to authenticated state. (Success)') + self.assertEqual(client.state, 'AUTH') + ++ def test_control_characters(self): ++ client, _ = self._setup(SimpleIMAPHandler) ++ for c0 in support.control_characters_c0(): ++ with self.assertRaises(ValueError): ++ client.login(f'user{c0}', 'pass') ++ + # property tests + + def test_file_property_should_not_be_accessed(self): +Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst 2026-02-05 18:55:22.294528513 +0100 +@@ -0,0 +1 @@ ++Reject control characters in IMAP commands. diff --git a/python314.changes b/python314.changes index 8d12328..bb31142 100644 --- a/python314.changes +++ b/python314.changes @@ -5,6 +5,9 @@ Thu Feb 5 17:26:23 UTC 2026 - Matej Cepl (CVE-2025-12781) combining gh#python/cpython!141061, gh#python/cpython!141128, and gh#python/cpython!141153. All `*b64decode` functions should not accept non-altchars. +- Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044 + (CVE-2025-15366) using gh#python/cpython!143922 and doing + basically the same as the previous patch for IMAP protocol. ------------------------------------------------------------------- Thu Feb 5 12:57:09 UTC 2026 - Matej Cepl diff --git a/python314.spec b/python314.spec index c49b411..548ccfb 100644 --- a/python314.spec +++ b/python314.spec @@ -225,6 +225,9 @@ Patch45: gh139257-Support-docutils-0.22.patch # PATCH-FIX-UPSTREAM CVE-2025-12781-b64decode-alt-chars.patch bsc#1257108 mcepl@suse.com # Fix decoding with non-standard Base64 alphabet gh#python/cpython#125346 Patch46: CVE-2025-12781-b64decode-alt-chars.patch +# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com +# Reject control characters in wsgiref.headers.Headers +Patch47: CVE-2025-15366-imap-ctrl-chars.patch #### Python 3.14 END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake