diff --git a/CVE-2024-6923-follow-up-EOL-email-headers.patch b/CVE-2024-6923-follow-up-EOL-email-headers.patch new file mode 100644 index 0000000..0491c18 --- /dev/null +++ b/CVE-2024-6923-follow-up-EOL-email-headers.patch @@ -0,0 +1,104 @@ +From 5a8bfd878f086e28f0849bbc3970ad92f6ba37dc Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Fri, 23 Jan 2026 08:59:35 -0600 +Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator + (cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413) + +Co-authored-by: Seth Michael Larson +Co-authored-by: Denis Ledoux +Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com> +Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com> +Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com> +--- + Lib/email/generator.py | 12 +++++++++- + Lib/test/test_email/test_generator.py | 4 ++- + Lib/test/test_email/test_policy.py | 6 ++++- + Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 +++ + 4 files changed, 23 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst + +Index: Python-3.14.2/Lib/email/generator.py +=================================================================== +--- Python-3.14.2.orig/Lib/email/generator.py 2026-01-28 22:15:51.075267925 +0100 ++++ Python-3.14.2/Lib/email/generator.py 2026-01-28 22:15:56.251194626 +0100 +@@ -22,6 +22,7 @@ + NLCRE = re.compile(r'\r\n|\r|\n') + fcre = re.compile(r'^From ', re.MULTILINE) + NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') ++NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') + + + class Generator: +@@ -429,7 +430,16 @@ + # This is almost the same as the string version, except for handling + # strings with 8bit bytes. + for h, v in msg.raw_items(): +- self._fp.write(self.policy.fold_binary(h, v)) ++ folded = self.policy.fold_binary(h, v) ++ if self.policy.verify_generated_headers: ++ linesep = self.policy.linesep.encode() ++ if not folded.endswith(linesep): ++ raise HeaderWriteError( ++ f'folded header does not end with {linesep!r}: {folded!r}') ++ if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)): ++ raise HeaderWriteError( ++ f'folded header contains newline: {folded!r}') ++ self._fp.write(folded) + # A blank line always separates headers from body + self.write(self._NL) + +Index: Python-3.14.2/Lib/test/test_email/test_generator.py +=================================================================== +--- Python-3.14.2.orig/Lib/test/test_email/test_generator.py 2026-01-28 22:15:52.693627763 +0100 ++++ Python-3.14.2/Lib/test/test_email/test_generator.py 2026-01-28 22:15:56.251344799 +0100 +@@ -313,7 +313,7 @@ + self.assertEqual(s.getvalue(), self.typ(expected)) + + def test_verify_generated_headers(self): +- """gh-121650: by default the generator prevents header injection""" ++ # gh-121650: by default the generator prevents header injection + class LiteralHeader(str): + name = 'Header' + def fold(self, **kwargs): +@@ -334,6 +334,8 @@ + + with self.assertRaises(email.errors.HeaderWriteError): + message.as_string() ++ with self.assertRaises(email.errors.HeaderWriteError): ++ message.as_bytes() + + + class TestBytesGenerator(TestGeneratorBase, TestEmailBase): +Index: Python-3.14.2/Lib/test/test_email/test_policy.py +=================================================================== +--- Python-3.14.2.orig/Lib/test/test_email/test_policy.py 2026-01-28 22:15:52.703671956 +0100 ++++ Python-3.14.2/Lib/test/test_email/test_policy.py 2026-01-28 22:15:56.251499922 +0100 +@@ -296,7 +296,7 @@ + policy.fold("Subject", subject) + + def test_verify_generated_headers(self): +- """Turning protection off allows header injection""" ++ # Turning protection off allows header injection + policy = email.policy.default.clone(verify_generated_headers=False) + for text in ( + 'Header: Value\r\nBad: Injection\r\n', +@@ -319,6 +319,10 @@ + message.as_string(), + f"{text}\nBody", + ) ++ self.assertEqual( ++ message.as_bytes(), ++ f"{text}\nBody".encode(), ++ ) + + # XXX: Need subclassing tests. + # For adding subclassed objects, make sure the usual rules apply (subclass +Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 2026-01-28 22:15:56.251667056 +0100 +@@ -0,0 +1,4 @@ ++:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers ++that are unsafely folded or delimited; see ++:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas ++Bloemsaat and Petr Viktorin in :gh:`121650`). diff --git a/python314.changes b/python314.changes index 71bbd59..9059a6a 100644 --- a/python314.changes +++ b/python314.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Jan 29 12:58:15 UTC 2026 - Matej Cepl + +- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is + a follow-up to the previous fix of CVE-2024-6923 further + encoding EOL possibly hidden in email headers (bsc#1257181). + ------------------------------------------------------------------- Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl diff --git a/python314.spec b/python314.spec index 59f8074..fa83ece 100644 --- a/python314.spec +++ b/python314.spec @@ -224,6 +224,10 @@ Patch41: bsc1243155-sphinx-non-determinism.patch Patch44: gh138131-exclude-pycache-from-digest.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch45: gh139257-Support-docutils-0.22.patch +# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 mcepl@suse.com +# Encode newlines in headers when using ByteGenerator +# patch from gh#python/cpython#144125 +Patch46: CVE-2024-6923-follow-up-EOL-email-headers.patch #### Python 3.14 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake