diff --git a/CVE-2025-15366-imap-ctrl-chars.patch b/CVE-2025-15366-imap-ctrl-chars.patch new file mode 100644 index 0000000..394c4ef --- /dev/null +++ b/CVE-2025-15366-imap-ctrl-chars.patch @@ -0,0 +1,56 @@ +From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Fri, 16 Jan 2026 10:54:09 -0600 +Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters + +--- + Lib/imaplib.py | 4 +++- + Lib/test/test_imaplib.py | 6 ++++++ + Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +Index: Python-3.15.0a3/Lib/imaplib.py +=================================================================== +--- Python-3.15.0a3.orig/Lib/imaplib.py 2026-02-04 10:33:17.226345322 +0100 ++++ Python-3.15.0a3/Lib/imaplib.py 2026-02-04 10:33:45.757970971 +0100 +@@ -129,7 +129,7 @@ + # We compile these in _mode_xxx. + _Literal = br'.*{(?P\d+)}$' + _Untagged_status = br'\* (?P\d+) (?P[A-Z-]+)( (?P.*))?' +- ++_control_chars = re.compile(b'[\x00-\x1F\x7F]') + + + class IMAP4: +@@ -1105,6 +1105,8 @@ + if arg is None: continue + if isinstance(arg, str): + arg = bytes(arg, self._encoding) ++ if _control_chars.search(arg): ++ raise ValueError("Control characters not allowed in commands") + data = data + b' ' + arg + + literal = self.literal +Index: Python-3.15.0a3/Lib/test/test_imaplib.py +=================================================================== +--- Python-3.15.0a3.orig/Lib/test/test_imaplib.py 2026-02-04 10:33:18.559328359 +0100 ++++ Python-3.15.0a3/Lib/test/test_imaplib.py 2026-02-04 10:33:45.758227151 +0100 +@@ -657,6 +657,12 @@ + self.assertEqual(data[0], b'Returned to authenticated state. (Success)') + self.assertEqual(client.state, 'AUTH') + ++ def test_control_characters(self): ++ client, _ = self._setup(SimpleIMAPHandler) ++ for c0 in support.control_characters_c0(): ++ with self.assertRaises(ValueError): ++ client.login(f'user{c0}', 'pass') ++ + # property tests + + def test_file_property_should_not_be_accessed(self): +Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst 2026-02-04 10:33:45.758408531 +0100 +@@ -0,0 +1 @@ ++Reject control characters in IMAP commands. diff --git a/python315.changes b/python315.changes index aff5900..62053e0 100644 --- a/python315.changes +++ b/python315.changes @@ -9,6 +9,9 @@ Wed Feb 4 00:53:37 UTC 2026 - Matej Cepl (CVE-2026-0865) rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. +- Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044 + (CVE-2025-15366) using gh#python/cpython!143922 and doing + basically the same as the previous patch for IMAP protocol. ------------------------------------------------------------------- Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl diff --git a/python315.spec b/python315.spec index 39aeaa2..7b1a9ed 100644 --- a/python315.spec +++ b/python315.spec @@ -244,6 +244,9 @@ Patch47: CVE-2025-12781-b64decode-alt-chars.patch # PATCH-FIX-UPSTREAM CVE-2026-0865-wsgiref-hdrs-EOLs.patch bsc#1257042 mcepl@suse.com # Reject control characters in wsgiref.headers.Headers Patch48: CVE-2026-0865-wsgiref-hdrs-EOLs.patch +# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com +# Reject control characters in wsgiref.headers.Headers +Patch49: CVE-2025-15366-imap-ctrl-chars.patch #### Python 3.15 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake