From 3312e86ee4a2708afdaa23ebdcf981dbd3c3306d7f68bb406a9e3f321c0a4fa6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Wed, 4 Feb 2026 20:54:27 +0100
Subject: [PATCH] Fix bsc#1257041 (CVE-2025-15367)

Add CVE-2025-15367-poplib-ctrl-chars.patch fixing bsc#1257041
(CVE-2025-15367) using gh#python/cpython!143924 and doing basically the
same as the previous patch for poplib library.
---
 .gitignore                             |  1 +
 CVE-2025-15367-poplib-ctrl-chars.patch | 56 ++++++++++++++++++++++++++
 python315.changes                      |  3 ++
 python315.spec                         |  3 ++
 4 files changed, 63 insertions(+)
 create mode 100644 CVE-2025-15367-poplib-ctrl-chars.patch

diff --git a/.gitignore b/.gitignore
index 003548d..b1cb106 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 *.obscpio
+*.orig
 *.osc
 _build.*
 .pbuild
diff --git a/CVE-2025-15367-poplib-ctrl-chars.patch b/CVE-2025-15367-poplib-ctrl-chars.patch
new file mode 100644
index 0000000..f96a86b
--- /dev/null
+++ b/CVE-2025-15367-poplib-ctrl-chars.patch
@@ -0,0 +1,56 @@
+From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 16 Jan 2026 10:54:09 -0600
+Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
+
+---
+ Lib/poplib.py                                                            |    2 ++
+ Lib/test/test_poplib.py                                                  |    8 ++++++++
+ Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst |    1 +
+ 3 files changed, 11 insertions(+)
+
+Index: Python-3.15.0a3/Lib/poplib.py
+===================================================================
+--- Python-3.15.0a3.orig/Lib/poplib.py	2026-02-04 20:53:38.757990472 +0100
++++ Python-3.15.0a3/Lib/poplib.py	2026-02-04 20:53:46.764343586 +0100
+@@ -122,6 +122,8 @@
+     def _putcmd(self, line):
+         if self._debugging: print('*cmd*', repr(line))
+         line = bytes(line, self.encoding)
++        if re.search(b'[\x00-\x1F\x7F]', line):
++            raise ValueError('Control characters not allowed in commands')
+         self._putline(line)
+ 
+ 
+Index: Python-3.15.0a3/Lib/test/test_poplib.py
+===================================================================
+--- Python-3.15.0a3.orig/Lib/test/test_poplib.py	2026-02-04 20:53:40.553673802 +0100
++++ Python-3.15.0a3/Lib/test/test_poplib.py	2026-02-04 20:53:46.764523568 +0100
+@@ -17,6 +17,7 @@
+ from test.support import threading_helper
+ from test.support import asynchat
+ from test.support import asyncore
++from test.support import control_characters_c0
+ 
+ 
+ test_support.requires_working_socket(module=True)
+@@ -395,6 +396,13 @@
+         self.assertIsNone(self.client.sock)
+         self.assertIsNone(self.client.file)
+ 
++    def test_control_characters(self):
++        for c0 in control_characters_c0():
++            with self.assertRaises(ValueError):
++                self.client.user(f'user{c0}')
++            with self.assertRaises(ValueError):
++                self.client.pass_(f'{c0}pass')
++
+     @requires_ssl
+     def test_stls_capa(self):
+         capa = self.client.capa()
+Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst	2026-02-04 20:53:46.764674776 +0100
+@@ -0,0 +1 @@
++Reject control characters in POP3 commands.
diff --git a/python315.changes b/python315.changes
index b2aab0c..445897f 100644
--- a/python315.changes
+++ b/python315.changes
@@ -15,6 +15,9 @@ Wed Feb  4 00:53:37 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
 - Add CVE-2025-15282-urllib-ctrl-chars.patch fixing bsc#1257046
   (CVE-2025-15282) using gh#python/cpython!143926 and doing
   basically the same as the previous patch for urllib library.
+- Add CVE-2025-15367-poplib-ctrl-chars.patch fixing bsc#1257041
+  (CVE-2025-15367) using gh#python/cpython!143924 and doing
+  basically the same as the previous patch for poplib library.
 
 -------------------------------------------------------------------
 Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
diff --git a/python315.spec b/python315.spec
index ddc53a2..218184c 100644
--- a/python315.spec
+++ b/python315.spec
@@ -250,6 +250,9 @@ Patch49:        CVE-2025-15366-imap-ctrl-chars.patch
 # PATCH-FIX-UPSTREAM CVE-2025-15282-urllib-ctrl-chars.patch bsc#1257046 mcepl@suse.com
 # Reject control characters in wsgiref.headers.Headers
 Patch50:        CVE-2025-15282-urllib-ctrl-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com
+# Reject control characters in poplib
+Patch51:        CVE-2025-15367-poplib-ctrl-chars.patch
 #### Python 3.15 DEVELOPMENT PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake