diff --git a/CVE-2025-11468-email-hdr-fold-comment.patch b/CVE-2025-11468-email-hdr-fold-comment.patch new file mode 100644 index 0000000..dc05af3 --- /dev/null +++ b/CVE-2025-11468-email-hdr-fold-comment.patch @@ -0,0 +1,97 @@ +From 0b64fd5f8854703eb47ed89a3b0d472a13d0d651 Mon Sep 17 00:00:00 2001 +From: Denis Ledoux +Date: Thu, 6 Nov 2025 17:42:34 +0100 +Subject: [PATCH 1/5] email: correctly indent with a least one space folded + comments + +--- + Lib/email/_header_value_parser.py | 15 ++++++ + Lib/test/test_email/test__header_value_parser.py | 23 ++++++++++ + Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst | 6 ++ + 3 files changed, 43 insertions(+), 1 deletion(-) + +Index: Python-3.15.0a3/Lib/email/_header_value_parser.py +=================================================================== +--- Python-3.15.0a3.orig/Lib/email/_header_value_parser.py 2026-01-29 13:44:51.429261309 +0100 ++++ Python-3.15.0a3/Lib/email/_header_value_parser.py 2026-01-29 13:45:04.109091639 +0100 +@@ -101,6 +101,12 @@ + return str(value).replace('\\', '\\\\').replace('"', '\\"') + + ++def make_parenthesis_pairs(value): ++ """Escape parenthesis and backslash for use within a comment.""" ++ return str(value).replace('\\', '\\\\') \ ++ .replace('(', '\\(').replace(')', '\\)') ++ ++ + def quote_string(value): + escaped = make_quoted_pairs(value) + return f'"{escaped}"' +@@ -943,7 +949,7 @@ + return ' ' + + def startswith_fws(self): +- return True ++ return self and self[0] in WSP + + + class ValueTerminal(Terminal): +@@ -2963,6 +2969,13 @@ + [ValueTerminal(make_quoted_pairs(p), 'ptext') + for p in newparts] + + [ValueTerminal('"', 'ptext')]) ++ if part.token_type == 'comment': ++ newparts = ( ++ [ValueTerminal('(', 'ptext')] + ++ [ValueTerminal(make_parenthesis_pairs(p), 'ptext') ++ if p.token_type == 'ptext' else p ++ for p in newparts] + ++ [ValueTerminal(')', 'ptext')]) + if not part.as_ew_allowed: + wrap_as_ew_blocked += 1 + newparts.append(end_ew_not_allowed) +Index: Python-3.15.0a3/Lib/test/test_email/test__header_value_parser.py +=================================================================== +--- Python-3.15.0a3.orig/Lib/test/test_email/test__header_value_parser.py 2026-01-29 13:44:53.065308861 +0100 ++++ Python-3.15.0a3/Lib/test/test_email/test__header_value_parser.py 2026-01-29 13:45:04.109478618 +0100 +@@ -3294,6 +3294,29 @@ + with self.subTest(to=to): + self._test(parser.get_address_list(to)[0], folded, policy=policy) + ++ def test_address_list_with_long_unwrapable_comment(self): ++ policy = self.policy.clone(max_line_length=40) ++ cases = [ ++ # (to, folded) ++ ('(loremipsumdolorsitametconsecteturadipi)', ++ '(loremipsumdolorsitametconsecteturadipi)\n'), ++ ('(loremipsumdolorsitametconsecteturadipi)', ++ '(loremipsumdolorsitametconsecteturadipi)\n'), ++ ('(loremipsum dolorsitametconsecteturadipi)', ++ '(loremipsum dolorsitametconsecteturadipi)\n'), ++ ('(loremipsum dolorsitametconsecteturadipi)', ++ '(loremipsum\n dolorsitametconsecteturadipi)\n'), ++ ('(Escaped \\( \\) chars \\\\ in comments stay escaped)', ++ '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)\n'), ++ ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))', ++ '((loremipsum)(loremipsum)(loremipsum)(loremipsum))\n'), ++ ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))', ++ '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))\n'), ++ ] ++ for (to, folded) in cases: ++ with self.subTest(to=to): ++ self._test(parser.get_address_list(to)[0], folded, policy=policy) ++ + # XXX Need tests with comments on various sides of a unicode token, + # and with unicode tokens in the comments. Spaces inside the quotes + # currently don't do the right thing. +Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst 2026-01-29 13:45:04.109846601 +0100 +@@ -0,0 +1,6 @@ ++Fixed a bug in the folding of comments when flattening an email message ++using a modern email policy. Comments consisting of a very long sequence of ++non-foldable characters could trigger a forced line wrap that omitted the ++required leading space on the continuation line, causing the remainder of ++the comment to be interpreted as a new header field. This enabled header ++injection with carefully crafted inputs. diff --git a/python315.changes b/python315.changes index 0b43989..68e9971 100644 --- a/python315.changes +++ b/python315.changes @@ -4,6 +4,9 @@ Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl - Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is a follow-up to the previous fix of CVE-2024-6923 further encoding EOL possibly hidden in email headers (bsc#1257181). +- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving + parens when folding comments in email headers (bsc#1257029, + CVE-2025-11468). ------------------------------------------------------------------- Wed Jan 21 18:02:37 UTC 2026 - Matej Cepl diff --git a/python315.spec b/python315.spec index 5e909a3..044a36f 100644 --- a/python315.spec +++ b/python315.spec @@ -232,6 +232,9 @@ Patch43: longer-time-test_thread_time.patch # Encode newlines in headers when using ByteGenerator # patch from gh#python/cpython#144125 Patch44: CVE-2024-6923-follow-up-EOL-email-headers.patch +# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com +# Email preserve parens when folding comments +Patch45: CVE-2025-11468-email-hdr-fold-comment.patch #### Python 3.15 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake