Fix six CVEs

CVE-2025-11468: preserving parens when folding comments in email headers (bsc#1257029, gh#python/cpython#143935). CVE-2025-11468-email-hdr-fold-comment.patch CVE-2026-0672: rejects control characters in http cookies. (bsc#1257031, gh#python/cpython#143919) CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. (bsc#1257042, gh#python/cpython#143916) CVE-2026-0865-wsgiref-ctrl-chars.patch CVE-2025-15366: basically the same as the previous patch for IMAP protocol. (bsc#1257044, gh#python/cpython#143921) CVE-2025-15366-imap-ctrl-chars.patch CVE-2025-15282: basically the same as the previous patch for urllib library. (bsc#1257046, gh#python/cpython#143925) CVE-2025-15282-urllib-ctrl-chars.patch CVE-2025-15367: basically the same as the previous patch for poplib library. (bsc#1257041, gh#python/cpython#143923) CVE-2025-15367-poplib-ctrl-chars.patch
2026-02-12 01:12:49 +01:00
parent e900ddc04a
commit 112c8241c9
8 changed files with 614 additions and 0 deletions
--- a/python39.spec
+++ b/python39.spec
@@ -203,6 +203,25 @@ Patch54:        CVE-2025-12084-minidom-quad-search.patch
 # PATCH-FIX-UPSTREAM CVE-2025-13837-plistlib-mailicious-length.patch bsc#1254401 mcepl@suse.com
 # protect against OOM when loading malicious content
 Patch55:        CVE-2025-13837-plistlib-mailicious-length.patch 
+# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com
+# this patch makes things totally awesome
+Patch56:        CVE-2025-11468-email-hdr-fold-comment.patch
+# PATCH-FIX-UPSTREAM CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch bsc#1257031 mcepl@suse.com
+# rejects control characters in http cookies.
+Patch57:        CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
+# PATCH-FIX-UPSTREAM CVE-2026-0865-wsgiref-ctrl-chars.patch bsc#1257042 mcepl@suse.com
+# Reject control characters in wsgiref.headers.Headers
+Patch58:        CVE-2026-0865-wsgiref-ctrl-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
+# Reject control characters in wsgiref.headers.Headers
+Patch59:        CVE-2025-15366-imap-ctrl-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15282-urllib-ctrl-chars.patch bsc#1257046 mcepl@suse.com
+# Reject control characters in urllib
+Patch60:        CVE-2025-15282-urllib-ctrl-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com
+# Reject control characters in poplib
+Patch61:        CVE-2025-15367-poplib-ctrl-chars.patch
+### END OF PATCHES                                                              
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -479,6 +498,13 @@ other applications.
 %patch -p1 -P 54
 %patch -p1 -P 55

+%patch -p1 -P 56
+%patch -p1 -P 57
+%patch -p1 -P 58
+%patch -p1 -P 59
+%patch -p1 -P 60
+%patch -p1 -P 61
+
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac