From ab9641870bf622b3b02aa7c0a3cad904ee852b6a3bf7f71182e907b7b3cf1fb6 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 12 Jul 2023 16:31:40 +0000 Subject: [PATCH] Fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=133 --- CVE-2023-27043-email-parsing-errors.patch | 38 ++++++++++++++--------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/CVE-2023-27043-email-parsing-errors.patch b/CVE-2023-27043-email-parsing-errors.patch index 24e6079..072c332 100644 --- a/CVE-2023-27043-email-parsing-errors.patch +++ b/CVE-2023-27043-email-parsing-errors.patch @@ -1,12 +1,14 @@ --- Doc/library/email.utils.rst | 26 +++ - Lib/email/utils.py | 63 +++++++ + Lib/email/utils.py | 62 ++++++- Lib/test/test_email/test_email.py | 81 +++++++++- Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 - 4 files changed, 164 insertions(+), 10 deletions(-) + 4 files changed, 163 insertions(+), 10 deletions(-) ---- a/Doc/library/email.utils.rst -+++ b/Doc/library/email.utils.rst +Index: Python-3.8.17/Doc/library/email.utils.rst +=================================================================== +--- Python-3.8.17.orig/Doc/library/email.utils.rst ++++ Python-3.8.17/Doc/library/email.utils.rst @@ -67,6 +67,11 @@ of the new API. *email address* parts. Returns a tuple of that information, unless the parse fails, in which case a 2-tuple of ``('', '')`` is returned. 
@@ -54,12 +56,14 @@ .. function:: parsedate(date) ---- a/Lib/email/utils.py -+++ b/Lib/email/utils.py -@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'): +Index: Python-3.8.17/Lib/email/utils.py +=================================================================== +--- Python-3.8.17.orig/Lib/email/utils.py ++++ Python-3.8.17/Lib/email/utils.py +@@ -105,13 +105,54 @@ def formataddr(pair, charset='utf-8'): + return '%s%s%s <%s>' % (quotes, name, quotes, address) return address - +def _pre_parse_validation(email_header_fields): + accepted_values = [] + for v in email_header_fields: @@ -81,11 +85,11 @@ + accepted_values.append(v) + + return accepted_values -+ + def getaddresses(fieldvalues): - """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" -- all = COMMASPACE.join(str(v) for v in fieldvalues) +- all = COMMASPACE.join(fieldvalues) + """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. + + When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in @@ -114,7 +118,7 @@ def _format_timetuple_and_zone(timetuple, zone): -@@ -209,9 +251,18 @@ def parseaddr(addr): +@@ -209,9 +250,18 @@ def parseaddr(addr): Return a tuple of realname and email address, unless the parse fails, in which case return a 2-tuple of ('', ''). """ @@ -136,9 +140,11 @@ return addrs[0] ---- a/Lib/test/test_email/test_email.py -+++ b/Lib/test/test_email/test_email.py -@@ -3263,15 +3263,90 @@ Foo +Index: Python-3.8.17/Lib/test/test_email/test_email.py +=================================================================== +--- Python-3.8.17.orig/Lib/test/test_email/test_email.py ++++ Python-3.8.17/Lib/test/test_email/test_email.py +@@ -3248,15 +3248,90 @@ Foo [('Al Person', 'aperson@dom.ain'), ('Bud Person', 'bperson@dom.ain')]) 
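Review bot: In the hunk at `@@ -81,11 +85,11 @@`, the embedded patch's removed line is now `all = COMMASPACE.join(fieldvalues)`, which shows that this 3.8.17 baseline never applied `str()` to the header values, while the lines that replace that statement are outside the hunk. It is therefore not visible here whether the backported `getaddresses()` converts each value to `str` before `_pre_parse_validation` and the join; if it does not, a non-string header value would presumably raise instead of yielding the `('', '')` result the new docstring promises. I would confirm that by adding a case with a non-`str` field value to the `test_email.py` section of the patch, and record the rebase in the patch header, e.g. `# Refreshed for Python 3.8.17: upstream context used str(v) in getaddresses(); 3.8 does not`. The commit message "Fix patch" would also be more useful to later auditors of the CVE-2023-27043 backport if it named what was wrong with the previous revision.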
@@ -232,8 +238,10 @@ def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" +Index: Python-3.8.17/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst +=================================================================== --- /dev/null -+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst ++++ Python-3.8.17/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst @@ -0,0 +1,4 @@ +CVE-2023-27043: Prevent :func:`email.utils.parseaddr` +and :func:`email.utils.getaddresses` from returning the realname portion of an