Fix patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=133
2023-07-12 16:31:40 +00:00 · 2023-07-12 16:31:40 +00:00 · ab9641870b
commit ab9641870b
parent ad4c4c8221
1 changed files with 23 additions and 15 deletions
--- a/CVE-2023-27043-email-parsing-errors.patch
+++ b/CVE-2023-27043-email-parsing-errors.patch
@ -1,12 +1,14 @@
 ---
 Doc/library/email.utils.rst                                              |   26 +++
- Lib/email/utils.py                                                       |   63 +++++++
+ Lib/email/utils.py                                                       |   62 ++++++-
 Lib/test/test_email/test_email.py                                        |   81 +++++++++-
 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst |    4 
- 4 files changed, 164 insertions(+), 10 deletions(-)
+ 4 files changed, 163 insertions(+), 10 deletions(-)
--- a/Doc/library/email.utils.rst
+Index: Python-3.8.17/Doc/library/email.utils.rst
-+++ b/Doc/library/email.utils.rst
+===================================================================
 --- Python-3.8.17.orig/Doc/library/email.utils.rst
 +++ Python-3.8.17/Doc/library/email.utils.rst
@@ -67,6 +67,11 @@ of the new API.
    *email address* parts.  Returns a tuple of that information, unless the parse
    fails, in which case a 2-tuple of ``('', '')`` is returned.
@ -54,12 +56,14 @@
 .. function:: parsedate(date)
--- a/Lib/email/utils.py
+Index: Python-3.8.17/Lib/email/utils.py
-+++ b/Lib/email/utils.py
+===================================================================
-@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'):
+--- Python-3.8.17.orig/Lib/email/utils.py
 +++ Python-3.8.17/Lib/email/utils.py
@@ -105,13 +105,54 @@ def formataddr(pair, charset='utf-8'):
             return '%s%s%s <%s>' % (quotes, name, quotes, address)
     return address
 +def _pre_parse_validation(email_header_fields):
 +    accepted_values = []
 +    for v in email_header_fields:
@ -81,11 +85,11 @@
 +        accepted_values.append(v)
 +
 +    return accepted_values
-+
+ 
 def getaddresses(fieldvalues):
 -    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
-    all = COMMASPACE.join(str(v) for v in fieldvalues)
+-    all = COMMASPACE.join(fieldvalues)
 +    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
 +
 +    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
@ -114,7 +118,7 @@
 def _format_timetuple_and_zone(timetuple, zone):
-@@ -209,9 +251,18 @@ def parseaddr(addr):
+@@ -209,9 +250,18 @@ def parseaddr(addr):
     Return a tuple of realname and email address, unless the parse fails, in
     which case return a 2-tuple of ('', '').
     """
@ -136,9 +140,11 @@
     return addrs[0]
--- a/Lib/test/test_email/test_email.py
+Index: Python-3.8.17/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
+===================================================================
-@@ -3263,15 +3263,90 @@ Foo
+--- Python-3.8.17.orig/Lib/test/test_email/test_email.py
 +++ Python-3.8.17/Lib/test/test_email/test_email.py
@@ -3248,15 +3248,90 @@ Foo
            [('Al Person', 'aperson@dom.ain'),
             ('Bud Person', 'bperson@dom.ain')])
@ -232,8 +238,10 @@
     def test_getaddresses_embedded_comment(self):
         """Test proper handling of a nested comment"""
 Index: Python-3.8.17/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
 ===================================================================
 --- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+++ Python-3.8.17/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -0,0 +1,4 @@
 +CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
 +and :func:`email.utils.getaddresses` from returning the realname portion of an