Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python314 for openSUSE:Factory checked in at 2026-01-29 18:59:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python314 (Old) and /work/SRC/openSUSE:Factory/.python314.new.1995 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python314" Thu Jan 29 18:59:26 2026 rev:31 rq:1329832 version:3.14.2 Changes: -------- --- /work/SRC/openSUSE:Factory/python314/python314.changes 2026-01-06 17:46:26.158197102 +0100 +++ /work/SRC/openSUSE:Factory/.python314.new.1995/python314.changes 2026-01-29 18:59:28.121707869 +0100 @@ -1,0 +2,10 @@ +Thu Jan 29 12:58:15 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is + a follow-up to the previous fix of CVE-2024-6923 further + encoding EOL possibly hidden in email headers (bsc#1257181). +- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving + parens when folding comments in email headers (bsc#1257029, + CVE-2025-11468). + +------------------------------------------------------------------- @@ -4675 +4685,2 @@ - Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780) + Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780, + bsc#1257181) New: ---- CVE-2024-6923-follow-up-EOL-email-headers.patch CVE-2025-11468-email-hdr-fold-comment.patch ----------(New B)---------- New: - Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is a follow-up to the previous fix of CVE-2024-6923 further New: encoding EOL possibly hidden in email headers (bsc#1257181). - Add CVE-2025-11468-email-hdr-fold-comment.patch preserving parens when folding comments in email headers (bsc#1257029, ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python314.spec ++++++ --- /var/tmp/diff_new_pack.3H7uTo/_old 2026-01-29 18:59:29.913783732 +0100 +++ /var/tmp/diff_new_pack.3H7uTo/_new 2026-01-29 18:59:29.913783732 +0100 
@@ -224,7 +224,14 @@ Patch44: gh138131-exclude-pycache-from-digest.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 [email protected] Patch45: gh139257-Support-docutils-0.22.patch -#### Python 3.14 DEVELOPMENT PATCHES +# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 [email protected] +# Encode newlines in headers when using ByteGenerator +# patch from gh#python/cpython#144125 +Patch46: CVE-2024-6923-follow-up-EOL-email-headers.patch +# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 [email protected] +# Email preserve parens when folding comments +Patch47: CVE-2025-11468-email-hdr-fold-comment.patch +#### Python 3.14 END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes ++++++ CVE-2024-6923-follow-up-EOL-email-headers.patch ++++++ >From 5a8bfd878f086e28f0849bbc3970ad92f6ba37dc Mon Sep 17 00:00:00 2001 
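Review bot: The comment above `Patch46` names the class `ByteGenerator`, but the upstream change it references (gh#python/cpython#144125, subject line further down this page) is for `BytesGenerator`; a reader grepping the spec for the affected class will miss it, so change the line to `# Encode newlines in headers when using BytesGenerator`. The hunk only defines `Patch46` and `Patch47`; if this spec applies patches with explicit `%patch` lines rather than `%autopatch`, the matching application lines live outside this hunk and must be added as well. That last point is an inference, since the patch-application section of the spec is not visible here.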
From: Seth Michael Larson <[email protected]> Date: Fri, 23 Jan 2026 08:59:35 -0600 Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator (cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413) Co-authored-by: Seth Michael Larson <[email protected]> Co-authored-by: Denis Ledoux <[email protected]> Co-authored-by: Denis Ledoux <[email protected]> Co-authored-by: Petr Viktorin <[email protected]> Co-authored-by: Bas Bloemsaat <[email protected]> --- Lib/email/generator.py | 12 +++++++++- Lib/test/test_email/test_generator.py | 4 ++- Lib/test/test_email/test_policy.py | 6 ++++- Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 +++ 4 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst Index: Python-3.14.2/Lib/email/generator.py =================================================================== --- Python-3.14.2.orig/Lib/email/generator.py 2026-01-28 22:15:51.075267925 +0100 +++ Python-3.14.2/Lib/email/generator.py 2026-01-28 22:15:56.251194626 +0100 @@ -22,6 +22,7 @@ NLCRE = re.compile(r'\r\n|\r|\n') fcre = re.compile(r'^From ', re.MULTILINE) NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') +NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') class Generator: 
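Review bot: `NEWLINE_WITHOUT_FWSP_BYTES` repeats the str pattern on the context line above it character for character, so the str and bytes checks silently diverge if one is ever tightened without the other; derive it instead: `NEWLINE_WITHOUT_FWSP_BYTES = re.compile(NEWLINE_WITHOUT_FWSP.pattern.encode('ascii'))`. The pattern is pure ASCII, so the compiled bytes regex is identical to the literal on the added line. The constant also sits far from its only user, so a one-line note such as `# bytes twin of NEWLINE_WITHOUT_FWSP, used by the BytesGenerator header-writing loop` would help the next reader.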
@@ -429,7 +430,16 @@ # This is almost the same as the string version, except for handling # strings with 8bit bytes. for h, v in msg.raw_items(): - self._fp.write(self.policy.fold_binary(h, v)) + folded = self.policy.fold_binary(h, v) + if self.policy.verify_generated_headers: + linesep = self.policy.linesep.encode() + if not folded.endswith(linesep): + raise HeaderWriteError( + f'folded header does not end with {linesep!r}: {folded!r}') + if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)): + raise HeaderWriteError( + f'folded header contains newline: {folded!r}') + self._fp.write(folded) # A blank line always separates headers from body self.write(self._NL) Index: Python-3.14.2/Lib/test/test_email/test_generator.py =================================================================== --- Python-3.14.2.orig/Lib/test/test_email/test_generator.py 2026-01-28 22:15:52.693627763 +0100 +++ Python-3.14.2/Lib/test/test_email/test_generator.py 2026-01-28 22:15:56.251344799 +0100 @@ -313,7 +313,7 @@ self.assertEqual(s.getvalue(), self.typ(expected)) def test_verify_generated_headers(self): - """gh-121650: by default the generator prevents header injection""" + # gh-121650: by default the generator prevents header injection class LiteralHeader(str): name = 'Header' def fold(self, **kwargs): @@ -334,6 +334,8 @@ with self.assertRaises(email.errors.HeaderWriteError): message.as_string() + with self.assertRaises(email.errors.HeaderWriteError): + message.as_bytes() class TestBytesGenerator(TestGeneratorBase, TestEmailBase): Index: Python-3.14.2/Lib/test/test_email/test_policy.py =================================================================== --- Python-3.14.2.orig/Lib/test/test_email/test_policy.py 2026-01-28 22:15:52.703671956 +0100 +++ Python-3.14.2/Lib/test/test_email/test_policy.py 2026-01-28 22:15:56.251499922 +0100 
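Review bot: `linesep = self.policy.linesep.encode()` is recomputed for every header inside the `for h, v in msg.raw_items()` loop although the policy does not change between iterations; move that assignment above the `for` so it runs once. The new block also has no comment saying why the terminator is stripped before the regex search; add above the `removesuffix` line `# Drop the policy's own terminator first so that only line breaks embedded in the folded value (the header-injection case) remain to be caught.` This check presumably mirrors the str path elsewhere in `Generator`; if so, the two are candidates for one shared helper parameterised on the pattern and the line separator. The enclosing method starts before this hunk.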
@@ -296,7 +296,7 @@ policy.fold("Subject", subject) def test_verify_generated_headers(self): - """Turning protection off allows header injection""" + # Turning protection off allows header injection policy = email.policy.default.clone(verify_generated_headers=False) for text in ( 'Header: Value\r\nBad: Injection\r\n', @@ -319,6 +319,10 @@ message.as_string(), f"{text}\nBody", ) + self.assertEqual( + message.as_bytes(), + f"{text}\nBody".encode(), + ) # XXX: Need subclassing tests. # For adding subclassed objects, make sure the usual rules apply (subclass Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 2026-01-28 22:15:56.251667056 +0100 @@ -0,0 +1,4 @@ +:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers +that are unsafely folded or delimited; see +:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas +Bloemsaat and Petr Viktorin in :gh:`121650`). ++++++ CVE-2025-11468-email-hdr-fold-comment.patch ++++++ >From df45bd1aafc3b6792d43661207d2b7eb3a14d214 Mon Sep 17 00:00:00 2001 
From: Seth Michael Larson <[email protected]> Date: Mon, 19 Jan 2026 06:38:22 -0600 Subject: [PATCH] gh-143935: Email preserve parens when folding comments (GH-143936) Fix a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs. (cherry picked from commit 17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2) Co-authored-by: Seth Michael Larson <[email protected]> Co-authored-by: Denis Ledoux <[email protected]> --- Lib/email/_header_value_parser.py | 15 +++++++++++- .../test_email/test__header_value_parser.py | 23 +++++++++++++++++++ ...-01-16-14-40-31.gh-issue-143935.U2YtKl.rst | 6 +++++ 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py index 68c2cf9585c5b4..51727688c059ed 100644 --- a/Lib/email/_header_value_parser.py +++ b/Lib/email/_header_value_parser.py @@ -101,6 +101,12 @@ def make_quoted_pairs(value): return str(value).replace('\\', '\\\\').replace('"', '\\"') +def make_parenthesis_pairs(value): + """Escape parenthesis and backslash for use within a comment.""" + return str(value).replace('\\', '\\\\') \ + .replace('(', '\\(').replace(')', '\\)') + + def quote_string(value): escaped = make_quoted_pairs(value) return f'"{escaped}"' @@ -939,7 +945,7 @@ def value(self): return ' ' def startswith_fws(self): - return True + return self and self[0] in WSP class ValueTerminal(Terminal): 
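Review bot: `make_parenthesis_pairs` joins its chained `.replace` calls with a backslash line continuation; PEP 8 prefers an implicit continuation inside parentheses, and a single-pass `str.translate` expresses the same three escapes without depending on replacement order: `return str(value).translate(str.maketrans({'\\': '\\\\', '(': '\\(', ')': '\\)'}))`. The result is identical to the chained form, because the original doubles the backslash before escaping the parentheses and `translate` never re-scans its own output. The docstring could also state what callers rely on: `"""Escape '\\', '(' and ')' so *value* can be embedded in a comment without terminating it early."""`.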
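Review bot: `return self and self[0] in WSP` hands back the empty terminal itself rather than `False` when `self` is empty, so `startswith_fws` no longer always returns a bool as it did with the old `return True`; `return bool(self) and self[0] in WSP` keeps the short-circuit and a consistent type. Callers that only test truthiness are unaffected, but anything comparing the result with `is False` or recording it would see the difference — the callers are outside this hunk, so this is an inference. The enclosing class starts before this hunk.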
@@ -2959,6 +2965,13 @@ def _refold_parse_tree(parse_tree, *, policy): [ValueTerminal(make_quoted_pairs(p), 'ptext') for p in newparts] + [ValueTerminal('"', 'ptext')]) + if part.token_type == 'comment': + newparts = ( + [ValueTerminal('(', 'ptext')] + + [ValueTerminal(make_parenthesis_pairs(p), 'ptext') + if p.token_type == 'ptext' else p + for p in newparts] + + [ValueTerminal(')', 'ptext')]) if not part.as_ew_allowed: wrap_as_ew_blocked += 1 newparts.append(end_ew_not_allowed) diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py index 426ec4644e3096..e28fe3892015b9 100644 --- a/Lib/test/test_email/test__header_value_parser.py +++ b/Lib/test/test_email/test__header_value_parser.py 
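Review bot: The new `comment` branch mirrors the quoted-string branch immediately above it (re-wrap the flattened parts in their delimiters and re-escape the text) but carries no comment saying why the delimiters are re-added as literal `'ptext'` terminals, which the next reader of the refold logic will need; add above `if part.token_type == 'comment':` a line such as `# Re-wrap the flattened comment in '(' ')' and escape '\\', '(' and ')' inside it so the refolded line still parses as one comment (gh-143935).` The two branches differ only in delimiter pair, escape function and the `'ptext'` filter, so a small helper taking those three would remove the duplication, though the quoted-string branch begins above this hunk and the refactor needs the whole function in view. `_refold_parse_tree` itself starts before this hunk.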
@@ -3294,6 +3294,29 @@ def test_address_list_with_specials_in_long_quoted_string(self): with self.subTest(to=to): self._test(parser.get_address_list(to)[0], folded, policy=policy) + def test_address_list_with_long_unwrapable_comment(self): + policy = self.policy.clone(max_line_length=40) + cases = [ + # (to, folded) + ('(loremipsumdolorsitametconsecteturadipi)<[email protected]>', + '(loremipsumdolorsitametconsecteturadipi)<[email protected]>\n'), + ('<[email protected]>(loremipsumdolorsitametconsecteturadipi)', + '<[email protected]>(loremipsumdolorsitametconsecteturadipi)\n'), + ('(loremipsum dolorsitametconsecteturadipi)<[email protected]>', + '(loremipsum dolorsitametconsecteturadipi)<[email protected]>\n'), + ('<[email protected]>(loremipsum dolorsitametconsecteturadipi)', + '<[email protected]>(loremipsum\n dolorsitametconsecteturadipi)\n'), + ('(Escaped \\( \\) chars \\\\ in comments stay escaped)<[email protected]>', + '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)<[email protected]>\n'), + ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))<[email protected]>', + '((loremipsum)(loremipsum)(loremipsum)(loremipsum))<[email protected]>\n'), + ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))<[email protected]>', + '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))<[email protected]>\n'), + ] + for (to, folded) in cases: + with self.subTest(to=to): + self._test(parser.get_address_list(to)[0], folded, policy=policy) + # XXX Need tests with comments on various sides of a unicode token, # and with unicode tokens in the comments. Spaces inside the quotes # currently don't do the right thing. diff --git a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst new file mode 100644 index 00000000000000..c3d864936884ac --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst 
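Review bot: The new test's name spells "unwrapable" with one p; `test_address_list_with_long_unwrappable_comment` reads correctly and matches the "non-foldable" wording of the NEWS entry. The loop header `for (to, folded) in cases:` wraps the unpacking target in redundant parentheses; `for to, folded in cases:` is the usual form (the sibling test's loop header lies outside this hunk, so whether it matches is not visible). Both points are cosmetic; the cases themselves exercise the escaped-parenthesis and nested-comment paths the fix touches.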
@@ -0,0 +1,6 @@
+Fixed a bug in the folding of comments when flattening an email message
+using a modern email policy. Comments consisting of a very long sequence of
+non-foldable characters could trigger a forced line wrap that omitted the
+required leading space on the continuation line, causing the remainder of
+the comment to be interpreted as a new header field. This enabled header
+injection with carefully crafted inputs.
++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.3H7uTo/_old 2026-01-29 18:59:30.073790505 +0100
+++ /var/tmp/diff_new_pack.3H7uTo/_new 2026-01-29 18:59:30.077790675 +0100
@@ -1,6 +1,6 @@
-mtime: 1767634125
-commit: 7cd0446b54d8765415374535482b6d87f0a9a2f43cf2ac303110bc7b64c1cb8d
+mtime: 1769691597
+commit: 3a0658eda43cd8c3eeac0838a1b2980fc4402a050f83f8c3a59b63bcc8e5a7f6
 url: https://src.opensuse.org/python-interpreters/python314.git
-revision: 7cd0446b54d8765415374535482b6d87f0a9a2f43cf2ac303110bc7b64c1cb8d
+revision: 3a0658eda43cd8c3eeac0838a1b2980fc4402a050f83f8c3a59b63bcc8e5a7f6
 projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj
++++++ build.specials.obscpio ++++++
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-01-29 14:00:23.000000000 +0100
@@ -0,0 +1,5 @@
+.osc
+*.obscpio
+_build.*
+.pbuild
+python314-*-build/
