[oss-security] CPython CVE-2024-6923: Email header injection due to unquoted newlines

Thu, 01 Aug 2024 14:32:09 -0700 

----- Begin Forwarded Message -----
Subject:        [Security-announce][CVE-2024-6923] Email header injection due 
to unquoted newlines
Date:   Thu, 1 Aug 2024 08:38:53 -0500
From:   Seth Larson <s...@python.org>
Reply-To:       security-...@python.org
To:     security-annou...@python.org

There is a MEDIUM severity vulnerability affecting CPython.

The email module didn’t properly quote newlines for email headers when 
serializing an email message allowing for header injection when an email is 
serialized.

Please see the linked CVE for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2024-6923
* https://github.com/python/cpython/pull/122233
* https://github.com/python/cpython/issues/121650

------ End Forwarded Message ------

The original bug report stated:


If a parsed email header contains a correctly quoted newline, setting an
email header to that value will include a newline.

from email import message_from_string
from email.policy import default

email_in = """\
To: incoming+...@me.example.com
From: External Sender <sen...@them.example.com>
Subject: Here's an =?UTF-8?Q?embedded_newline=0A?=
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

<html>
<head><title>An embeded newline</title></head>
<body>
  <p>I sent you an embedded newline in the subject. How do you like that?!</p>
</body>
</html>
"""

msg = message_from_string(email_in, policy=default)
msg = message_from_string(email_in, policy=default)
for header, value in msg.items():
    del msg[header]
    msg[header] = value
email_out = str(msg)
print(email_out)

Output is:

To: incoming+...@me.example.com
From: External Sender <sen...@them.example.com>
Subject: Here's an embedded newline

Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

<html>
<head><title>An embeded newline</title></head>
<body>
  <p>I sent you an embedded newline in the subject. How do you like that?!</p>
</body>
</html>

An email parser will interpret the newline as the start of the message.
In this case, the Content-Type and other MIME headers will not be
processed, and the email treated as plain text. In other cases,
required headers like To may not be processed and the email will not
be delivered.


A later update noted:


On further investigation, a plain string with a trailing newline has this issue:

email["Subject"] = "string with newlines\n"
So the "re-use parsed header" is not part of the issue.

Reply via email to