From f02202cb27dc69d60e3e71cb20ce474be5d074ad Mon Sep 17 00:00:00 2001
From: Karolina Surma
Date: Mon, 9 Feb 2026 10:10:54 +0100
Subject: [PATCH] Fix CVE-2025-15366, CVE-2025-15367

Resolves: RHEL-143058, RHEL-143111
---
 00474-cve-2025-15366.patch | 59 ++++++++++++++++++++++++++++++++++++++
 00475-cve-2025-15367.patch | 59 ++++++++++++++++++++++++++++++++++++++
 python3.14.spec | 17 +++++++++--
 3 files changed, 133 insertions(+), 2 deletions(-)
 create mode 100644 00474-cve-2025-15366.patch
 create mode 100644 00475-cve-2025-15367.patch

diff --git a/00474-cve-2025-15366.patch b/00474-cve-2025-15366.patch
new file mode 100644
index 0000000..985adbb
--- /dev/null
+++ b/00474-cve-2025-15366.patch
@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Tue, 20 Jan 2026 14:45:42 -0600
+Subject: 00474: CVE-2025-15366
+
+Downstream only: Reject control characters in IMAP commands
+---
+ Lib/imaplib.py | 4 +++-
+ Lib/test/test_imaplib.py | 6 ++++++
+ .../Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+
+diff --git a/Lib/imaplib.py b/Lib/imaplib.py
+index cbe129b3e7..b9c691aacd 100644
+--- a/Lib/imaplib.py
++++ b/Lib/imaplib.py
+@@ -131,7 +131,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P\d+)}$'
+ _Untagged_status = br'\* (?P\d+) (?P[A-Z-]+)( (?P.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+
+
+ class IMAP4:
+@@ -1108,6 +1108,8 @@ def _command(self, name, *args):
+ if arg is None: continue
+ if isinstance(arg, str):
+ arg = bytes(arg, self._encoding)
++ if _control_chars.search(arg):
++ raise ValueError("Control characters not allowed in commands")
+ data = data + b' ' + arg
+
+ literal = self.literal
+diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
+index a03d7b8bb2..e26400b588 100644
+--- a/Lib/test/test_imaplib.py
++++ b/Lib/test/test_imaplib.py
+@@ -663,6 +663,12 @@ def test_unselect(self):
+ self.assertEqual(data[0], b'Returned to authenticated state. 
(Success)')
+ self.assertEqual(client.state, 'AUTH')
+
++ def test_control_characters(self):
++ client, _ = self._setup(SimpleIMAPHandler)
++ for c0 in support.control_characters_c0():
++ with self.assertRaises(ValueError):
++ client.login(f'user{c0}', 'pass')
++
+ # property tests
+
+ def test_file_property_should_not_be_accessed(self):
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+new file mode 100644
+index 0000000000..4e13fe92bc
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+@@ -0,0 +1 @@
++Reject control characters in IMAP commands.
diff --git a/00475-cve-2025-15367.patch b/00475-cve-2025-15367.patch
new file mode 100644
index 0000000..71c71c2
--- /dev/null
+++ b/00475-cve-2025-15367.patch
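Review bot: The new `_control_chars` assignment in the inner `@@ -131,7 +131,7 @@` hunk of Lib/imaplib.py lands directly under the comment `# We compile these in _mode_xxx.`, which describes `_Literal` and `_Untagged_status` but not this pattern, which is compiled once at import and used from `_command`; a comment such as `# Compiled at import (not in _mode_xxx): C0 control bytes and DEL are rejected in _command().` would keep the header accurate. The pattern is a non-raw bytes literal, `b'[\x00-\x1F\x7F]'`, so Python resolves the `\x` escapes before `re` sees them; that works, but `rb'[\x00-\x1F\x7F]'` makes the character class readable as a regex, and the same applies to the inline pattern in the 00475 POP3 patch. In `_command` the check runs per argument after the `str`-to-`bytes` conversion, so both `str` and pre-encoded `bytes` arguments are covered, while `self.literal` on the following line is not checked; if that is intentional because literals are sent with a length prefix, a one-line comment saying so would stop a later reader from widening the check. `_command` begins before and ends after the inner hunk.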
@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Tue, 20 Jan 2026 14:46:32 -0600
+Subject: 00475: CVE-2025-15367
+
+Downstream only: Reject control characters in POP3 commands
+---
+ Lib/poplib.py | 2 ++
+ Lib/test/test_poplib.py | 8 ++++++++
+ .../2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 +
+ 3 files changed, 11 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index 4469bff44b..b97274c5c3 100644
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -122,6 +122,8 @@ def _putline(self, line):
+ def _putcmd(self, line):
+ if self._debugging: print('*cmd*', repr(line))
+ line = bytes(line, self.encoding)
++ if re.search(b'[\x00-\x1F\x7F]', line):
++ raise ValueError('Control characters not allowed in commands')
+ self._putline(line)
+
+
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+index ef2da97f86..18ca7cb556 100644
+--- a/Lib/test/test_poplib.py
++++ b/Lib/test/test_poplib.py
+@@ -17,6 +17,7 @@
+ from test.support import threading_helper
+ from test.support import asynchat
+ from test.support import asyncore
++from test.support import control_characters_c0
+
+
+ test_support.requires_working_socket(module=True)
+@@ -395,6 +396,13 @@ def test_quit(self):
+ self.assertIsNone(self.client.sock)
+ self.assertIsNone(self.client.file)
+
++ def test_control_characters(self):
++ for c0 in control_characters_c0():
++ with self.assertRaises(ValueError):
++ self.client.user(f'user{c0}')
++ with self.assertRaises(ValueError):
++ self.client.pass_(f'{c0}pass')
++
+ @requires_ssl
+ def test_stls_capa(self):
+ capa = self.client.capa()
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+new file mode 100644
+index 0000000000..3cde4df3e0
+--- /dev/null
++++ 
b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+@@ -0,0 +1 @@
++Reject control characters in POP3 commands.
diff --git a/python3.14.spec b/python3.14.spec
index 4dea2fc..15bc3b3 100644
--- a/python3.14.spec
+++ b/python3.14.spec
@@ -410,6 +410,18 @@ Patch464: 00464-enable-pac-and-bti-protections-for-aarch64.patch
 # which is tested as working.
 Patch466: 00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch
 
+# 00474 # 0d9da266d5ecb31d8a417a0a5daa251a2d99389f
+# CVE-2025-15366
+#
+# Downstream only: Reject control characters in IMAP commands
+Patch474: 00474-cve-2025-15366.patch
+
+# 00475 # 91e12ebfb2a88b265f3764a0d852b6fa53b2386a
+# CVE-2025-15367
+#
+# Downstream only: Reject control characters in POP3 commands
+Patch475: 00475-cve-2025-15367.patch
+
 # 00477 # f9f53e560d161531a0c3476c08ee26b89a628bde
 # Raise an error when importing stdlib modules compiled for a different Python version
 #
@@ -1966,8 +1978,9 @@ CheckPython freethreading
 * Wed Feb 04 2026 Karolina Surma - 3.14.3-1
 - Update to Python 3.14.3
 - Security fixes for CVE-2025-11468, CVE-2026-0672,CVE-2026-0865,
-CVE-2025-15282, CVE-2026-1299, CVE-2025-11468
-Resolves: RHEL-144855
+CVE-2025-15282, CVE-2026-1299, CVE-2025-11468, CVE-2025-15366,
+CVE-2025-15367
+Resolves: RHEL-144855, RHEL-143058, RHEL-143111
 
 * Mon Jan 19 2026 Charalampos Stratakis - 3.14.2-3
 - Support OpenSSL FIPS mode
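Review bot: The check added to `_putcmd` in the inner `@@ -122,6 +122,8 @@` hunk of Lib/poplib.py calls `re.search` with an inline pattern on every command, while the companion 00474 IMAP patch hoists the same character class into a module-level compiled `_control_chars`; the two downstream patches would be easier to maintain together if poplib did the same, e.g. `_control_chars = re.compile(rb'[\x00-\x1F\x7F]')` at module level and `if _control_chars.search(line):` here. The check sits after `line = bytes(line, self.encoding)`, so every command that reaches `_putcmd` is covered regardless of whether the caller passed a `str`, which looks right. A short why-comment next to the raise, `# Reject C0 controls and DEL so control bytes in a user-supplied argument cannot alter the command that is sent (CVE-2025-15367).`, would record the reason for the next maintainer.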
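Review bot: The `@@ -1966,8 +1978,9 @@` hunk in python3.14.spec rewrites the existing `3.14.3-1` changelog entry instead of adding a new one, and no `Release` change is visible in this diff; if `3.14.3-1` has already been built, the two new patches should get their own dated entry and a release bump so the rebuilt package is distinguishable from the shipped one. The rewritten line `+CVE-2025-15282, CVE-2026-1299, CVE-2025-11468, CVE-2025-15366,` keeps `CVE-2025-11468`, which already appears on the unchanged `- Security fixes for CVE-2025-11468, ...` line above it, so the entry lists that CVE twice; dropping the second occurrence while the line is being touched would fix it. Whether `Patch474`/`Patch475` from the first hunk fall inside the range the spec's patch-application step applies is not visible here and is worth confirming before the build.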