Fix tests on s390x with hw acceleration

Security fix for CVE-2023-27043
Resolves: RHEL-20613
2024-01-27 04:32:41 +00:00 · 2024-01-05 10:32:41 +01:00
4 changed files with 869 additions and 1 deletions
--- a/.python3.9.metadata
+++ b/.python3.9.metadata
@ -0,0 +1,2 @@
+abe4a20dcc11798495b17611ef9f8f33d6975722 Python-3.9.18.tar.xz
+915e5599fb4470e2013a6fe83a7cead27e9e1a7f Python-3.9.18.tar.xz.asc
--- a/00414-skip_test_zlib_s390x.patch
+++ b/00414-skip_test_zlib_s390x.patch
@ -0,0 +1,88 @@
+From e5be32d6eb880c9563fde2f23cc31b7e449719ec Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Wed, 24 Jan 2024 18:14:14 +0100
+Subject: [PATCH] bpo-46623: Skip two test_zlib tests on s390x (GH-31096)
+
+Skip test_pair() and test_speech128() of test_zlib on s390x since
+they fail if zlib uses the s390x hardware accelerator.
+---
+ Lib/test/test_zlib.py                         | 32 +++++++++++++++++++
+ .../2022-02-03-09-45-26.bpo-46623.vxzuhV.rst  |  2 ++
+ 2 files changed, 34 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
+
+diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
+index 02509cd..f3654c9 100644
+--- a/Lib/test/test_zlib.py
+++ b/Lib/test/test_zlib.py
+@@ -2,6 +2,7 @@ import unittest
+ from test import support
+ import binascii
+ import copy
+import os
+ import pickle
+ import random
+ import sys
+@@ -16,6 +17,35 @@ requires_Decompress_copy = unittest.skipUnless(
+         hasattr(zlib.decompressobj(), "copy"),
+         'requires Decompress.copy()')
+ 
+# bpo-46623: On s390x, when a hardware accelerator is used, using different
+# ways to compress data with zlib can produce different compressed data.
+# Simplified test_pair() code:
+#
+#   def func1(data):
+#       return zlib.compress(data)
+#
+#   def func2(data):
+#       co = zlib.compressobj()
+#       x1 = co.compress(data)
+#       x2 = co.flush()
+#       return x1 + x2
+#
+# On s390x if zlib uses a hardware accelerator, func1() creates a single
+# "final" compressed block whereas func2() produces 3 compressed blocks (the
+# last one is a final block). On other platforms with no accelerator, func1()
+# and func2() produce the same compressed data made of a single (final)
+# compressed block.
+#
+# Only the compressed data is different, the decompression returns the original
+# data:
+#
+#   zlib.decompress(func1(data)) == zlib.decompress(func2(data)) == data
+#
+# Make the assumption that s390x always has an accelerator to simplify the skip
+# condition. Windows doesn't have os.uname() but it doesn't support s390x.
+skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
+                                'skipped on s390x')
+
+ 
+ class VersionTestCase(unittest.TestCase):
+ 
+@@ -174,6 +204,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
+                                          bufsize=zlib.DEF_BUF_SIZE),
+                          HAMLET_SCENE)
+ 
+    @skip_on_s390x
+     def test_speech128(self):
+         # compress more data
+         data = HAMLET_SCENE * 128
+@@ -225,6 +256,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
+ 
+ class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase):
+     # Test compression object
+    @skip_on_s390x
+     def test_pair(self):
+         # straightforward compress/decompress objects
+         datasrc = HAMLET_SCENE * 128
+diff --git a/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
+new file mode 100644
+index 0000000..be085c0
+--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
+@@ -0,0 +1,2 @@
+Skip test_pair() and test_speech128() of test_zlib on s390x since they fail
+if zlib uses the s390x hardware accelerator. Patch by Victor Stinner.
+-- 
+2.43.0
+
--- a/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
+++ b/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
@ -0,0 +1,750 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Fri, 15 Dec 2023 16:10:40 +0100
+Subject: [PATCH] 00415: [CVE-2023-27043] gh-102988: Reject malformed addresses
+ in email.parseaddr() (#111116)
+
+Detect email address parsing errors and return empty tuple to
+indicate the parsing error (old API). Add an optional 'strict'
+parameter to getaddresses() and parseaddr() functions. Patch by
+Thomas Dwyer.
+
+Co-Authored-By: Thomas Dwyer <github@tomd.tel>
+---
+ Doc/library/email.utils.rst                   |  19 +-
+ Lib/email/utils.py                            | 151 ++++++++++++-
+ Lib/test/test_email/test_email.py             | 204 +++++++++++++++++-
+ ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst |   8 +
+ 4 files changed, 361 insertions(+), 21 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
+
+diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
+index 4d0e920eb0..104229e9e5 100644
+--- a/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst
+@@ -60,13 +60,18 @@ of the new API.
+    begins with angle brackets, they are stripped off.
+ 
+ 
+-.. function:: parseaddr(address)
+.. function:: parseaddr(address, *, strict=True)
+ 
+    Parse address -- which should be the value of some address-containing field such
+    as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
+    *email address* parts.  Returns a tuple of that information, unless the parse
+    fails, in which case a 2-tuple of ``('', '')`` is returned.
+ 
+   If *strict* is true, use a strict parser which rejects malformed inputs.
+
+   .. versionchanged:: 3.13
+      Add *strict* optional parameter and reject malformed inputs by default.
+
+ 
+ .. function:: formataddr(pair, charset='utf-8')
+ 
+@@ -84,12 +89,15 @@ of the new API.
+       Added the *charset* option.
+ 
+ 
+-.. function:: getaddresses(fieldvalues)
+.. function:: getaddresses(fieldvalues, *, strict=True)
+ 
+    This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
+    *fieldvalues* is a sequence of header field values as might be returned by
+-   :meth:`Message.get_all <email.message.Message.get_all>`.  Here's a simple
+-   example that gets all the recipients of a message::
+   :meth:`Message.get_all <email.message.Message.get_all>`.
+
+   If *strict* is true, use a strict parser which rejects malformed inputs.
+
+   Here's a simple example that gets all the recipients of a message::
+ 
+       from email.utils import getaddresses
+ 
+@@ -99,6 +107,9 @@ of the new API.
+       resent_ccs = msg.get_all('resent-cc', [])
+       all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
+ 
+   .. versionchanged:: 3.13
+      Add *strict* optional parameter and reject malformed inputs by default.
+
+ 
+ .. function:: parsedate(date)
+ 
+diff --git a/Lib/email/utils.py b/Lib/email/utils.py
+index 48d30160aa..7ca7a7c886 100644
+--- a/Lib/email/utils.py
+++ b/Lib/email/utils.py
+@@ -48,6 +48,7 @@ TICK = "'"
+ specialsre = re.compile(r'[][\\()<>@,:;".]')
+ escapesre = re.compile(r'[\\"]')
+ 
+
+ def _has_surrogates(s):
+     """Return True if s contains surrogate-escaped binary data."""
+     # This check is based on the fact that unless there are surrogates, utf8
+@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
+     return address
+ 
+ 
+def _iter_escaped_chars(addr):
+    pos = 0
+    escape = False
+    for pos, ch in enumerate(addr):
+        if escape:
+            yield (pos, '\\' + ch)
+            escape = False
+        elif ch == '\\':
+            escape = True
+        else:
+            yield (pos, ch)
+    if escape:
+        yield (pos, '\\')
+ 
+-def getaddresses(fieldvalues):
+-    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
+-    all = COMMASPACE.join(str(v) for v in fieldvalues)
+-    a = _AddressList(all)
+-    return a.addresslist
+
+def _strip_quoted_realnames(addr):
+    """Strip real names between quotes."""
+    if '"' not in addr:
+        # Fast path
+        return addr
+
+    start = 0
+    open_pos = None
+    result = []
+    for pos, ch in _iter_escaped_chars(addr):
+        if ch == '"':
+            if open_pos is None:
+                open_pos = pos
+            else:
+                if start != open_pos:
+                    result.append(addr[start:open_pos])
+                start = pos + 1
+                open_pos = None
+
+    if start < len(addr):
+        result.append(addr[start:])
+
+    return ''.join(result)
+
+
+supports_strict_parsing = True
+
+def getaddresses(fieldvalues, *, strict=True):
+    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+
+    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
+    its place.
+
+    If strict is true, use a strict parser which rejects malformed inputs.
+    """
+
+    # If strict is true, if the resulting list of parsed addresses is greater
+    # than the number of fieldvalues in the input list, a parsing error has
+    # occurred and consequently a list containing a single empty 2-tuple [('',
+    # '')] is returned in its place. This is done to avoid invalid output.
+    #
+    # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
+    # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
+    # Safe output: [('', '')]
+
+    if not strict:
+        all = COMMASPACE.join(str(v) for v in fieldvalues)
+        a = _AddressList(all)
+        return a.addresslist
+
+    fieldvalues = [str(v) for v in fieldvalues]
+    fieldvalues = _pre_parse_validation(fieldvalues)
+    addr = COMMASPACE.join(fieldvalues)
+    a = _AddressList(addr)
+    result = _post_parse_validation(a.addresslist)
+
+    # Treat output as invalid if the number of addresses is not equal to the
+    # expected number of addresses.
+    n = 0
+    for v in fieldvalues:
+        # When a comma is used in the Real Name part it is not a delimiter.
+        # So strip those out before counting the commas.
+        v = _strip_quoted_realnames(v)
+        # Expected number of addresses: 1 + number of commas
+        n += 1 + v.count(',')
+    if len(result) != n:
+        return [('', '')]
+
+    return result
+
+
+def _check_parenthesis(addr):
+    # Ignore parenthesis in quoted real names.
+    addr = _strip_quoted_realnames(addr)
+
+    opens = 0
+    for pos, ch in _iter_escaped_chars(addr):
+        if ch == '(':
+            opens += 1
+        elif ch == ')':
+            opens -= 1
+            if opens < 0:
+                return False
+    return (opens == 0)
+
+
+def _pre_parse_validation(email_header_fields):
+    accepted_values = []
+    for v in email_header_fields:
+        if not _check_parenthesis(v):
+            v = "('', '')"
+        accepted_values.append(v)
+
+    return accepted_values
+
+
+def _post_parse_validation(parsed_email_header_tuples):
+    accepted_values = []
+    # The parser would have parsed a correctly formatted domain-literal
+    # The existence of an [ after parsing indicates a parsing failure
+    for v in parsed_email_header_tuples:
+        if '[' in v[1]:
+            v = ('', '')
+        accepted_values.append(v)
+
+    return accepted_values
+ 
+ 
+ def _format_timetuple_and_zone(timetuple, zone):
+@@ -202,16 +318,33 @@ def parsedate_to_datetime(data):
+             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
+ 
+ 
+-def parseaddr(addr):
+def parseaddr(addr, *, strict=True):
+     """
+     Parse addr into its constituent realname and email address parts.
+ 
+     Return a tuple of realname and email address, unless the parse fails, in
+     which case return a 2-tuple of ('', '').
+
+    If strict is True, use a strict parser which rejects malformed inputs.
+     """
+-    addrs = _AddressList(addr).addresslist
+-    if not addrs:
+-        return '', ''
+    if not strict:
+        addrs = _AddressList(addr).addresslist
+        if not addrs:
+            return ('', '')
+        return addrs[0]
+
+    if isinstance(addr, list):
+        addr = addr[0]
+
+    if not isinstance(addr, str):
+        return ('', '')
+
+    addr = _pre_parse_validation([addr])[0]
+    addrs = _post_parse_validation(_AddressList(addr).addresslist)
+
+    if not addrs or len(addrs) > 1:
+        return ('', '')
+
+     return addrs[0]
+ 
+ 
+diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
+index 761ea90b78..0c689643de 100644
+--- a/Lib/test/test_email/test_email.py
+++ b/Lib/test/test_email/test_email.py
+@@ -16,6 +16,7 @@ from unittest.mock import patch
+ 
+ import email
+ import email.policy
+import email.utils
+ 
+ from email.charset import Charset
+ from email.header import Header, decode_header, make_header
+@@ -3263,15 +3264,154 @@ Foo
+            [('Al Person', 'aperson@dom.ain'),
+             ('Bud Person', 'bperson@dom.ain')])
+ 
+    def test_getaddresses_comma_in_name(self):
+        """GH-106669 regression test."""
+        self.assertEqual(
+            utils.getaddresses(
+                [
+                    '"Bud, Person" <bperson@dom.ain>',
+                    'aperson@dom.ain (Al Person)',
+                    '"Mariusz Felisiak" <to@example.com>',
+                ]
+            ),
+            [
+                ('Bud, Person', 'bperson@dom.ain'),
+                ('Al Person', 'aperson@dom.ain'),
+                ('Mariusz Felisiak', 'to@example.com'),
+            ],
+        )
+
+    def test_parsing_errors(self):
+        """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
+        alice = 'alice@example.org'
+        bob = 'bob@example.com'
+        empty = ('', '')
+
+        # Test utils.getaddresses() and utils.parseaddr() on malformed email
+        # addresses: default behavior (strict=True) rejects malformed address,
+        # and strict=False which tolerates malformed address.
+        for invalid_separator, expected_non_strict in (
+            ('(', [(f'<{bob}>', alice)]),
+            (')', [('', alice), empty, ('', bob)]),
+            ('<', [('', alice), empty, ('', bob), empty]),
+            ('>', [('', alice), empty, ('', bob)]),
+            ('[', [('', f'{alice}[<{bob}>]')]),
+            (']', [('', alice), empty, ('', bob)]),
+            ('@', [empty, empty, ('', bob)]),
+            (';', [('', alice), empty, ('', bob)]),
+            (':', [('', alice), ('', bob)]),
+            ('.', [('', alice + '.'), ('', bob)]),
+            ('"', [('', alice), ('', f'<{bob}>')]),
+        ):
+            address = f'{alice}{invalid_separator}<{bob}>'
+            with self.subTest(address=address):
+                self.assertEqual(utils.getaddresses([address]),
+                                 [empty])
+                self.assertEqual(utils.getaddresses([address], strict=False),
+                                 expected_non_strict)
+
+                self.assertEqual(utils.parseaddr([address]),
+                                 empty)
+                self.assertEqual(utils.parseaddr([address], strict=False),
+                                 ('', address))
+
+        # Comma (',') is treated differently depending on strict parameter.
+        # Comma without quotes.
+        address = f'{alice},<{bob}>'
+        self.assertEqual(utils.getaddresses([address]),
+                         [('', alice), ('', bob)])
+        self.assertEqual(utils.getaddresses([address], strict=False),
+                         [('', alice), ('', bob)])
+        self.assertEqual(utils.parseaddr([address]),
+                         empty)
+        self.assertEqual(utils.parseaddr([address], strict=False),
+                         ('', address))
+
+        # Real name between quotes containing comma.
+        address = '"Alice, alice@example.org" <bob@example.com>'
+        expected_strict = ('Alice, alice@example.org', 'bob@example.com')
+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
+        self.assertEqual(utils.parseaddr([address]), expected_strict)
+        self.assertEqual(utils.parseaddr([address], strict=False),
+                         ('', address))
+
+        # Valid parenthesis in comments.
+        address = 'alice@example.org (Alice)'
+        expected_strict = ('Alice', 'alice@example.org')
+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
+        self.assertEqual(utils.parseaddr([address]), expected_strict)
+        self.assertEqual(utils.parseaddr([address], strict=False),
+                         ('', address))
+
+        # Invalid parenthesis in comments.
+        address = 'alice@example.org )Alice('
+        self.assertEqual(utils.getaddresses([address]), [empty])
+        self.assertEqual(utils.getaddresses([address], strict=False),
+                         [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
+        self.assertEqual(utils.parseaddr([address]), empty)
+        self.assertEqual(utils.parseaddr([address], strict=False),
+                         ('', address))
+
+        # Two addresses with quotes separated by comma.
+        address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
+        self.assertEqual(utils.getaddresses([address]),
+                         [('Jane Doe', 'jane@example.net'),
+                          ('John Doe', 'john@example.net')])
+        self.assertEqual(utils.getaddresses([address], strict=False),
+                         [('Jane Doe', 'jane@example.net'),
+                          ('John Doe', 'john@example.net')])
+        self.assertEqual(utils.parseaddr([address]), empty)
+        self.assertEqual(utils.parseaddr([address], strict=False),
+                         ('', address))
+
+        # Test email.utils.supports_strict_parsing attribute
+        self.assertEqual(email.utils.supports_strict_parsing, True)
+
+     def test_getaddresses_nasty(self):
+-        eq = self.assertEqual
+-        eq(utils.getaddresses(['foo: ;']), [('', '')])
+-        eq(utils.getaddresses(
+-           ['[]*-- =~$']),
+-           [('', ''), ('', ''), ('', '*--')])
+-        eq(utils.getaddresses(
+-           ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
+-           [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
+        for addresses, expected in (
+            (['"Sürname, Firstname" <to@example.com>'],
+             [('Sürname, Firstname', 'to@example.com')]),
+
+            (['foo: ;'],
+             [('', '')]),
+
+            (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
+             [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
+
+            ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
+             [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
+
+            (['(Empty list)(start)Undisclosed recipients  :(nobody(I know))'],
+             [('', '')]),
+
+            (['Mary <@machine.tld:mary@example.net>, , jdoe@test   . example'],
+             [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
+
+            (['John Doe <jdoe@machine(comment).  example>'],
+             [('John Doe (comment)', 'jdoe@machine.example')]),
+
+            (['"Mary Smith: Personal Account" <smith@home.example>'],
+             [('Mary Smith: Personal Account', 'smith@home.example')]),
+
+            (['Undisclosed recipients:;'],
+             [('', '')]),
+
+            ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
+             [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
+        ):
+            with self.subTest(addresses=addresses):
+                self.assertEqual(utils.getaddresses(addresses),
+                                 expected)
+                self.assertEqual(utils.getaddresses(addresses, strict=False),
+                                 expected)
+
+        addresses = ['[]*-- =~$']
+        self.assertEqual(utils.getaddresses(addresses),
+                         [('', '')])
+        self.assertEqual(utils.getaddresses(addresses, strict=False),
+                         [('', ''), ('', ''), ('', '*--')])
+ 
+     def test_getaddresses_embedded_comment(self):
+         """Test proper handling of a nested comment"""
+@@ -3460,6 +3600,54 @@ multipart/report
+                 m = cls(*constructor, policy=email.policy.default)
+                 self.assertIs(m.policy, email.policy.default)
+ 
+    def test_iter_escaped_chars(self):
+        self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
+                         [(0, 'a'),
+                          (2, '\\\\'),
+                          (3, 'b'),
+                          (5, '\\"'),
+                          (6, 'c'),
+                          (8, '\\\\'),
+                          (9, '"'),
+                          (10, 'd')])
+        self.assertEqual(list(utils._iter_escaped_chars('a\\')),
+                         [(0, 'a'), (1, '\\')])
+
+    def test_strip_quoted_realnames(self):
+        def check(addr, expected):
+            self.assertEqual(utils._strip_quoted_realnames(addr), expected)
+
+        check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
+              ' <jane@example.net>,  <john@example.net>')
+        check(r'"Jane \"Doe\"." <jane@example.net>',
+              ' <jane@example.net>')
+
+        # special cases
+        check(r'before"name"after', 'beforeafter')
+        check(r'before"name"', 'before')
+        check(r'b"name"', 'b')  # single char
+        check(r'"name"after', 'after')
+        check(r'"name"a', 'a')  # single char
+        check(r'"name"', '')
+
+        # no change
+        for addr in (
+            'Jane Doe <jane@example.net>, John Doe <john@example.net>',
+            'lone " quote',
+        ):
+            self.assertEqual(utils._strip_quoted_realnames(addr), addr)
+
+
+    def test_check_parenthesis(self):
+        addr = 'alice@example.net'
+        self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
+        self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
+        self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
+        self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
+
+        # Ignore real name between quotes
+        self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
+
+ 
+ # Test the iterator/generators
+ class TestIterators(TestEmailBase):
+diff --git a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
+new file mode 100644
+index 0000000000..3d0e9e4078
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
+@@ -0,0 +1,8 @@
+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
+return ``('', '')`` 2-tuples in more situations where invalid email
+addresses are encountered instead of potentially inaccurate values. Add
+optional *strict* parameter to these two functions: use ``strict=False`` to
+get the old behavior, accept malformed inputs.
+``getattr(email.utils, 'supports_strict_parsing', False)`` can be used to check
+if the *strict* parameter is available. Patch by Thomas Dwyer and Victor
+Stinner to improve the CVE-2023-27043 fix.
+
+
+From 4df4fad359c280f2328b98ea9b4414f244624a58 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 18 Dec 2023 20:15:33 +0100
+Subject: [PATCH] Make it possible to disable strict parsing in email module
+
+---
+ Doc/library/email.utils.rst       | 26 +++++++++++
+ Lib/email/utils.py                | 54 ++++++++++++++++++++++-
+ Lib/test/test_email/test_email.py | 72 ++++++++++++++++++++++++++++++-
+ 3 files changed, 149 insertions(+), 3 deletions(-)
+
+diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
+index d1e1898591..7aef773b5f 100644
+--- a/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst
+@@ -69,6 +69,19 @@ of the new API.
+ 
+    If *strict* is true, use a strict parser which rejects malformed inputs.
+ 
+   The default setting for *strict* is set to ``True``, but you can override
+   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
+   to a non-empty string.
+
+   Additionally, you can permanently set the default value for *strict* to
+   ``False`` by creating the configuration file ``/etc/python/email.cfg``
+   with the following content:
+
+   .. code-block:: ini
+
+      [email_addr_parsing]
+      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
+
+    .. versionchanged:: 3.13
+       Add *strict* optional parameter and reject malformed inputs by default.
+ 
+@@ -97,6 +110,19 @@ of the new API.
+ 
+    If *strict* is true, use a strict parser which rejects malformed inputs.
+ 
+   The default setting for *strict* is set to ``True``, but you can override
+   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
+   to a non-empty string.
+
+   Additionally, you can permanently set the default value for *strict* to
+   ``False`` by creating the configuration file ``/etc/python/email.cfg``
+   with the following content:
+
+   .. code-block:: ini
+
+      [email_addr_parsing]
+      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
+
+    Here's a simple example that gets all the recipients of a message::
+ 
+       from email.utils import getaddresses
+diff --git a/Lib/email/utils.py b/Lib/email/utils.py
+index f83b7e5d7e..b8e90ceb8e 100644
+--- a/Lib/email/utils.py
+++ b/Lib/email/utils.py
+@@ -48,6 +48,46 @@ TICK = "'"
+ specialsre = re.compile(r'[][\\()<>@,:;".]')
+ escapesre = re.compile(r'[\\"]')
+ 
+_EMAIL_CONFIG_FILE = "/etc/python/email.cfg"
+_cached_strict_addr_parsing = None
+
+
+def _use_strict_email_parsing():
+    """Cache implementation for _cached_strict_addr_parsing"""
+    global _cached_strict_addr_parsing
+    if _cached_strict_addr_parsing is None:
+        _cached_strict_addr_parsing = _use_strict_email_parsing_impl()
+    return _cached_strict_addr_parsing
+
+
+def _use_strict_email_parsing_impl():
+    """Returns True if strict email parsing is not disabled by
+    config file or env variable.
+    """
+    disabled = bool(os.environ.get("PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"))
+    if disabled:
+        return False
+
+    try:
+        file = open(_EMAIL_CONFIG_FILE)
+    except FileNotFoundError:
+        pass
+    else:
+        with file:
+            import configparser
+            config = configparser.ConfigParser(
+                interpolation=None,
+                comment_prefixes=('#', ),
+
+            )
+            config.read_file(file)
+            disabled = config.getboolean('email_addr_parsing', "PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING", fallback=None)
+
+    if disabled:
+        return False
+
+    return True
+
+ 
+ def _has_surrogates(s):
+     """Return True if s contains surrogate-escaped binary data."""
+@@ -149,7 +189,7 @@ def _strip_quoted_realnames(addr):
+ 
+ supports_strict_parsing = True
+ 
+-def getaddresses(fieldvalues, *, strict=True):
+def getaddresses(fieldvalues, *, strict=None):
+     """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+ 
+     When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
+@@ -158,6 +198,11 @@ def getaddresses(fieldvalues, *, strict=True):
+     If strict is true, use a strict parser which rejects malformed inputs.
+     """
+ 
+    # If default is used, it's True unless disabled
+    # by env variable or config file.
+    if strict == None:
+        strict = _use_strict_email_parsing()
+
+     # If strict is true, if the resulting list of parsed addresses is greater
+     # than the number of fieldvalues in the input list, a parsing error has
+     # occurred and consequently a list containing a single empty 2-tuple [('',
+@@ -330,7 +375,7 @@ def parsedate_to_datetime(data):
+             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
+ 
+ 
+-def parseaddr(addr, *, strict=True):
+def parseaddr(addr, *, strict=None):
+     """
+     Parse addr into its constituent realname and email address parts.
+ 
+@@ -339,6 +384,11 @@ def parseaddr(addr, *, strict=True):
+ 
+     If strict is True, use a strict parser which rejects malformed inputs.
+     """
+    # If default is used, it's True unless disabled
+    # by env variable or config file.
+    if strict == None:
+        strict = _use_strict_email_parsing()
+
+     if not strict:
+         addrs = _AddressList(addr).addresslist
+         if not addrs:
+diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
+index ce36efc1b1..05ea201b68 100644
+--- a/Lib/test/test_email/test_email.py
+++ b/Lib/test/test_email/test_email.py
+@@ -7,6 +7,9 @@ import time
+ import base64
+ import unittest
+ import textwrap
+import contextlib
+import tempfile
+import os
+ 
+ from io import StringIO, BytesIO
+ from itertools import chain
+@@ -41,7 +44,7 @@ from email import iterators
+ from email import base64mime
+ from email import quoprimime
+ 
+-from test.support import unlink, start_threads
+from test.support import unlink, start_threads, EnvironmentVarGuard, swap_attr
+ from test.test_email import openfile, TestEmailBase
+ 
+ # These imports are documented to work, but we are testing them using a
+@@ -3313,6 +3316,73 @@ Foo
+         # Test email.utils.supports_strict_parsing attribute
+         self.assertEqual(email.utils.supports_strict_parsing, True)
+ 
+    def test_parsing_errors_strict_set_via_env_var(self):
+        address = 'alice@example.org )Alice('
+        empty = ('', '')
+
+        # Reset cached default value to make the function
+        # reload the config file provided below.
+        utils._cached_strict_addr_parsing = None
+
+        # Strict disabled via env variable, old behavior expected
+        with EnvironmentVarGuard() as environ:
+            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = "1"
+
+            self.assertEqual(utils.getaddresses([address]),
+                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
+            self.assertEqual(utils.parseaddr([address]), ('', address))
+
+        # Clear cache again
+        utils._cached_strict_addr_parsing = None
+
+        # Default strict=True, empty result expected
+        self.assertEqual(utils.getaddresses([address]), [empty])
+        self.assertEqual(utils.parseaddr([address]), empty)
+
+        # Clear cache again
+        utils._cached_strict_addr_parsing = None
+
+        # Empty string in env variable = strict parsing enabled (default)
+        with EnvironmentVarGuard() as environ:
+            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = ""
+
+            # Default strict=True, empty result expected
+            self.assertEqual(utils.getaddresses([address]), [empty])
+            self.assertEqual(utils.parseaddr([address]), empty)
+
+    @contextlib.contextmanager
+    def _email_strict_parsing_conf(self):
+        """Context for the given email strict parsing configured in config file"""
+        with tempfile.TemporaryDirectory() as tmpdirname:
+            filename = os.path.join(tmpdirname, 'conf.cfg')
+            with swap_attr(utils, "_EMAIL_CONFIG_FILE", filename):
+                with open(filename, 'w') as file:
+                    file.write('[email_addr_parsing]\n')
+                    file.write('PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true')
+                utils._EMAIL_CONFIG_FILE = filename
+                yield
+
+    def test_parsing_errors_strict_disabled_via_config_file(self):
+        address = 'alice@example.org )Alice('
+        empty = ('', '')
+
+        # Reset cached default value to make the function
+        # reload the config file provided below.
+        utils._cached_strict_addr_parsing = None
+
+        # Strict disabled via config file, old results expected
+        with self._email_strict_parsing_conf():
+            self.assertEqual(utils.getaddresses([address]),
+                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
+            self.assertEqual(utils.parseaddr([address]), ('', address))
+
+        # Clear cache again
+        utils._cached_strict_addr_parsing = None
+
+        # Default strict=True, empty result expected
+        self.assertEqual(utils.getaddresses([address]), [empty])
+        self.assertEqual(utils.parseaddr([address]), empty)
+
+     def test_getaddresses_nasty(self):
+         for addresses, expected in (
+             (['"Sürname, Firstname" <to@example.com>'],
+-- 
+2.43.0
+
--- a/python3.9.spec
+++ b/python3.9.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: Python


@ -409,6 +409,26 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch

+# 00414 #
+#
+# Skip test_pair() and test_speech128() of test_zlib on s390x since
+# they fail if zlib uses the s390x hardware accelerator.
+Patch414: 00414-skip_test_zlib_s390x.patch
+
+# 00415 #
+# [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
+#
+# Detect email address parsing errors and return empty tuple to
+# indicate the parsing error (old API). Add an optional 'strict'
+# parameter to getaddresses() and parseaddr() functions. Patch by
+# Thomas Dwyer.
+#
+# Upstream PR: https://github.com/python/cpython/pull/111116
+#
+# Second patch implements the possibility to restore the old behavior via
+# config file or environment variable.
+Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1810,6 +1830,14 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Wed Jan 24 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-3
+- Fix tests on s390x with hw acceleration
+Resolves: RHEL-13043
+
+* Thu Jan 04 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-2
+- Security fix for CVE-2023-27043
+Resolves: RHEL-20613
+
 * Thu Sep 07 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.18-1
 - Update to 3.9.18
 - Security fix for CVE-2023-40217
Author	SHA1	Message	Date
Lumir Balhar	1fe36ddab7	Fix tests on s390x with hw acceleration	2024-01-27 04:32:41 +00:00
Lumir Balhar	db33a5d3e7	Security fix for CVE-2023-27043 Resolves: RHEL-20613	2024-01-05 10:32:41 +01:00