From ddf314d2b9fe5928276c0e3bc95bc47174e3f9f6 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 2 Feb 2026 12:42:47 +0100 Subject: [PATCH] Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367, CVE-2026-1299 Resolves: RHEL-143063, RHEL-143120, RHEL-144860 --- 00473-cve-2026-0865.patch | 93 +++++++++++++++++++ 00474-cve-2025-15366.patch | 61 +++++++++++++ 00475-cve-2025-15367.patch | 61 +++++++++++++ 00476-cve-2026-1299.patch | 183 +++++++++++++++++++++++++++++++++++++ python3.spec | 50 +++++++++- 5 files changed, 447 insertions(+), 1 deletion(-) create mode 100644 00473-cve-2026-0865.patch create mode 100644 00474-cve-2025-15366.patch create mode 100644 00475-cve-2025-15367.patch create mode 100644 00476-cve-2026-1299.patch diff --git a/00473-cve-2026-0865.patch b/00473-cve-2026-0865.patch new file mode 100644 index 0000000..b776d2f --- /dev/null +++ b/00473-cve-2026-0865.patch @@ -0,0 +1,93 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Gregory P. Smith" <68491+gpshead@users.noreply.github.com> +Date: Tue, 20 Jan 2026 14:51:43 -0800 +Subject: 00473: CVE-2026-0865 + +gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) + +* Add 'test.support' fixture for C0 control characters +* gh-143916: Reject control characters in wsgiref.headers.Headers + +(cherry picked from commit 2f840249550e082dc351743f474ba56da10478d2) + +Co-authored-by: Seth Michael Larson +--- + Lib/test/support/__init__.py | 7 +++++++ + Lib/test/test_wsgiref.py | 11 +++++++++++ + Lib/wsgiref/headers.py | 3 +++ + .../2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst | 2 ++ + 4 files changed, 23 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst + +diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py +index da1f2ee719..7c260a3dfe 100644 +--- a/Lib/test/support/__init__.py ++++ b/Lib/test/support/__init__.py +@@ -2902,3 +2902,10 @@ def adjust_int_max_str_digits(max_digits): + yield + finally: + sys.set_int_max_str_digits(current) ++ ++ ++def control_characters_c0(): ++ """Returns a list of C0 control characters as strings. ++ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F. ++ """ ++ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"] +diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py +index 7708e20684..baac84d71c 100644 +--- a/Lib/test/test_wsgiref.py ++++ b/Lib/test/test_wsgiref.py +@@ -1,5 +1,6 @@ + from unittest import mock + from test import support ++from test.support import control_characters_c0 + from test.test_httpservers import NoLogRequestHandler + from unittest import TestCase + from wsgiref.util import setup_testing_defaults +@@ -517,6 +518,16 @@ class HeaderTests(TestCase): + '\r\n' + ) + ++ def testRaisesControlCharacters(self): ++ headers = Headers() ++ for c0 in control_characters_c0(): ++ self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val") ++ self.assertRaises(ValueError, headers.__setitem__, "key", f"val{c0}") ++ self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param") ++ self.assertRaises(ValueError, headers.add_header, "key", f"val{c0}", param="param") ++ self.assertRaises(ValueError, headers.add_header, "key", "val", param=f"param{c0}") ++ ++ + class ErrorHandler(BaseCGIHandler): + """Simple handler subclass for testing BaseHandler""" + +diff --git a/Lib/wsgiref/headers.py b/Lib/wsgiref/headers.py +index fab851c5a4..fd98e85d75 100644 +--- a/Lib/wsgiref/headers.py ++++ b/Lib/wsgiref/headers.py +@@ -9,6 +9,7 @@ written by Barry Warsaw. + # existence of which force quoting of the parameter value. + import re + tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]') ++_control_chars_re = re.compile(r'[\x00-\x1F\x7F]') + + def _formatparam(param, value=None, quote=1): + """Convenience function to format and return a key=value pair. +@@ -41,6 +42,8 @@ class Headers: + def _convert_string_type(self, value): + """Convert/check value type.""" + if type(value) is str: ++ if _control_chars_re.search(value): ++ raise ValueError("Control characters not allowed in headers") + return value + raise AssertionError("Header names/values must be" + " of type str (got {0})".format(repr(value))) +diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst +new file mode 100644 +index 0000000000..44bd0b2705 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst +@@ -0,0 +1,2 @@ ++Reject C0 control characters within wsgiref.headers.Headers fields, values, ++and parameters. diff --git a/00474-cve-2025-15366.patch b/00474-cve-2025-15366.patch new file mode 100644 index 0000000..5df2d50 --- /dev/null +++ b/00474-cve-2025-15366.patch @@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Tue, 20 Jan 2026 14:45:42 -0600 +Subject: 00474: CVE-2025-15366 + +gh-143921: Reject control characters in IMAP commands + +(cherry-picked from commit 6262704b134db2a4ba12e85ecfbd968534f28b45) +--- + Lib/imaplib.py | 4 +++- + Lib/test/test_imaplib.py | 6 ++++++ + .../Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst + +diff --git a/Lib/imaplib.py b/Lib/imaplib.py +index 67b2cc02c4..abd530e98b 100644 +--- a/Lib/imaplib.py ++++ b/Lib/imaplib.py +@@ -128,7 +128,7 @@ Untagged_status = re.compile( + # We compile these in _mode_xxx. + _Literal = br'.*{(?P\d+)}$' + _Untagged_status = br'\* (?P\d+) (?P[A-Z-]+)( (?P.*))?' +- ++_control_chars = re.compile(b'[\x00-\x1F\x7F]') + + + class IMAP4: +@@ -958,6 +958,8 @@ class IMAP4: + if arg is None: continue + if isinstance(arg, str): + arg = bytes(arg, self._encoding) ++ if _control_chars.search(arg): ++ raise ValueError("Control characters not allowed in commands") + data = data + b' ' + arg + + literal = self.literal +diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py +index 0593a3756b..ec95577e96 100644 +--- a/Lib/test/test_imaplib.py ++++ b/Lib/test/test_imaplib.py +@@ -462,6 +462,12 @@ class NewIMAPTestsMixin(): + self.assertEqual(data[0], b'LOGIN completed') + self.assertEqual(client.state, 'AUTH') + ++ def test_control_characters(self): ++ client, _ = self._setup(SimpleIMAPHandler) ++ for c0 in support.control_characters_c0(): ++ with self.assertRaises(ValueError): ++ client.login(f'user{c0}', 'pass') ++ + def test_logout(self): + client, _ = self._setup(SimpleIMAPHandler) + typ, data = client.login('user', 'pass') +diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst +new file mode 100644 +index 0000000000..4e13fe92bc +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst +@@ -0,0 +1 @@ ++Reject control characters in IMAP commands. diff --git a/00475-cve-2025-15367.patch b/00475-cve-2025-15367.patch new file mode 100644 index 0000000..eef47bc --- /dev/null +++ b/00475-cve-2025-15367.patch @@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Tue, 20 Jan 2026 14:46:32 -0600 +Subject: 00475: CVE-2025-15367 + +gh-143923: Reject control characters in POP3 commands + +(cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7) +--- + Lib/poplib.py | 2 ++ + Lib/test/test_poplib.py | 8 ++++++++ + .../2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 + + 3 files changed, 11 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst + +diff --git a/Lib/poplib.py b/Lib/poplib.py +index 9796f0d2f9..64690628fe 100644 +--- a/Lib/poplib.py ++++ b/Lib/poplib.py +@@ -117,6 +117,8 @@ class POP3: + def _putcmd(self, line): + if self._debugging: print('*cmd*', repr(line)) + line = bytes(line, self.encoding) ++ if re.search(b'[\x00-\x1F\x7F]', line): ++ raise ValueError('Control characters not allowed in commands') + self._putline(line) + + +diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py +index 234c855545..18b8c191ab 100644 +--- a/Lib/test/test_poplib.py ++++ b/Lib/test/test_poplib.py +@@ -12,6 +12,7 @@ import errno + + from unittest import TestCase, skipUnless + from test import support as test_support ++from test.support import control_characters_c0 + threading = test_support.import_module('threading') + + HOST = test_support.HOST +@@ -349,6 +350,13 @@ class TestPOP3Class(TestCase): + self.assertIsNone(self.client.sock) + self.assertIsNone(self.client.file) + ++ def test_control_characters(self): ++ for c0 in control_characters_c0(): ++ with self.assertRaises(ValueError): ++ self.client.user(f'user{c0}') ++ with self.assertRaises(ValueError): ++ self.client.pass_(f'{c0}pass') ++ + @requires_ssl + def test_stls_capa(self): + capa = self.client.capa() +diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst +new file mode 100644 +index 0000000000..3cde4df3e0 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst +@@ -0,0 +1 @@ ++Reject control characters in POP3 commands. diff --git a/00476-cve-2026-1299.patch b/00476-cve-2026-1299.patch new file mode 100644 index 0000000..79ab955 --- /dev/null +++ b/00476-cve-2026-1299.patch @@ -0,0 +1,183 @@ +From c5cf3f478ef5dc435cc53c49e4e59a4819032265 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Mon, 2 Feb 2026 12:39:40 +0100 +Subject: [PATCH] 00476: CVE-2026-1299 + +gh-144125: email: verify headers are sound in BytesGenerator + +(cherry picked from commit 8cdf6204f4ae821f32993f8fc6bad0d318f95f36) + +Co-authored-by: Seth Michael Larson +Co-authored-by: Denis Ledoux +Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com> +Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com> +Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com> + +The fix for the CVE uncovered a known issue in handling +policy.linesep lengths fixed by: + +bpo-34424: Handle different policy.linesep lengths correctly. (#8803) + +(cherry-picked from commit 45b2f8893c1b7ab3b3981a966f82e42beea82106) + +Co-authored-by: Jens Troeger +--- + Lib/email/_header_value_parser.py | 2 +- + Lib/email/generator.py | 15 ++++++++++- + Lib/test/test_email/test_generator.py | 26 ++++++++++++++++++- + Lib/test/test_email/test_policy.py | 6 ++++- + .../2018-08-18-14-47-00.bpo-34424.wAlRuS.rst | 2 ++ + ...-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 +++ + 6 files changed, 51 insertions(+), 4 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2018-08-18-14-47-00.bpo-34424.wAlRuS.rst + create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst + +diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py +index dab4cbb..541c297 100644 +--- a/Lib/email/_header_value_parser.py ++++ b/Lib/email/_header_value_parser.py +@@ -2638,7 +2638,7 @@ def _refold_parse_tree(parse_tree, *, policy): + want_encoding = False + last_ew = None + if part.syntactic_break: +- encoded_part = part.fold(policy=policy)[:-1] # strip nl ++ encoded_part = part.fold(policy=policy)[:-len(policy.linesep)] + if policy.linesep not in encoded_part: + # It fits on a single line + if len(encoded_part) > maxlen - len(lines[-1]): +diff --git a/Lib/email/generator.py b/Lib/email/generator.py +index 6deb95b..6b08d84 100644 +--- a/Lib/email/generator.py ++++ b/Lib/email/generator.py +@@ -22,6 +22,7 @@ NL = '\n' # XXX: no longer used by the code below. + NLCRE = re.compile(r'\r\n|\r|\n') + fcre = re.compile(r'^From ', re.MULTILINE) + NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') ++NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') + + + +@@ -429,7 +430,19 @@ class BytesGenerator(Generator): + # This is almost the same as the string version, except for handling + # strings with 8bit bytes. + for h, v in msg.raw_items(): +- self._fp.write(self.policy.fold_binary(h, v)) ++ folded = self.policy.fold_binary(h, v) ++ if self.policy.verify_generated_headers: ++ linesep = self.policy.linesep.encode() ++ if not folded.endswith(linesep): ++ raise HeaderWriteError( ++ f'folded header does not end with {linesep!r}: {folded!r}') ++ folded_no_linesep = folded ++ if folded.endswith(linesep): ++ folded_no_linesep = folded[:-len(linesep)] ++ if NEWLINE_WITHOUT_FWSP_BYTES.search(folded_no_linesep): ++ raise HeaderWriteError( ++ f'folded header contains newline: {folded!r}') ++ self._fp.write(folded) + # A blank line always separates headers from body + self.write(self._NL) + +diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py +index cdf1075..23adb06 100644 +--- a/Lib/test/test_email/test_generator.py ++++ b/Lib/test/test_email/test_generator.py +@@ -4,6 +4,7 @@ import unittest + from email import message_from_string, message_from_bytes + from email.message import EmailMessage + from email.generator import Generator, BytesGenerator ++from email.headerregistry import Address + from email import policy + import email.errors + from test.test_email import TestEmailBase, parameterize +@@ -263,7 +264,7 @@ class TestGenerator(TestGeneratorBase, TestEmailBase): + typ = str + + def test_verify_generated_headers(self): +- """gh-121650: by default the generator prevents header injection""" ++ # gh-121650: by default the generator prevents header injection + class LiteralHeader(str): + name = 'Header' + def fold(self, **kwargs): +@@ -284,6 +285,8 @@ class TestGenerator(TestGeneratorBase, TestEmailBase): + + with self.assertRaises(email.errors.HeaderWriteError): + message.as_string() ++ with self.assertRaises(email.errors.HeaderWriteError): ++ message.as_bytes() + + + class TestBytesGenerator(TestGeneratorBase, TestEmailBase): +@@ -353,6 +356,27 @@ class TestBytesGenerator(TestGeneratorBase, TestEmailBase): + g.flatten(msg) + self.assertEqual(s.getvalue(), expected) + ++ def test_smtp_policy(self): ++ msg = EmailMessage() ++ msg["From"] = Address(addr_spec="foo@bar.com", display_name="Páolo") ++ msg["To"] = Address(addr_spec="bar@foo.com", display_name="Dinsdale") ++ msg["Subject"] = "Nudge nudge, wink, wink" ++ msg.set_content("oh boy, know what I mean, know what I mean?") ++ expected = textwrap.dedent("""\ ++ From: =?utf-8?q?P=C3=A1olo?= ++ To: Dinsdale ++ Subject: Nudge nudge, wink, wink ++ Content-Type: text/plain; charset="utf-8" ++ Content-Transfer-Encoding: 7bit ++ MIME-Version: 1.0 ++ ++ oh boy, know what I mean, know what I mean? ++ """).encode().replace(b"\n", b"\r\n") ++ s = io.BytesIO() ++ g = BytesGenerator(s, policy=policy.SMTP) ++ g.flatten(msg) ++ self.assertEqual(s.getvalue(), expected) ++ + + if __name__ == '__main__': + unittest.main() +diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py +index 6793422..f56236f 100644 +--- a/Lib/test/test_email/test_policy.py ++++ b/Lib/test/test_email/test_policy.py +@@ -239,7 +239,7 @@ class PolicyAPITests(unittest.TestCase): + self.assertEqual(newpolicy.__dict__, {'raise_on_defect': True}) + + def test_verify_generated_headers(self): +- """Turning protection off allows header injection""" ++ # Turning protection off allows header injection + policy = email.policy.default.clone(verify_generated_headers=False) + for text in ( + 'Header: Value\r\nBad: Injection\r\n', +@@ -262,6 +262,10 @@ class PolicyAPITests(unittest.TestCase): + message.as_string(), + f"{text}\nBody", + ) ++ self.assertEqual( ++ message.as_bytes(), ++ f"{text}\nBody".encode(), ++ ) + + # XXX: Need subclassing tests. + # For adding subclassed objects, make sure the usual rules apply (subclass +diff --git a/Misc/NEWS.d/next/Library/2018-08-18-14-47-00.bpo-34424.wAlRuS.rst b/Misc/NEWS.d/next/Library/2018-08-18-14-47-00.bpo-34424.wAlRuS.rst +new file mode 100644 +index 0000000..2b384cd +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2018-08-18-14-47-00.bpo-34424.wAlRuS.rst +@@ -0,0 +1,2 @@ ++Fix serialization of messages containing encoded strings when the ++policy.linesep is set to a multi-character string. Patch by Jens Troeger. +diff --git a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst +new file mode 100644 +index 0000000..e6333e7 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst +@@ -0,0 +1,4 @@ ++:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers ++that are unsafely folded or delimited; see ++:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas ++Bloemsaat and Petr Viktorin in :gh:`121650`). +-- +2.52.0 + diff --git a/python3.spec b/python3.spec index 2e44a34..23b6bfe 100644 --- a/python3.spec +++ b/python3.spec @@ -14,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 72%{?dist} +Release: 73%{?dist} License: Python @@ -948,6 +948,46 @@ Patch467: 00467-tarfile-cve-2025-8194.patch # * gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794) Patch471: 00471-cve-2025-12084.patch +# 00473 # +# CVE-2026-0865 +# +# gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) +# +# * Add 'test.support' fixture for C0 control characters +# * gh-143916: Reject control characters in wsgiref.headers.Headers +Patch473: 00473-cve-2026-0865.patch + +# 00474 # +# CVE-2025-15366 +# +# gh-143921: Reject control characters in IMAP commands +# +# (cherry-picked from commit 6262704b134db2a4ba12e85ecfbd968534f28b45) +Patch474: 00474-cve-2025-15366.patch + +# 00475 # +# CVE-2025-15367 +# +# gh-143923: Reject control characters in POP3 commands +# +# (cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7) +Patch475: 00475-cve-2025-15367.patch + +# 00476 # +# CVE-2026-1299 +# +# gh-144125: email: verify headers are sound in BytesGenerator +# +# +# +# The fix for the CVE uncovered a known issue in handling +# policy.linesep lengths fixed by: +# +# bpo-34424: Handle different policy.linesep lengths correctly. (#8803) +# +# (cherry-picked from commit 45b2f8893c1b7ab3b3981a966f82e42beea82106) +Patch476: 00476-cve-2026-1299.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1320,6 +1360,10 @@ GIT_DIR=$PWD git apply %{PATCH351} %patch465 -p1 %patch467 -p1 %patch471 -p1 +%patch473 -p1 +%patch474 -p1 +%patch475 -p1 +%patch476 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -2251,6 +2295,10 @@ fi # ====================================================== %changelog +* Thu Jan 29 2026 Lumír Balhar - 3.6.8-73 +- Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367, CVE-2026-1299 +Resolves: RHEL-143063, RHEL-143120, RHEL-144860 + * Tue Jan 06 2026 Lumír Balhar - 3.6.8-72 - Security fix for CVE-2025-12084 Resolves: RHEL-135911