rpms/python3
7
0
Fork 0
Code Issues Pull Requests Releases Activity
ddf314d2b9
python3/00475-cve-2025-15367.patch
Lumir Balhar ddf314d2b9 Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367, CVE-2026-1299 
Resolves: RHEL-143063, RHEL-143120, RHEL-144860
2026-02-02 12:42:47 +01:00

62 lines
2.3 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Tue, 20 Jan 2026 14:46:32 -0600
Subject: 00475: CVE-2025-15367
gh-143923: Reject control characters in POP3 commands
(cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7)
---
Lib/poplib.py | 2 ++
Lib/test/test_poplib.py | 8 ++++++++
.../2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 +
3 files changed, 11 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
diff --git a/Lib/poplib.py b/Lib/poplib.py
index 9796f0d2f9..64690628fe 100644
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -117,6 +117,8 @@ class POP3:
def _putcmd(self, line):
if self._debugging: print('*cmd*', repr(line))
line = bytes(line, self.encoding)
+ if re.search(b'[\x00-\x1F\x7F]', line):
+ raise ValueError('Control characters not allowed in commands')
self._putline(line)
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
index 234c855545..18b8c191ab 100644
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -12,6 +12,7 @@ import errno
from unittest import TestCase, skipUnless
from test import support as test_support
+from test.support import control_characters_c0
threading = test_support.import_module('threading')
HOST = test_support.HOST
@@ -349,6 +350,13 @@ class TestPOP3Class(TestCase):
self.assertIsNone(self.client.sock)
self.assertIsNone(self.client.file)
+ def test_control_characters(self):
+ for c0 in control_characters_c0():
+ with self.assertRaises(ValueError):
+ self.client.user(f'user{c0}')
+ with self.assertRaises(ValueError):
+ self.client.pass_(f'{c0}pass')
+
@requires_ssl
def test_stls_capa(self):
capa = self.client.capa()
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
new file mode 100644
index 0000000000..3cde4df3e0
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
@@ -0,0 +1 @@
+Reject control characters in POP3 commands.
Reference in New Issue View Git Blame Copy Permalink