

D57717.id180201.diff

Index: lang/python313/Makefile
===================================================================
--- lang/python313/Makefile
+++ lang/python313/Makefile
@@ -1,5 +1,6 @@
PORTNAME= python
DISTVERSION= ${PYTHON_DISTVERSION}
+PORTREVISION= 1
CATEGORIES= lang python
MASTER_SITES= PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//}
PKGNAMESUFFIX= ${PYTHON_BASESUFFIX}${THREADFLAG}
Index: lang/python313/files/patch-CVE-2025-15366
===================================================================
--- /dev/null
+++ lang/python313/files/patch-CVE-2025-15366
@@ -0,0 +1,39 @@
+--- Lib/imaplib.py.orig
++++ Lib/imaplib.py
+@@ -132,7 +132,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+
+
+ class IMAP4:
+@@ -1000,6 +1000,8 @@ def _command(self, name, *args):
+ if arg is None: continue
+ if isinstance(arg, str):
+ arg = bytes(arg, self._encoding)
++ if _control_chars.search(arg):
++ raise ValueError("Control characters not allowed in commands")
+ data = data + b' ' + arg
+
+ literal = self.literal
+--- Lib/test/test_imaplib.py.orig
++++ Lib/test/test_imaplib.py
+@@ -558,6 +558,12 @@ def test_unselect(self):
+ self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
+ self.assertEqual(client.state, 'AUTH')
+
++ def test_control_characters(self):
++ client, _ = self._setup(SimpleIMAPHandler)
++ for c0 in support.control_characters_c0():
++ with self.assertRaises(ValueError):
++ client.login(f'user{c0}', 'pass')
++
+
+ class NewIMAPTests(NewIMAPTestsMixin, unittest.TestCase):
+ imap_class = imaplib.IMAP4
+--- /dev/null
++++ Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+@@ -0,0 +1 @@
++Reject control characters in IMAP commands.
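Review bot: The new guard in `_command` raises `ValueError` rather than `IMAP4.error`, so a caller that wraps `login()` or a mailbox operation in `except imaplib.IMAP4.error` will see this exception propagate when a user-supplied string contains CR, LF, tab or another control byte. The check sits where each argument is appended to the command line, but `_command` starts and ends outside the hunk, so whether the command `name` goes through the same filter cannot be confirmed from here. A short comment above the check would record the intent, e.g. `# reject CR/LF and other control bytes so one argument cannot become a second command line`. The added test covers only the `login` user name; a second assertion such as `client.login('user', f'pass{c0}')` would cover the password argument too.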
Index: lang/python313/files/patch-CVE-2025-15367
===================================================================
--- /dev/null
+++ lang/python313/files/patch-CVE-2025-15367
@@ -0,0 +1,39 @@
+--- Lib/poplib.py.orig
++++ Lib/poplib.py
+@@ -122,6 +122,8 @@ def _putline(self, line):
+ def _putcmd(self, line):
+ if self._debugging: print('*cmd*', repr(line))
+ line = bytes(line, self.encoding)
++ if re.search(b'[\x00-\x1F\x7F]', line):
++ raise ValueError('Control characters not allowed in commands')
+ self._putline(line)
+
+
+--- Lib/test/test_poplib.py.orig
++++ Lib/test/test_poplib.py
+@@ -17,6 +17,7 @@
+ from test.support import threading_helper
+ from test.support import asynchat
+ from test.support import asyncore
++from test.support import control_characters_c0
+ from test.support.testcase import ExtraAssertions
+
+
+@@ -396,6 +397,13 @@ def test_quit(self):
+ self.assertIsNone(self.client.sock)
+ self.assertIsNone(self.client.file)
+
++ def test_control_characters(self):
++ for c0 in control_characters_c0():
++ with self.assertRaises(ValueError):
++ self.client.user(f'user{c0}')
++ with self.assertRaises(ValueError):
++ self.client.pass_(f'{c0}pass')
++
+ @requires_ssl
+ def test_stls_capa(self):
+ capa = self.client.capa()
+--- /dev/null
++++ Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+@@ -0,0 +1 @@
++Reject control characters in POP3 commands.
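Review bot: `_putcmd` passes the pattern as a literal to `re.search` on every call, while the imaplib patch in this same revision uses a module-level compiled `_control_chars`; the two checks would be easier to keep in step if poplib defined `_control_chars = re.compile(b'[\x00-\x1F\x7F]')` once and used `if _control_chars.search(line):` here. The hunk adds no `import re`, so it relies on poplib.py already importing the module, which is not visible on this page. As in the imaplib change, the error is a `ValueError` and not `poplib.error_proto`, so applications that catch only `error_proto` around `user()` or `pass_()` will need to handle the new exception type. The check runs after the debug `print`, so with debugging enabled a rejected line is still echoed through `repr()` before the exception is raised.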
Index: security/vuxml/vuln/2026.xml
===================================================================
--- security/vuxml/vuln/2026.xml
+++ security/vuxml/vuln/2026.xml
@@ -9142,8 +9142,8 @@
<package><name>python310</name> <range><ge>0</ge></range></package>
<package><name>python311</name> <range><ge>0</ge></range></package>
<package><name>python312</name> <range><ge>0</ge></range></package>
- <package><name>python313</name> <range><ge>0</ge></range></package>
- <package><name>python313t</name> <range><ge>0</ge></range></package>
+ <package><name>python313</name> <range><lt>3.13.14_1</lt></range></package>
+ <package><name>python313t</name> <range><lt>3.13.14_1</lt></range></package>
<package><name>python314</name> <range><ge>0</ge></range></package>
<package><name>python314t</name> <range><ge>0</ge></range></package>
</affects>
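Review bot: Both hunks change an entry's affected ranges, but the diff for 2026.xml touches neither entry's `<dates>` block; an edited VuXML entry normally gets a `<modified>` date so that consumers can tell the entry changed. The same applies to the second hunk at `@@ -9174,8`. The bound `3.13.14_1` assumes `PYTHON_DISTVERSION` currently resolves to 3.13.14, which is not shown on this page, so it should be checked against the `PORTREVISION= 1` bump in lang/python313/Makefile. The entries these hunks belong to start and end outside the hunks, so which advisory each range applies to cannot be verified from here.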
@@ -9174,8 +9174,8 @@
<package><name>python310</name> <range><ge>0</ge></range></package>
<package><name>python311</name> <range><ge>0</ge></range></package>
<package><name>python312</name> <range><ge>0</ge></range></package>
- <package><name>python313</name> <range><ge>0</ge></range></package>
- <package><name>python313t</name> <range><ge>0</ge></range></package>
+ <package><name>python313</name> <range><lt>3.13.14_1</lt></range></package>
+ <package><name>python313t</name> <range><lt>3.13.14_1</lt></range></package>
<package><name>python314</name> <range><ge>0</ge></range></package>
<package><name>python314t</name> <range><ge>0</ge></range></package>
</affects>
