Page Menu
Home
FreeBSD
Search
Configure Global Search
Log In
Files
F162949931
D57718.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Flag For Later
Award Token
Size
4 KB
Referenced Files
None
Subscribers
None
D57718.diff
View Options
Index: lang/python314/Makefile
===================================================================
--- lang/python314/Makefile
+++ lang/python314/Makefile
@@ -1,5 +1,6 @@
PORTNAME= python
DISTVERSION= ${PYTHON_DISTVERSION}
+PORTREVISION= 1
CATEGORIES= lang python
MASTER_SITES= PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//}
PKGNAMESUFFIX= ${PYTHON_BASESUFFIX}${THREADFLAG}
Index: lang/python314/files/patch-CVE-2025-15366
===================================================================
--- /dev/null
+++ lang/python314/files/patch-CVE-2025-15366
@@ -0,0 +1,39 @@
+--- Lib/imaplib.py.orig
++++ Lib/imaplib.py
+@@ -131,7 +131,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+
+
+ class IMAP4:
+@@ -1108,6 +1108,8 @@ def _command(self, name, *args):
+ if arg is None: continue
+ if isinstance(arg, str):
+ arg = bytes(arg, self._encoding)
++ if _control_chars.search(arg):
++ raise ValueError("Control characters not allowed in commands")
+ data = data + b' ' + arg
+
+ literal = self.literal
+--- Lib/test/test_imaplib.py.orig
++++ Lib/test/test_imaplib.py
+@@ -673,6 +673,12 @@ def test_unselect(self):
+ self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
+ self.assertEqual(client.state, 'AUTH')
+
++ def test_control_characters(self):
++ client, _ = self._setup(SimpleIMAPHandler)
++ for c0 in support.control_characters_c0():
++ with self.assertRaises(ValueError):
++ client.login(f'user{c0}', 'pass')
++
+ # property tests
+
+ def test_file_property_should_not_be_accessed(self):
+--- /dev/null
++++ Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+@@ -0,0 +1 @@
++Reject control characters in IMAP commands.
Index: lang/python314/files/patch-CVE-2025-15367
===================================================================
--- /dev/null
+++ lang/python314/files/patch-CVE-2025-15367
@@ -0,0 +1,41 @@
+--- Lib/poplib.py.orig
++++ Lib/poplib.py
+@@ -122,6 +122,8 @@ def _putline(self, line):
+ def _putcmd(self, line):
+ if self._debugging: print('*cmd*', repr(line))
+ line = bytes(line, self.encoding)
++ if re.search(b'[\x00-\x1F\x7F]', line):
++ raise ValueError('Control characters not allowed in commands')
+ self._putline(line)
+
+
+diff --git Lib/test/test_poplib.py Lib/test/test_poplib.py
+index ef2da97f867..18ca7cb5568 100644
+--- Lib/test/test_poplib.py.orig
++++ Lib/test/test_poplib.py
+@@ -17,6 +17,7 @@
+ from test.support import threading_helper
+ from test.support import asynchat
+ from test.support import asyncore
++from test.support import control_characters_c0
+
+
+ test_support.requires_working_socket(module=True)
+@@ -395,6 +396,13 @@ def test_quit(self):
+ self.assertIsNone(self.client.sock)
+ self.assertIsNone(self.client.file)
+
++ def test_control_characters(self):
++ for c0 in control_characters_c0():
++ with self.assertRaises(ValueError):
++ self.client.user(f'user{c0}')
++ with self.assertRaises(ValueError):
++ self.client.pass_(f'{c0}pass')
++
+ @requires_ssl
+ def test_stls_capa(self):
+ capa = self.client.capa()
+--- /dev/null
++++ Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+@@ -0,0 +1 @@
++Reject control characters in POP3 commands.
Index: security/vuxml/vuln/2026.xml
===================================================================
--- security/vuxml/vuln/2026.xml
+++ security/vuxml/vuln/2026.xml
@@ -9144,8 +9144,8 @@
<package><name>python312</name> <range><ge>0</ge></range></package>
<package><name>python313</name> <range><lt>3.13.14_1</lt></range></package>
<package><name>python313t</name> <range><lt>3.13.14_1</lt></range></package>
- <package><name>python314</name> <range><ge>0</ge></range></package>
- <package><name>python314t</name> <range><ge>0</ge></range></package>
+ <package><name>python314</name> <range><lt>3.14.6_1</lt></range></package>
+ <package><name>python314t</name> <range><lt>3.14.6_1</lt></range></package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -9176,8 +9176,8 @@
<package><name>python312</name> <range><ge>0</ge></range></package>
<package><name>python313</name> <range><lt>3.13.14_1</lt></range></package>
<package><name>python313t</name> <range><lt>3.13.14_1</lt></range></package>
- <package><name>python314</name> <range><ge>0</ge></range></package>
- <package><name>python314t</name> <range><ge>0</ge></range></package>
+ <package><name>python314</name> <range><lt>3.14.6_1</lt></range></package>
+ <package><name>python314t</name> <range><lt>3.14.6_1</lt></range></package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Sun, Jul 19, 3:16 PM (6 h, 43 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
35237944
Default Alt Text
D57718.diff (4 KB)
Attached To
Mode
D57718: lang/python314: Backport two security fixes
Attached
Detach File
Event Timeline
Log In to Comment