Page MenuHomeFreeBSD

D57718.diff
No OneTemporary

D57718.diff

Index: lang/python314/Makefile
===================================================================
--- lang/python314/Makefile
+++ lang/python314/Makefile
@@ -1,5 +1,6 @@
PORTNAME= python
DISTVERSION= ${PYTHON_DISTVERSION}
+PORTREVISION= 1
CATEGORIES= lang python
MASTER_SITES= PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//}
PKGNAMESUFFIX= ${PYTHON_BASESUFFIX}${THREADFLAG}
Index: lang/python314/files/patch-CVE-2025-15366
===================================================================
--- /dev/null
+++ lang/python314/files/patch-CVE-2025-15366
@@ -0,0 +1,39 @@
+--- Lib/imaplib.py.orig
++++ Lib/imaplib.py
+@@ -131,7 +131,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+
+
+ class IMAP4:
+@@ -1108,6 +1108,8 @@ def _command(self, name, *args):
+ if arg is None: continue
+ if isinstance(arg, str):
+ arg = bytes(arg, self._encoding)
++ if _control_chars.search(arg):
++ raise ValueError("Control characters not allowed in commands")
+ data = data + b' ' + arg
+
+ literal = self.literal
+--- Lib/test/test_imaplib.py.orig
++++ Lib/test/test_imaplib.py
+@@ -673,6 +673,12 @@ def test_unselect(self):
+ self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
+ self.assertEqual(client.state, 'AUTH')
+
++ def test_control_characters(self):
++ client, _ = self._setup(SimpleIMAPHandler)
++ for c0 in support.control_characters_c0():
++ with self.assertRaises(ValueError):
++ client.login(f'user{c0}', 'pass')
++
+ # property tests
+
+ def test_file_property_should_not_be_accessed(self):
+--- /dev/null
++++ Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+@@ -0,0 +1 @@
++Reject control characters in IMAP commands.
Index: lang/python314/files/patch-CVE-2025-15367
===================================================================
--- /dev/null
+++ lang/python314/files/patch-CVE-2025-15367
@@ -0,0 +1,41 @@
+--- Lib/poplib.py.orig
++++ Lib/poplib.py
+@@ -122,6 +122,8 @@ def _putline(self, line):
+ def _putcmd(self, line):
+ if self._debugging: print('*cmd*', repr(line))
+ line = bytes(line, self.encoding)
++ if re.search(b'[\x00-\x1F\x7F]', line):
++ raise ValueError('Control characters not allowed in commands')
+ self._putline(line)
+
+
+diff --git Lib/test/test_poplib.py Lib/test/test_poplib.py
+index ef2da97f867..18ca7cb5568 100644
+--- Lib/test/test_poplib.py.orig
++++ Lib/test/test_poplib.py
+@@ -17,6 +17,7 @@
+ from test.support import threading_helper
+ from test.support import asynchat
+ from test.support import asyncore
++from test.support import control_characters_c0
+
+
+ test_support.requires_working_socket(module=True)
+@@ -395,6 +396,13 @@ def test_quit(self):
+ self.assertIsNone(self.client.sock)
+ self.assertIsNone(self.client.file)
+
++ def test_control_characters(self):
++ for c0 in control_characters_c0():
++ with self.assertRaises(ValueError):
++ self.client.user(f'user{c0}')
++ with self.assertRaises(ValueError):
++ self.client.pass_(f'{c0}pass')
++
+ @requires_ssl
+ def test_stls_capa(self):
+ capa = self.client.capa()
+--- /dev/null
++++ Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+@@ -0,0 +1 @@
++Reject control characters in POP3 commands.
Index: security/vuxml/vuln/2026.xml
===================================================================
--- security/vuxml/vuln/2026.xml
+++ security/vuxml/vuln/2026.xml
@@ -9144,8 +9144,8 @@
<package><name>python312</name> <range><ge>0</ge></range></package>
<package><name>python313</name> <range><lt>3.13.14_1</lt></range></package>
<package><name>python313t</name> <range><lt>3.13.14_1</lt></range></package>
- <package><name>python314</name> <range><ge>0</ge></range></package>
- <package><name>python314t</name> <range><ge>0</ge></range></package>
+ <package><name>python314</name> <range><lt>3.14.6_1</lt></range></package>
+ <package><name>python314t</name> <range><lt>3.14.6_1</lt></range></package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -9176,8 +9176,8 @@
<package><name>python312</name> <range><ge>0</ge></range></package>
<package><name>python313</name> <range><lt>3.13.14_1</lt></range></package>
<package><name>python313t</name> <range><lt>3.13.14_1</lt></range></package>
- <package><name>python314</name> <range><ge>0</ge></range></package>
- <package><name>python314t</name> <range><ge>0</ge></range></package>
+ <package><name>python314</name> <range><lt>3.14.6_1</lt></range></package>
+ <package><name>python314t</name> <range><lt>3.14.6_1</lt></range></package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">

File Metadata

Mime Type
text/plain
Expires
Sun, Jul 19, 3:16 PM (6 h, 43 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
35237944
Default Alt Text
D57718.diff (4 KB)

Event Timeline