[AutoPR- Security] Patch python3 for CVE-2026-1299, CVE-2026-0672 [MEDIUM] (#15600)

azurelinux-security · Kanishk-Bansal · web-flow · commit 37c61594feb9 · 2026-01-30T15:53:13.000+05:30
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/python3/CVE-2026-0672.patch b/SPECS/python3/CVE-2026-0672.patch
@@ -0,0 +1,189 @@
+From a86828435272a1f33327aff7931b14b44026ca6f Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 20 Jan 2026 15:23:42 -0600
+Subject: [PATCH] gh-143919: Reject control characters in http cookies (cherry
+ picked from commit 95746b3a13a985787ef53b977129041971ed7f70)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Bartosz Sławecki <bartosz@ilikepython.com>
+Co-authored-by: sobolevn <mail@sobolevn.me>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/python/cpython/pull/144094.patch
+---
+ Doc/library/http.cookies.rst                  |  4 +-
+ Lib/http/cookies.py                           | 25 +++++++--
+ Lib/test/test_http_cookies.py                 | 52 +++++++++++++++++--
+ ...-01-16-11-13-15.gh-issue-143919.kchwZV.rst |  1 +
+ 4 files changed, 73 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
+
+diff --git a/Doc/library/http.cookies.rst b/Doc/library/http.cookies.rst
+index 17792b2..07c1a68 100644
+--- a/Doc/library/http.cookies.rst
++++ b/Doc/library/http.cookies.rst
+@@ -270,9 +270,9 @@ The following example demonstrates how to use the :mod:`http.cookies` module.
+    Set-Cookie: chips=ahoy
+    Set-Cookie: vienna=finger
+    >>> C = cookies.SimpleCookie()
+-   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
++   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
+    >>> print(C)
+-   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
++   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
+    >>> C = cookies.SimpleCookie()
+    >>> C["oreo"] = "doublestuff"
+    >>> C["oreo"]["path"] = "/"
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index 2c1f021..5cfa7a8 100644
+--- a/Lib/http/cookies.py
++++ b/Lib/http/cookies.py
+@@ -87,9 +87,9 @@ within a string.  Escaped quotation marks, nested semicolons, and other
+ such trickeries do not confuse it.
+ 
+    >>> C = cookies.SimpleCookie()
+-   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
++   >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
+    >>> print(C)
+-   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
++   Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
+ 
+ Each element of the Cookie also supports all of the RFC 2109
+ Cookie attributes.  Here's an example which sets the Path
+@@ -170,6 +170,15 @@ _Translator.update({
+ })
+ 
+ _is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch
++_control_character_re = re.compile(r'[\x00-\x1F\x7F]')
++
++
++def _has_control_character(*val):
++    """Detects control characters within a value.
++    Supports any type, as header values can be any type.
++    """
++    return any(_control_character_re.search(str(v)) for v in val)
++
+ 
+ def _quote(str):
+     r"""Quote a string for use in a cookie header.
+@@ -292,12 +301,16 @@ class Morsel(dict):
+         K = K.lower()
+         if not K in self._reserved:
+             raise CookieError("Invalid attribute %r" % (K,))
++        if _has_control_character(K, V):
++            raise CookieError(f"Control characters are not allowed in cookies {K!r} {V!r}")
+         dict.__setitem__(self, K, V)
+ 
+     def setdefault(self, key, val=None):
+         key = key.lower()
+         if key not in self._reserved:
+             raise CookieError("Invalid attribute %r" % (key,))
++        if _has_control_character(key, val):
++            raise CookieError("Control characters are not allowed in cookies %r %r" % (key, val,))
+         return dict.setdefault(self, key, val)
+ 
+     def __eq__(self, morsel):
+@@ -333,6 +346,9 @@ class Morsel(dict):
+             raise CookieError('Attempt to set a reserved key %r' % (key,))
+         if not _is_legal_key(key):
+             raise CookieError('Illegal key %r' % (key,))
++        if _has_control_character(key, val, coded_val):
++            raise CookieError(
++                "Control characters are not allowed in cookies %r %r %r" % (key, val, coded_val,))
+ 
+         # It's a good key, so save it.
+         self._key = key
+@@ -484,7 +500,10 @@ class BaseCookie(dict):
+         result = []
+         items = sorted(self.items())
+         for key, value in items:
+-            result.append(value.output(attrs, header))
++            value_output = value.output(attrs, header)
++            if _has_control_character(value_output):
++                raise CookieError("Control characters are not allowed in cookies")
++            result.append(value_output)
+         return sep.join(result)
+ 
+     __str__ = output
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index 644e75c..1f2c049 100644
+--- a/Lib/test/test_http_cookies.py
++++ b/Lib/test/test_http_cookies.py
+@@ -17,10 +17,10 @@ class CookieTests(unittest.TestCase):
+              'repr': "<SimpleCookie: chips='ahoy' vienna='finger'>",
+              'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'},
+ 
+-            {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"',
+-             'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=\012;'},
+-             'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=\\n;'>''',
+-             'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'},
++            {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=;"',
++             'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=;'},
++             'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=;'>''',
++             'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=;"'},
+ 
+             # Check illegal cookies that have an '=' char in an unquoted value
+             {'data': 'keebler=E=mc2',
+@@ -517,6 +517,50 @@ class MorselTests(unittest.TestCase):
+                 r'Set-Cookie: key=coded_val; '
+                 r'expires=\w+, \d+ \w+ \d+ \d+:\d+:\d+ \w+')
+ 
++    def test_control_characters(self):
++        for c0 in support.control_characters_c0():
++            morsel = cookies.Morsel()
++
++            # .__setitem__()
++            with self.assertRaises(cookies.CookieError):
++                morsel[c0] = "val"
++            with self.assertRaises(cookies.CookieError):
++                morsel["path"] = c0
++
++            # .setdefault()
++            with self.assertRaises(cookies.CookieError):
++                morsel.setdefault("path", c0)
++            with self.assertRaises(cookies.CookieError):
++                morsel.setdefault(c0, "val")
++
++            # .set()
++            with self.assertRaises(cookies.CookieError):
++                morsel.set(c0, "val", "coded-value")
++            with self.assertRaises(cookies.CookieError):
++                morsel.set("path", c0, "coded-value")
++            with self.assertRaises(cookies.CookieError):
++                morsel.set("path", "val", c0)
++
++    def test_control_characters_output(self):
++        # Tests that even if the internals of Morsel are modified
++        # that a call to .output() has control character safeguards.
++        for c0 in support.control_characters_c0():
++            morsel = cookies.Morsel()
++            morsel.set("key", "value", "coded-value")
++            morsel._key = c0  # Override private variable.
++            cookie = cookies.SimpleCookie()
++            cookie["cookie"] = morsel
++            with self.assertRaises(cookies.CookieError):
++                cookie.output()
++
++            morsel = cookies.Morsel()
++            morsel.set("key", "value", "coded-value")
++            morsel._coded_value = c0  # Override private variable.
++            cookie = cookies.SimpleCookie()
++            cookie["cookie"] = morsel
++            with self.assertRaises(cookies.CookieError):
++                cookie.output()
++
+ def test_main():
+     run_unittest(CookieTests, MorselTests)
+     run_doctest(cookies)
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
+new file mode 100644
+index 0000000..788c3e4
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
+@@ -0,0 +1 @@
++Reject control characters in :class:`http.cookies.Morsel` fields and values.
+-- 
+2.45.4
+
diff --git a/SPECS/python3/CVE-2026-1299.patch b/SPECS/python3/CVE-2026-1299.patch
@@ -0,0 +1,110 @@
+From 04a864ee5032269b1b2756da7d59ffed5d21e12e Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 23 Jan 2026 08:59:35 -0600
+Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator
+ (cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Denis Ledoux <dle@odoo.com>
+Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
+Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
+Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/python/cpython/pull/144180.patch
+---
+ Lib/email/generator.py                               | 12 +++++++++++-
+ Lib/test/test_email/test_generator.py                |  4 +++-
+ Lib/test/test_email/test_policy.py                   |  6 +++++-
+ .../2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst   |  4 ++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+
+diff --git a/Lib/email/generator.py b/Lib/email/generator.py
+index 89224ae..98cc4a0 100644
+--- a/Lib/email/generator.py
++++ b/Lib/email/generator.py
+@@ -22,6 +22,7 @@ NL = '\n'  # XXX: no longer used by the code below.
+ NLCRE = re.compile(r'\r\n|\r|\n')
+ fcre = re.compile(r'^From ', re.MULTILINE)
+ NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
++NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
+ 
+ 
+ 
+@@ -430,7 +431,16 @@ class BytesGenerator(Generator):
+         # This is almost the same as the string version, except for handling
+         # strings with 8bit bytes.
+         for h, v in msg.raw_items():
+-            self._fp.write(self.policy.fold_binary(h, v))
++            folded = self.policy.fold_binary(h, v)
++            if self.policy.verify_generated_headers:
++                linesep = self.policy.linesep.encode()
++                if not folded.endswith(linesep):
++                    raise HeaderWriteError(
++                        f'folded header does not end with {linesep!r}: {folded!r}')
++                if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)):
++                    raise HeaderWriteError(
++                        f'folded header contains newline: {folded!r}')
++            self._fp.write(folded)
+         # A blank line always separates headers from body
+         self.write(self._NL)
+ 
+diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py
+index d29400f..a641f87 100644
+--- a/Lib/test/test_email/test_generator.py
++++ b/Lib/test/test_email/test_generator.py
+@@ -264,7 +264,7 @@ class TestGenerator(TestGeneratorBase, TestEmailBase):
+     typ = str
+ 
+     def test_verify_generated_headers(self):
+-        """gh-121650: by default the generator prevents header injection"""
++        # gh-121650: by default the generator prevents header injection
+         class LiteralHeader(str):
+             name = 'Header'
+             def fold(self, **kwargs):
+@@ -285,6 +285,8 @@ class TestGenerator(TestGeneratorBase, TestEmailBase):
+ 
+                 with self.assertRaises(email.errors.HeaderWriteError):
+                     message.as_string()
++                with self.assertRaises(email.errors.HeaderWriteError):
++                    message.as_bytes()
+ 
+ 
+ class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
+diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py
+index ff1ddf7..d4a5eb3 100644
+--- a/Lib/test/test_email/test_policy.py
++++ b/Lib/test/test_email/test_policy.py
+@@ -279,7 +279,7 @@ class PolicyAPITests(unittest.TestCase):
+                     policy.fold("Subject", subject)
+ 
+     def test_verify_generated_headers(self):
+-        """Turning protection off allows header injection"""
++        # Turning protection off allows header injection
+         policy = email.policy.default.clone(verify_generated_headers=False)
+         for text in (
+             'Header: Value\r\nBad: Injection\r\n',
+@@ -302,6 +302,10 @@ class PolicyAPITests(unittest.TestCase):
+                     message.as_string(),
+                     f"{text}\nBody",
+                 )
++                self.assertEqual(
++                    message.as_bytes(),
++                    f"{text}\nBody".encode(),
++                )
+ 
+     # XXX: Need subclassing tests.
+     # For adding subclassed objects, make sure the usual rules apply (subclass
+diff --git a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+new file mode 100644
+index 0000000..e6333e7
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+@@ -0,0 +1,4 @@
++:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers
++that are unsafely folded or delimited; see
++:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
++Bloemsaat and Petr Viktorin in :gh:`121650`).
+-- 
+2.45.4
+
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
@@ -12,7 +12,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.9.19
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -39,6 +39,8 @@ Patch15:        CVE-2025-4138.patch
 Patch16:        CVE-2025-8194.patch
 Patch17:        CVE-2025-8291.patch
 Patch18:        CVE-2025-6075.patch
+Patch19:        CVE-2026-0672.patch
+Patch20:        CVE-2026-1299.patch
 
 # Patch for setuptools, resolved in 65.5.1
 Patch1000:      CVE-2022-40897.patch
@@ -204,6 +206,8 @@ The test package contains all regression tests for Python as well as the modules
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
+%patch20 -p1
 
 %build
 # Remove GCC specs and build environment linker scripts
@@ -379,6 +383,9 @@ make test TESTOPTS="-x test_multiprocessing_spawn -x test_socket -x test_email"
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Wed Jan 28 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.9.19-18
+- Patch for CVE-2026-1299, CVE-2026-0672
+
 * Tue Nov 04 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.9.19-17
 - Patch for CVE-2025-6075
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-25.cm2.noarch.rpm
 ca-certificates-2.0.0-25.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-22.cm2.aarch64.rpm
-python3-3.9.19-17.cm2.aarch64.rpm
-python3-devel-3.9.19-17.cm2.aarch64.rpm
-python3-libs-3.9.19-17.cm2.aarch64.rpm
-python3-setuptools-3.9.19-17.cm2.noarch.rpm
+python3-3.9.19-18.cm2.aarch64.rpm
+python3-devel-3.9.19-18.cm2.aarch64.rpm
+python3-libs-3.9.19-18.cm2.aarch64.rpm
+python3-setuptools-3.9.19-18.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-25.cm2.noarch.rpm
 ca-certificates-2.0.0-25.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-22.cm2.x86_64.rpm
-python3-3.9.19-17.cm2.x86_64.rpm
-python3-devel-3.9.19-17.cm2.x86_64.rpm
-python3-libs-3.9.19-17.cm2.x86_64.rpm
-python3-setuptools-3.9.19-17.cm2.noarch.rpm
+python3-3.9.19-18.cm2.x86_64.rpm
+python3-devel-3.9.19-18.cm2.x86_64.rpm
+python3-libs-3.9.19-18.cm2.x86_64.rpm
+python3-setuptools-3.9.19-18.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
