
Commit f9a9a89

[AUTO-CHERRYPICK] [Low] Patch python3 for CVE-2025-1795 - branch main (#13335)
Co-authored-by: Sreenivasulu Malavathula (HCL Technologies Ltd) <v-smalavathu@microsoft.com>
1 parent d01332e commit f9a9a89

6 files changed

Lines changed: 82 additions & 27 deletions


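--- a/SPECS/python3/CVE-2025-1795.patch
+++ b/SPECS/python3/CVE-2025-1795.patch
@@ -0,0 +1,50 @@
+From 93144627af290c12f4aee722687ad27dc858cf96 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
+Date: Thu, 6 Mar 2025 20:18:02 -0600
+Subject: [PATCH] Address CVE-2025-1795
+
+---
+Lib/email/_header_value_parser.py | 3 ++-
+Lib/test/test_email/test__header_value_parser.py | 5 +++++
+2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
+index e394cfd..8a0295a 100644
+--- a/Lib/email/_header_value_parser.py
++++ b/Lib/email/_header_value_parser.py
+@@ -951,6 +951,7 @@ class _InvalidEwError(errors.HeaderParseError):
+# up other parse trees. Maybe should have tests for that, too.
+DOT = ValueTerminal('.', 'dot')
+ListSeparator = ValueTerminal(',', 'list-separator')
++ListSeparator.as_ew_allowed = False
+RouteComponentMarker = ValueTerminal('@', 'route-component-marker')
+
+#
+@@ -2024,7 +2025,7 @@ def get_address_list(value):
+address_list.defects.append(errors.InvalidHeaderDefect(
+"invalid address in address-list"))
+if value: # Must be a , at this point.
+- address_list.append(ValueTerminal(',', 'list-separator'))
++ address_list.append(ListSeparator)
+value = value[1:]
+return address_list, value
+
+diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
+index 854f2ff..7063ce7 100644
+--- a/Lib/test/test_email/test__header_value_parser.py
++++ b/Lib/test/test_email/test__header_value_parser.py
+@@ -2946,6 +2946,11 @@ class TestFolding(TestEmailBase):
+'=?utf-8?q?H=C3=BCbsch?= Kaktus <beautiful@example.com>,\n'
+' =?utf-8?q?bei=C3=9Ft_bei=C3=9Ft?= <biter@example.com>\n')
+
++ def test_address_list_with_list_separator_after_fold(self):
++ to = '0123456789' * 8 + '@foo, ä <foo@bar>'
++ self._test(parser.get_address_list(to)[0],
++ '0123456789' * 8 + '@foo,\n =?utf-8?q?=C3=A4?= <foo@bar>\n')
++
+# XXX Need tests with comments on various sides of a unicode token,
+# and with unicode tokens in the comments. Spaces inside the quotes
+# currently don't do the right thing.
+--
+2.45.2
+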
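Review bot: The patch header carries no reference to the upstream change it backports; lines 1-4 of the new file name only the local author and `Subject: [PATCH] Address CVE-2025-1795`. For a distro-carried security patch this makes it hard to audit later whether the two edits to `Lib/email/_header_value_parser.py` are the complete upstream fix or a partial backport. I would add a header line before the `---` separator such as `Upstream reference: <upstream CPython commit URL>` (placeholder, to be filled in by the author). The fix also depends on the header-folding code honouring `as_ew_allowed`, and that code, like most of `get_address_list`, lies outside these hunks. It is therefore worth confirming that the added `test_address_list_with_list_separator_after_fold` actually runs against the 3.9.19 tree during the package build; the spec's test stage is not visible in this commit.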

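--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -12,7 +12,7 @@
 Summary: A high-level scripting language
 Name: python3
 Version: 3.9.19
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: PSF
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -32,6 +32,7 @@ Patch8: CVE-2024-6923.patch
 Patch9: CVE-2023-27043.patch
 Patch10: CVE-2025-0938.patch
 Patch11: CVE-2024-9287.patch
+Patch12: CVE-2025-1795.patch
 # Patch for setuptools, resolved in 65.5.1
 Patch1000: CVE-2022-40897.patch
 Patch1001: CVE-2024-6345.patch
@@ -181,6 +182,7 @@ The test package contains all regression tests for Python as well as the modules
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 %build
 # Remove GCC specs and build environment linker scripts
@@ -336,6 +338,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Fri Mar 07 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 3.9.19-12
+- Add patch for CVE-2025-1795
+
 * Wed Feb 26 2025 Nadiia Dubchak <ndubchak@microsoft.com> - 3.9.19-11
 - Patch CVE-2024-9287
 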
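Review bot: The new `%changelog` entry spells the author's name `Sreeniavsulu`, while the commit's co-author trailer and the patch's `From:` line both use `Sreenivasulu`. The line should read `* Fri Mar 07 2025 Sreenivasulu Malavathula <v-smalavathu@microsoft.com> - 3.9.19-12`. The changelog is what operators read to confirm that a CVE fix is present in an installed package, so the attribution there should match the commit record.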

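--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm
 ca-certificates-2.0.0-19.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-21.cm2.aarch64.rpm
-python3-3.9.19-11.cm2.aarch64.rpm
-python3-devel-3.9.19-11.cm2.aarch64.rpm
-python3-libs-3.9.19-11.cm2.aarch64.rpm
-python3-setuptools-3.9.19-11.cm2.noarch.rpm
+python3-3.9.19-12.cm2.aarch64.rpm
+python3-devel-3.9.19-12.cm2.aarch64.rpm
+python3-libs-3.9.19-12.cm2.aarch64.rpm
+python3-setuptools-3.9.19-12.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm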

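--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm
 ca-certificates-2.0.0-19.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-21.cm2.x86_64.rpm
-python3-3.9.19-11.cm2.x86_64.rpm
-python3-devel-3.9.19-11.cm2.x86_64.rpm
-python3-libs-3.9.19-11.cm2.x86_64.rpm
-python3-setuptools-3.9.19-11.cm2.noarch.rpm
+python3-3.9.19-12.cm2.x86_64.rpm
+python3-devel-3.9.19-12.cm2.x86_64.rpm
+python3-libs-3.9.19-12.cm2.x86_64.rpm
+python3-setuptools-3.9.19-12.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm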

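--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.19-11.cm2.aarch64.rpm
+python3-3.9.19-12.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.19-11.cm2.aarch64.rpm
+python3-curses-3.9.19-12.cm2.aarch64.rpm
 python3-Cython-0.29.33-2.cm2.aarch64.rpm
-python3-debuginfo-3.9.19-11.cm2.aarch64.rpm
-python3-devel-3.9.19-11.cm2.aarch64.rpm
+python3-debuginfo-3.9.19-12.cm2.aarch64.rpm
+python3-devel-3.9.19-12.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.19-11.cm2.aarch64.rpm
+python3-libs-3.9.19-12.cm2.aarch64.rpm
 python3-libxml2-2.10.4-6.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.19-11.cm2.noarch.rpm
+python3-pip-3.9.19-12.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.19-11.cm2.noarch.rpm
-python3-test-3.9.19-11.cm2.aarch64.rpm
-python3-tools-3.9.19-11.cm2.aarch64.rpm
+python3-setuptools-3.9.19-12.cm2.noarch.rpm
+python3-test-3.9.19-12.cm2.aarch64.rpm
+python3-tools-3.9.19-12.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm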

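--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.19-11.cm2.x86_64.rpm
+python3-3.9.19-12.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.19-11.cm2.x86_64.rpm
+python3-curses-3.9.19-12.cm2.x86_64.rpm
 python3-Cython-0.29.33-2.cm2.x86_64.rpm
-python3-debuginfo-3.9.19-11.cm2.x86_64.rpm
-python3-devel-3.9.19-11.cm2.x86_64.rpm
+python3-debuginfo-3.9.19-12.cm2.x86_64.rpm
+python3-devel-3.9.19-12.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.19-11.cm2.x86_64.rpm
+python3-libs-3.9.19-12.cm2.x86_64.rpm
 python3-libxml2-2.10.4-6.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.19-11.cm2.noarch.rpm
+python3-pip-3.9.19-12.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.19-11.cm2.noarch.rpm
-python3-test-3.9.19-11.cm2.x86_64.rpm
-python3-tools-3.9.19-11.cm2.x86_64.rpm
+python3-setuptools-3.9.19-12.cm2.noarch.rpm
+python3-test-3.9.19-12.cm2.x86_64.rpm
+python3-tools-3.9.19-12.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm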
