
Bug 937124 (CVE-2024-6923)

Summary: <dev-lang/python-{3.8.19_p3,3.9.19_p4,3.10.14_p2,3.11.9_p1,3.12.4_p3,3.13.0_rc1_p1}, <dev-python/pypy3_{9,10}-7.3.16_p1: Email header injection due to unquoted newlines
Product: Gentoo Security
Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/
See Also: https://github.com/python/cpython/issues/121650
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 939207, 939208, 939209, 939279, 939283, 939863
Bug Blocks:

Description Christopher Fore 2024-08-02 13:23:20 UTC
CVE-2024-6923:

The email module didn't properly quote newlines for email headers when
serializing an email message, allowing for header injection when an email is
serialized.


3.13 PR: https://github.com/python/cpython/pull/122233


Backports:
3.12 PR: https://github.com/python/cpython/pull/122599
3.11 PR: https://github.com/python/cpython/pull/122608
3.10 PR: https://github.com/python/cpython/pull/122609
3.9 PR: https://github.com/python/cpython/pull/122610
3.8 PR: https://github.com/python/cpython/pull/122611
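Added example (not code from this bug, from Gentoo, or from the CPython fix): the issue above is that a CR or LF inside a header value ends the header line, so whatever follows it is read by the receiver as a separate header. Two defences do not depend on which Python version is installed: refuse line breaks in untrusted header values before the email module ever sees them, and re-parse the serialized bytes to confirm that only the headers the application meant to send are present. All function names, the `example.test` addresses and the sample inputs here are constructed for the example.

```python
from __future__ import annotations

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# A bare CR or LF inside a header value terminates the header line, so whatever
# follows it is parsed as a separate header (or as body text).  Reject both.
_LINE_BREAKS = ("\r", "\n")

# Headers this application expects to emit (constructed for the example).
# MIME-Version and the Content-* headers are added by EmailMessage.set_content().
EXPECTED_HEADERS = frozenset({
    "From", "To", "Subject",
    "MIME-Version", "Content-Type", "Content-Transfer-Encoding",
})


def validate_header_value(name: str, value: str) -> str:
    """Return value unchanged if it contains no line break, else raise ValueError."""
    if any(ch in value for ch in _LINE_BREAKS):
        raise ValueError(f"header {name!r} must not contain CR or LF")
    return value


def rejects(value: str) -> bool:
    """True if validate_header_value() refuses this value (used by the checks below)."""
    try:
        validate_header_value("Subject", value)
    except ValueError:
        return True
    return False


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Build a message from untrusted strings, validating every header first."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = validate_header_value("From", sender)
    msg["To"] = validate_header_value("To", recipient)
    msg["Subject"] = validate_header_value("Subject", subject)
    msg.set_content(body)
    return msg


def unexpected_headers(raw: bytes, expected=EXPECTED_HEADERS) -> list[str]:
    """Re-parse serialized bytes and list header names the application never set.

    Second line of defence: however the generator folded the headers, a smuggled
    header has to occupy its own line in the output, and a parser will see it.
    An empty list means the envelope is exactly what build_message() intended.
    """
    parsed = BytesParser(policy=policy.SMTP).parsebytes(raw)
    return sorted({name for name in parsed.keys() if name not in expected})


if __name__ == "__main__":
    # Constructed inputs for the example.
    msg = build_message("alerts@example.test", "ops@example.test",
                        "Nightly backup finished", "All volumes completed.\n")
    raw = msg.as_bytes()
    print(raw.decode())
    print("unexpected headers in our own output:", unexpected_headers(raw))

    # A value with an embedded line break never reaches the email module.
    print("rejected:", rejects("Nightly backup finished\r\nX-Injected: 1"))

    # A constructed raw message with an extra header, as the re-parse check sees it.
    smuggled = (b"From: alerts@example.test\r\nTo: ops@example.test\r\n"
                b"X-Injected: 1\r\n\r\nbody\r\n")
    print("unexpected headers in re-parsed bytes:", unexpected_headers(smuggled))
```

The input check is the one that matters in application code, since it works on every interpreter; the re-parse check is cheap and catches anything the serializer itself produced, which is what the upstream fix addresses (fixed CPython releases add a `verify_generated_headers` policy attribute and make the generator raise `email.errors.HeaderWriteError` rather than emit a header that would be parsed as several).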
Comment 1 Michał Górny 2024-08-02 15:29:43 UTC
> 3.13 PR: https://github.com/python/cpython/pull/122233

That's 3.14, actually.

3.13 PR: https://github.com/python/cpython/pull/122484
Comment 2 Michał Górny 2024-10-05 08:28:55 UTC
cleanup done