937124 – (CVE-2024-6923) <dev-lang/python-{3.8.19_p3,3.9.19_p4,3.10.14_p2,3.11.9_p1,3.12.4_p3,3.13.0_rc1_p1}, <dev-python/pypy3_{9,10}-7.3.16_p1: Email header injection due to unquoted newlines

Bug 937124 (CVE-2024-6923) - <dev-lang/python-{3.8.19_p3,3.9.19_p4,3.10.14_p2,3.11.9_p1,3.12.4_p3,3.13.0_rc1_p1}, <dev-python/pypy3_{9,10}-7.3.16_p1: Email header injection due to unquoted newlines

Summary: <dev-lang/python-{3.8.19_p3,3.9.19_p4,3.10.14_p2,3.11.9_p1,3.12.4_p3,3.13.0_r...

Status:	CONFIRMED

Alias:	CVE-2024-6923

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://mail.python.org/archives/list...
Whiteboard:	A3 [stable]
Keywords:

Depends on:	939207 939208 939209 939279 939283
Blocks:
	Show dependency tree

Reported:	2024-08-02 13:23 UTC by Christopher Fore
Modified:	2024-09-07 11:44 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/python/cpython/issues/121650
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2024-08-02 13:23:20 UTC

CVE-2024-6923:

The email module didn’t properly quote newlines for email headers when
serializing an email message allowing for header injection when an email is
serialized.


3.13 PR: https://github.com/python/cpython/pull/122233


Backports:
3.12 PR: https://github.com/python/cpython/pull/122599
3.11 PR: https://github.com/python/cpython/pull/122608
3.10 PR: https://github.com/python/cpython/pull/122609
3.9 PR: https://github.com/python/cpython/pull/122610
3.8 PR: https://github.com/python/cpython/pull/122611

Comment 1 Michał Górny archtester

2024-08-02 15:29:43 UTC

> 3.13 PR: https://github.com/python/cpython/pull/122233

That's 3.14, actually.

3.13 PR: https://github.com/python/cpython/pull/122484