Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 937124 (CVE-2024-6923) - <dev-lang/python-{3.8.19_p3,3.9.19_p4,3.10.14_p2,3.11.9_p1,3.12.4_p3,3.13.0_rc1_p1}, <dev-python/pypy3_{9,10}-7.3.16_p1: Email header injection due to unquoted newlines
Summary: <dev-lang/python-{3.8.19_p3,3.9.19_p4,3.10.14_p2,3.11.9_p1,3.12.4_p3,3.13.0_r...
Status: CONFIRMED
Alias: CVE-2024-6923
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://mail.python.org/archives/list...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 939207 939208 939209 939279 939283 939863
Blocks:
  Show dependency tree
 
Reported: 2024-08-02 13:23 UTC by Christopher Fore
Modified: 2024-10-05 09:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2024-08-02 13:23:20 UTC 
CVE-2024-6923:

The email module didn’t properly quote newlines for email headers when
serializing an email message allowing for header injection when an email is
serialized.


3.13 PR: https://github.com/python/cpython/pull/122233


Backports:
3.12 PR: https://github.com/python/cpython/pull/122599
3.11 PR: https://github.com/python/cpython/pull/122608
3.10 PR: https://github.com/python/cpython/pull/122609
3.9 PR: https://github.com/python/cpython/pull/122610
3.8 PR: https://github.com/python/cpython/pull/122611
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-08-02 15:29:43 UTC 
> 3.13 PR: https://github.com/python/cpython/pull/122233

That's 3.14, actually.

3.13 PR: https://github.com/python/cpython/pull/122484
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-10-05 08:28:55 UTC 
cleanup done