Overview

File CVE-2025-15367-poplib-ctrl-chars.patch of Package python.42782

From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters

---
 Lib/poplib.py                                                            |    2 ++
 Lib/test/test_poplib.py                                                  |   10 +++++++++-
 Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst |    1 +
 3 files changed, 12 insertions(+), 1 deletion(-)

Index: Python-2.7.18/Lib/poplib.py
===================================================================
--- Python-2.7.18.orig/Lib/poplib.py	2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/poplib.py	2026-02-13 22:26:39.303766912 +0100
@@ -101,6 +101,8 @@
 
     def _putcmd(self, line):
         if self._debugging: print '*cmd*', repr(line)
+        if re.search(b'[\x00-\x1F\x7F]', line):
+            raise ValueError('Control characters not allowed in commands')
         self._putline(line)
 
 
Index: Python-2.7.18/Lib/test/test_poplib.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_poplib.py	2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/test/test_poplib.py	2026-02-13 22:31:08.578482523 +0100
@@ -13,7 +13,7 @@
 
 from unittest import TestCase, skipUnless
 from test import test_support
-from test.test_support import HOST
+from test.test_support import HOST, control_characters_c0
 threading = test_support.import_module('threading')
 
 
@@ -233,6 +233,14 @@
         self.client.uidl()
         self.client.uidl('foo')
 
+    def test_control_characters(self):
+        for c0 in control_characters_c0():
+            with self.assertRaises(ValueError):
+                self.client.user('user{}'.format(c0))
+            with self.assertRaises(ValueError):
+                self.client.pass_('{}pass'.format(c0))
+
+
 
 SUPPORTS_SSL = False
 if hasattr(poplib, 'POP3_SSL'):
Index: Python-2.7.18/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-2.7.18/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst	2026-02-13 22:25:59.722953573 +0100
@@ -0,0 +1 @@
+Reject control characters in POP3 commands.
openSUSE Build Service is sponsored by
Places