Bug 2196183 (CVE-2023-27043) - CVE-2023-27043 python: Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple
Keywords:
Status: NEW
Alias: CVE-2023-27043
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2196184 2196185 2196186 2196187 2196188 2196190 2196191 2196192 2196193 2196194 2196200 2196201 2196202 2196203 2196204 2196205 2196206 2196207 2196208 2196209 2196210 2196211 2196212
Blocks:
Reported: 2023-05-08 09:20 UTC by Sandipan Roy
Modified: 2024-05-01 01:06 UTC (History)
CC: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
Red Hat Product Errata RHBA-2024:2632 (last updated 2024-05-01 01:06:22 UTC)
Red Hat Product Errata RHSA-2024:0256 (last updated 2024-01-15 16:03:57 UTC)
Red Hat Product Errata RHSA-2024:0430 (last updated 2024-01-24 16:49:38 UTC)
Red Hat Product Errata RHSA-2024:0454 (last updated 2024-01-24 16:40:18 UTC)
Red Hat Product Errata RHSA-2024:0466 (last updated 2024-01-24 16:31:02 UTC)
Red Hat Product Errata RHSA-2024:0586 (last updated 2024-01-30 13:25:14 UTC)
Red Hat Product Errata RHSA-2024:2292 (last updated 2024-04-30 10:02:02 UTC)

Description Sandipan Roy 2023-05-08 09:20:38 UTC
The e-mail module of Python 0 - 2.7.18, 3.x - 3.11 incorrectly parses e-mail addresses which contain a special character. This vulnerability allows attackers to send messages from e-mail addresses that would otherwise be rejected.

https://github.com/python/cpython/issues/102988
http://python.org
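A defensive wrapper for the parsing behaviour described above, added here as an example; it is not part of the bug report or of CPython. `strict_parseaddr` and `sender_allowed` are hypothetical names, and the sample headers are constructed for the demonstration (the third is shaped like the malformed header discussed in the linked CPython issue).

```python
from email.utils import parseaddr


def strict_parseaddr(raw: str):
    """Return (display_name, addr) for one mailbox header, or None when the
    header cannot be accounted for unambiguously.

    In the affected Python versions parseaddr() stops at the first special
    character it cannot handle and returns only the fragment it managed to
    read, so a downstream allowlist may judge a different address than the one
    a mail server will actually use.  This wrapper refuses any input whose text
    is not fully explained by the parsed name and address, and therefore
    rejects such headers on both patched and unpatched interpreters.
    """
    name, addr = parseaddr(raw)
    if not addr or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    # Everything in the raw header must be the display name, the address, or
    # harmless framing (whitespace, quotes, angle brackets).  This is
    # deliberately conservative and also rejects some exotic but valid headers.
    leftover = raw.replace(addr, "", 1)
    if name:
        leftover = leftover.replace(name, "", 1)
    if leftover.strip(' \t"<>'):
        return None  # unexplained residue, e.g. a second address
    return name, addr


def sender_allowed(raw: str, allowed_domains: set) -> bool:
    """Allowlist decision made on the validated address only."""
    parsed = strict_parseaddr(raw)
    if parsed is None:
        return False
    return parsed[1].split("@")[1].lower() in allowed_domains


if __name__ == "__main__":
    # Constructed sample headers (not taken from real mail traffic).
    for header in ("bob@example.com",
                   "Bob Smith <bob@example.com>",
                   "alice@example.org]<bob@example.com>"):
        print(repr(header), "->", parseaddr(header), strict_parseaddr(header))
```

Running the block side by side shows what the stock `parseaddr` returns on the interpreter at hand versus what the wrapper accepts; only the first two headers pass the wrapper.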

Comment 1 Sandipan Roy 2023-05-08 09:24:15 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2196185]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2196186]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2196187]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2196188]


Created python3.12 tracking bugs for this issue:

Affects: fedora-all [bug 2196190]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2196191]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2196192]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2196193]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2196194]


Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 2196184]

Comment 2 Sandipan Roy 2023-05-08 09:24:58 UTC
https://github.com/advisories/GHSA-5mwm-wccq-xqcp

Comment 9 Lumír Balhar 2023-09-20 14:13:19 UTC
We have investigated the problem in the original patch that was reverted and proposed a solution. There is a new PR addressing this but it's progressing slowly. We are closely monitoring it. https://github.com/python/cpython/pull/108250

The previously merged and then reverted patch demonstrates that we should be very careful with fixes like this.

Comment 10 Fedora Update System 2023-12-26 01:45:45 UTC
FEDORA-2023-87771f4249 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2023-12-28 00:53:24 UTC
FEDORA-2023-c0bf8c0c4e has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2024-01-15 16:03:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0256 https://access.redhat.com/errata/RHSA-2024:0256

Comment 13 errata-xmlrpc 2024-01-24 16:31:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0466 https://access.redhat.com/errata/RHSA-2024:0466

Comment 14 errata-xmlrpc 2024-01-24 16:40:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0454 https://access.redhat.com/errata/RHSA-2024:0454

Comment 15 errata-xmlrpc 2024-01-24 16:49:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0430 https://access.redhat.com/errata/RHSA-2024:0430

Comment 16 errata-xmlrpc 2024-01-30 13:25:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0586 https://access.redhat.com/errata/RHSA-2024:0586

Comment 19 errata-xmlrpc 2024-04-30 10:02:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2292 https://access.redhat.com/errata/RHSA-2024:2292
