Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <f787c960-d069-43c5-b106-fb72bda132cd@oracle.com>
Date: Thu, 1 Aug 2024 14:28:38 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CPython CVE-2024-6923: Email header injection due to unquoted
 newlines

----- Begin Forwarded Message -----
Subject: 	[Security-announce][CVE-2024-6923] Email header injection due to unquoted newlines
Date: 	Thu, 1 Aug 2024 08:38:53 -0500
From: 	Seth Larson <seth@...hon.org>
Reply-To: 	security-sig@...hon.org
To: 	security-announce@...hon.org

There is a MEDIUM severity vulnerability affecting CPython.

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

Please see the linked CVE for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2024-6923
* https://github.com/python/cpython/pull/122233
* https://github.com/python/cpython/issues/121650

------ End Forwarded Message ------

The original bug report stated:

> If a parsed email header contains a correctly quoted newline, setting an
> email header to that value will include a newline.
> 
> from email import message_from_string
> from email.policy import default
> 
> email_in = """\
> To: incoming+tag@...example.com
> From: External Sender <sender@...m.example.com>
> Subject: Here's an =?UTF-8?Q?embedded_newline=0A?=
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
> MIME-Version: 1.0
> 
> <html>
> <head><title>An embeded newline</title></head>
> <body>
>   <p>I sent you an embedded newline in the subject. How do you like that?!</p>
> </body>
> </html>
> """
> 
> msg = message_from_string(email_in, policy=default)
> msg = message_from_string(email_in, policy=default)
> for header, value in msg.items():
>     del msg[header]
>     msg[header] = value
> email_out = str(msg)
> print(email_out)
> 
> Output is:
> 
> To: incoming+tag@...example.com
> From: External Sender <sender@...m.example.com>
> Subject: Here's an embedded newline
> 
> Content-Type: text/html; charset="UTF-8"
> Content-Transfer-Encoding: quoted-printable
> MIME-Version: 1.0
> 
> <html>
> <head><title>An embeded newline</title></head>
> <body>
>   <p>I sent you an embedded newline in the subject. How do you like that?!</p>
> </body>
> </html>
> 
> An email parser will interpret the newline as the start of the message.
> In this case, the Content-Type and other MIME headers will not be
> processed, and the email treated as plain text. In other cases,
> required headers like To may not be processed and the email will not
> be delivered.

A later update noted:

> On further investigation, a plain string with a trailing newline has this issue:
> 
> email["Subject"] = "string with newlines\n"
> 
> So the "re-use parsed header" is not part of the issue. 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.