Bug 1210638 (CVE-2023-27043) - VUL-0: CVE-2023-27043: python39,python310,python27,python,python36,python3,python311: The e-mail module of Python 0 - 2.7.18, 3.x - 3.11 incorrectly parses e-mail addresses which contain a special character
Summary: VUL-0: CVE-2023-27043: python39,python310,python27,python,python36,python3,py...
Status: RESOLVED FIXED
Alias: CVE-2023-27043
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/363947/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-27043:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-19 09:03 UTC by Cathy Hu
Modified: 2024-06-13 15:45 UTC
CC: 10 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Cathy Hu 2023-04-19 09:03:46 UTC
CVE-2023-27043

The e-mail module of Python 0 - 2.7.18, 3.x - 3.11 incorrectly parses e-mail
addresses which contain a special character. This vulnerability allows attackers
to send messages from e-mail addresses that would otherwise be rejected.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27043
https://www.cve.org/CVERecord?id=CVE-2023-27043
http://python.com
https://github.com/python/cpython/issues/102988
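The description above is terse, so here is an added example (not code from this bug report, from the reporter, or from CPython) of the failure mode it refers to. The old parser in email.utils.parseaddr() stops at a stray special character such as "]" and hands back the first, legitimate-looking address, so an allow-list check built on that result passes even though the raw header still carries a second address after it. The upstream fix added a keyword-only strict parameter (defaulting to True) under which parseaddr() returns ('', '') for such input; the interpreter_has_fix() helper probes for that parameter. strict_parseaddr() is a wrapper that rejects the malformed header on both patched and unpatched interpreters. SAMPLES and ALLOWED_SENDERS are constructed inputs for the demonstration, not data from the page.

```python
"""Added example, not part of the bug report or of CPython: why
email.utils.parseaddr() alone is an unsafe sender check, and a hardened
wrapper that behaves the same on patched and unpatched interpreters."""
import inspect
from email.utils import getaddresses, parseaddr

# Constructed inputs (not taken from the page). The last one has the shape
# that CVE-2023-27043 is about: a real-looking address, a stray special
# character, then a second angle-bracketed address.
SAMPLES = [
    "alice@example.org",
    "Alice <alice@example.org>",
    "alice@example.org]<bob@example.com>",
]
ALLOWED_SENDERS = {"alice@example.org"}   # hypothetical allow-list


def interpreter_has_fix() -> bool:
    """True when parseaddr() carries the keyword-only ``strict`` parameter
    introduced by the upstream fix (it defaults to True there)."""
    return "strict" in inspect.signature(parseaddr).parameters


def naive_sender_allowed(header: str) -> bool:
    """The pattern the CVE describes as dangerous: trust whatever address
    parseaddr() returns. On an unpatched interpreter the malformed sample
    yields 'alice@example.org' and passes; on a patched one it yields ''
    and fails. The result therefore depends on the interpreter."""
    return parseaddr(header)[1] in ALLOWED_SENDERS


def strict_parseaddr(header: str) -> tuple[str, str]:
    """Version-independent hardening: the header must parse to exactly one
    mailbox with a single, plain addr-spec, otherwise ('', '') is returned.

    On an unpatched interpreter getaddresses() turns the malformed sample
    into three tuples (alice, an empty one for the stray ']', bob); on a
    patched one it returns [('', '')]. Both fail the checks below.
    Deliberately conservative: quoted local parts and domain literals
    ("john doe"@example.org, user@[192.0.2.1]) are rejected as well."""
    parsed = getaddresses([header])
    if len(parsed) != 1:
        return ("", "")
    name, addr = parsed[0]
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return ("", "")
    # Any remaining special or whitespace character means the parser
    # stopped early rather than consuming a clean addr-spec.
    if any(c in addr for c in " \t<>[](),;:\\\""):
        return ("", "")
    return (name, addr)


def hardened_sender_allowed(header: str) -> bool:
    """Allow-list check built on the hardened parser."""
    return strict_parseaddr(header)[1] in ALLOWED_SENDERS


if __name__ == "__main__":
    print("interpreter has strict= fix:", interpreter_has_fix())
    for s in SAMPLES:
        print(f"{s!r:40} naive={naive_sender_allowed(s)!s:5} "
              f"hardened={hardened_sender_allowed(s)}")
```

Run it on an interpreter from before the fix and the malformed sample prints naive=True, hardened=False; on a patched interpreter both print False. Only the hardened column is the same everywhere, which is the property a sender check needs when the deployed Python version is not under your control.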
Comment 1 Cathy Hu 2023-04-19 09:08:38 UTC
All Python versions affected.


upstream is still discussing: https://github.com/python/cpython/issues/102988

There is already a PR by the reporter, but not merged yet: https://github.com/python/cpython/pull/102990/files
Comment 3 khanh vu 2023-05-31 06:26:37 UTC
Hi,

Is there any updated information on this ticket? I noticed that the fix has been merged in upstream.

BRs/KhanhVu
Comment 4 khanh vu 2023-05-31 06:35:12 UTC
Please ignore my previous comment.
It looks like the ticket is still open in the upstream.

BRs/KhanhVu
Comment 5 Marcus Meissner 2023-06-06 14:16:17 UTC
We have re-rated the CVSS score of this CVE; the NVD score is a better match, so we adjusted our score to be the same as the NVD score.
Comment 6 Marcus Meissner 2023-06-06 14:17:40 UTC
https://github.com/python/cpython/pull/105127 seems the new pull request, still open and in ongoing review.
Comment 7 Matej Cepl 2023-07-12 18:23:24 UTC
Unfortunately, the fix in that PR (which has already been merged) causes a massive regression, gh#python/cpython#106669, so it must be held back.
Comment 8 OBSbugzilla Bot 2023-07-12 18:55:03 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1098404 Factory / python311
Comment 9 OBSbugzilla Bot 2023-07-14 14:25:02 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1098684 Factory / python312
Comment 10 OBSbugzilla Bot 2023-07-19 12:55:03 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1099501 Factory / python310
Comment 12 OBSbugzilla Bot 2023-08-03 20:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1102235 Factory / python38
https://build.opensuse.org/request/show/1102236 Factory / python39
https://build.opensuse.org/request/show/1102237 Factory / python311
https://build.opensuse.org/request/show/1102238 Factory / python312
Comment 13 OBSbugzilla Bot 2023-08-12 18:15:02 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1103620 Factory / python
Comment 16 Sascha Weber 2023-08-14 14:31:12 UTC
Hi Gianluca,

@Matej is currently on vacation and will only return in 2 weeks; I have asked @Daniel Garcia to review this. He will try to get back to you before the end of this week.
Comment 20 Matej Cepl 2023-08-28 06:48:33 UTC
Actually, there is now some life on https://github.com/python/cpython/issues/102988 again, so let's wait a little bit more.
Comment 26 OBSbugzilla Bot 2023-09-16 23:05:03 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1111680 Factory / python
Comment 33 Maintenance Automation 2023-10-26 16:30:08 UTC
SUSE-SU-2023:4220-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210638, 1214685, 1214691
CVE References: CVE-2022-48565, CVE-2022-48566, CVE-2023-27043
Sources used:
openSUSE Leap 15.4 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1, python-doc-2.7.18-150000.57.1
openSUSE Leap 15.5 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1, python-doc-2.7.18-150000.57.1
SUSE Package Hub 15 15-SP4 (src): python-base-2.7.18-150000.57.1
SUSE Package Hub 15 15-SP5 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1
SUSE Manager Proxy 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1
SUSE Manager Retail Branch Server 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1
SUSE Manager Server 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Matej Cepl 2023-11-27 12:35:42 UTC
This bug has still not been fixed upstream, and the current state-of-the-art thinking there seems to be https://github.com/python/cpython/pull/111116, which is however still just a draft and, according to https://github.com/python/cpython/pull/111116#issuecomment-1785323606, somewhat broken.
Comment 36 OBSbugzilla Bot 2023-12-19 07:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1133947 Factory / python311
Comment 37 OBSbugzilla Bot 2023-12-19 19:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1134084 Factory / python311
Comment 47 OBSbugzilla Bot 2024-02-02 15:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1143660 Factory / python38
Comment 48 Maintenance Automation 2024-02-05 16:30:08 UTC
SUSE-SU-2024:0329-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1210638
CVE References: CVE-2023-27043
Sources used:
openSUSE Leap 15.5 (src): python-doc-2.7.18-150000.60.1, python-base-2.7.18-150000.60.1, python-2.7.18-150000.60.1
SUSE Package Hub 15 15-SP5 (src): python-base-2.7.18-150000.60.1, python-2.7.18-150000.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 49 Maintenance Automation 2024-02-08 20:30:01 UTC
SUSE-SU-2024:0437-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1210638
CVE References: CVE-2023-27043
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-doc-2.7.18-33.29.1, python-base-2.7.18-33.29.1, python-2.7.18-33.29.1
SUSE Linux Enterprise Server 12 SP5 (src): python-doc-2.7.18-33.29.1, python-base-2.7.18-33.29.1, python-2.7.18-33.29.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-doc-2.7.18-33.29.1, python-base-2.7.18-33.29.1, python-2.7.18-33.29.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python-base-2.7.18-33.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 50 Maintenance Automation 2024-02-08 20:30:03 UTC
SUSE-SU-2024:0436-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1210638
CVE References: CVE-2023-27043
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python36-core-3.6.15-52.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-core-3.6.15-52.1, python36-3.6.15-52.1
SUSE Linux Enterprise Server 12 SP5 (src): python36-core-3.6.15-52.1, python36-3.6.15-52.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-core-3.6.15-52.1, python36-3.6.15-52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 51 Maintenance Automation 2024-02-09 08:30:01 UTC
SUSE-SU-2024:0438-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1210638
CVE References: CVE-2023-27043
Sources used:
Web and Scripting Module 12 (src): python3-3.4.10-25.119.1, python3-base-3.4.10-25.119.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python3-3.4.10-25.119.1, python3-base-3.4.10-25.119.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python3-3.4.10-25.119.1, python3-base-3.4.10-25.119.1
SUSE Linux Enterprise Server 12 SP5 (src): python3-3.4.10-25.119.1, python3-base-3.4.10-25.119.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python3-3.4.10-25.119.1, python3-base-3.4.10-25.119.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 52 OBSbugzilla Bot 2024-02-12 14:15:04 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1146186 Factory / python310
Comment 54 OBSbugzilla Bot 2024-02-12 15:35:01 UTC
This is an autogenerated message for OBS integration:
This bug (1210638) was mentioned in
https://build.opensuse.org/request/show/1146201 Factory / python39
https://build.opensuse.org/request/show/1146203 Factory / python312
Comment 55 Matej Cepl 2024-02-12 16:02:07 UTC
Finally, all SRs filed.
Comment 57 Maintenance Automation 2024-02-14 16:36:41 UTC
SUSE-SU-2024:0464-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210638, 1214691
CVE References: CVE-2022-48566, CVE-2023-27043
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): python3-core-3.6.15-150000.3.138.1, python3-3.6.15-150000.3.138.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 58 Maintenance Automation 2024-02-21 16:30:01 UTC
SUSE-SU-2024:0581-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1210638
CVE References: CVE-2023-27043
Sources used:
Basesystem Module 15-SP5 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
Development Tools Module 15-SP5 (src): python3-core-3.6.15-150300.10.54.1
SUSE Linux Enterprise Micro 5.2 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
openSUSE Leap 15.3 (src): python3-core-3.6.15-150300.10.54.1, python3-documentation-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
openSUSE Leap Micro 5.3 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
openSUSE Leap Micro 5.4 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
openSUSE Leap 15.5 (src): python3-core-3.6.15-150300.10.54.1, python3-documentation-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
SUSE Linux Enterprise Micro 5.3 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
SUSE Linux Enterprise Micro 5.4 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1
SUSE Linux Enterprise Micro 5.5 (src): python3-core-3.6.15-150300.10.54.1, python3-3.6.15-150300.10.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 59 Maintenance Automation 2024-02-22 20:30:12 UTC
SUSE-SU-2024:0595-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1210638
CVE References: CVE-2023-27043
Sources used:
openSUSE Leap 15.4 (src): python310-documentation-3.10.13-150400.4.39.1, python310-3.10.13-150400.4.39.1, python310-core-3.10.13-150400.4.39.1
openSUSE Leap 15.5 (src): python310-documentation-3.10.13-150400.4.39.1, python310-3.10.13-150400.4.39.1, python310-core-3.10.13-150400.4.39.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python310-3.10.13-150400.4.39.1, python310-core-3.10.13-150400.4.39.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python310-3.10.13-150400.4.39.1, python310-core-3.10.13-150400.4.39.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python310-3.10.13-150400.4.39.1, python310-core-3.10.13-150400.4.39.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python310-3.10.13-150400.4.39.1, python310-core-3.10.13-150400.4.39.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python310-3.10.13-150400.4.39.1, python310-core-3.10.13-150400.4.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 61 Maintenance Automation 2024-03-05 20:30:23 UTC
SUSE-SU-2024:0329-2: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1210638
CVE References: CVE-2023-27043
Sources used:
SUSE Package Hub 15 15-SP4 (src): python-2.7.18-150000.60.1, python-base-2.7.18-150000.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 62 Maintenance Automation 2024-03-06 16:30:03 UTC
SUSE-SU-2024:0782-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1196025, 1210638, 1219666
CVE References: CVE-2022-25236, CVE-2023-27043, CVE-2023-6597
Sources used:
openSUSE Leap 15.4 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1
openSUSE Leap 15.5 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1
Python 3 Module 15-SP5 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python311-core-3.11.8-150400.9.23.1, python311-3.11.8-150400.9.23.1, python311-documentation-3.11.8-150400.9.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 63 Maintenance Automation 2024-03-06 20:30:05 UTC
SUSE-SU-2024:0784-1: An update that solves four vulnerabilities, contains two features and has two security fixes can now be installed.

Category: security (important)
Bug References: 1196025, 1210638, 1212015, 1214692, 1215454, 1219666
CVE References: CVE-2022-25236, CVE-2023-27043, CVE-2023-40217, CVE-2023-6597
Jira References: PED-7886, SLE-21253
Sources used:
openSUSE Leap 15.3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1, python39-documentation-3.9.18-150300.4.38.1
openSUSE Leap 15.5 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1, python39-documentation-3.9.18-150300.4.38.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1
SUSE Enterprise Storage 7.1 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 64 Maintenance Automation 2024-04-30 16:30:02 UTC
SUSE-SU-2024:0782-2: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1196025, 1210638, 1219666
CVE References: CVE-2022-25236, CVE-2023-27043, CVE-2023-6597
Maintenance Incident: [SUSE:Maintenance:32834](https://smelt.suse.de/incident/32834/)
Sources used:
Public Cloud Module 15-SP4 (src): python311-3.11.8-150400.9.23.1, python311-core-3.11.8-150400.9.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 67 Robert Frohl 2024-05-06 12:38:41 UTC
done, closing