Bug 2217338 (CVE-2023-36632)

Summary: CVE-2023-36632 python: RecursionError: maximum recursion depth exceeded while calling a Python object
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: cstratak, hhorak, jorton, python-maint, saroy, torsava
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
[Disputed] A flaw was found in Python's legacy email.utils.parseaddr function: a crafted argument makes it raise "RecursionError: maximum recursion depth exceeded while calling a Python object". The argument is plausibly an untrusted value from an application's input data that was expected to contain a name and an e-mail address.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2217375, 2217376, 2217377, 2217378, 2217379, 2217380, 2217381, 2217382, 2217383, 2217384, 2217385, 2217386, 2217387, 2219212, 2219213, 2219214, 2219215, 2219216, 2219217, 2219218, 2219219, 2219220, 2219221    
Bug Blocks: 2217388    

Description Avinash Hanwate 2023-06-26 05:54:14 UTC
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class.

https://docs.python.org/3/library/email.utils.html
https://docs.python.org/3/library/email.html
https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py
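The following is an added example, not code from this bug report, from the linked PoC or from CPython. It shows what the description means in practice: the legacy parser can hit the interpreter's recursion limit on attacker-controlled input, and an application that calls it must treat that outcome the same way as any other parse failure. The crafted input used here is a constructed assumption (a run of ':' characters; each ':' opens an RFC 822 address group, which the legacy parser handles by a recursive call), and the 512-character cap is an assumed application policy, not anything the report specifies.

```python
"""Defensive wrapper around the legacy email.utils.parseaddr.

Added example, not code from the bug report, the linked PoC or CPython.
The crafted input is a constructed assumption: a run of ':' characters.
In the legacy parser each ':' opens an address group, and the group body is
parsed by a recursive call, so a long enough run exceeds the recursion limit.
"""
import email.utils

# Constructed input (assumption of this example, not the linked PoC).
# 20000 nested groups is far above the default recursion limit of 1000.
CRAFTED = ":" * 20_000

# Assumed application cap. RFC 5321 allows a 64-octet local-part, '@' and a
# 255-octet domain; 512 leaves room for a display name and still keeps the
# worst-case group depth below the default recursion limit of 1000.
MAX_ADDR_LEN = 512

# Every outcome the maintainer lists for parseaddr, plus RecursionError.
# A parse failure, whatever its type, means "reject the value", never "crash".
_PARSE_FAILURES = (
    RecursionError, AttributeError, LookupError, OSError,
    TypeError, UnicodeError, ValueError,
)


def probe_legacy(value):
    """Call parseaddr unguarded; return the exception class name or None."""
    try:
        email.utils.parseaddr(value)
    except _PARSE_FAILURES as exc:
        return type(exc).__name__
    return None


def parse_address_safely(value, max_len=MAX_ADDR_LEN):
    """Return (display_name, addr_spec), or None if the value is rejected.

    Two independent controls: an input-length cap applied before the legacy
    parser sees the value, and a catch of every parser failure mode so that an
    unexpected exception type (RecursionError included) never escapes to the
    caller. Pass max_len=None to exercise the second control on its own.
    """
    if not isinstance(value, str):
        return None
    if max_len is not None and len(value) > max_len:
        return None
    try:
        name, addr = email.utils.parseaddr(value)
    except _PARSE_FAILURES:
        return None
    # parseaddr returns ('', '') or a bare word for junk; require an addr-spec.
    if "@" not in addr:
        return None
    return name, addr


if __name__ == "__main__":
    print(probe_legacy("Alice Example <alice@example.org>"))   # None
    print(probe_legacy(CRAFTED))                                # RecursionError
    print(parse_address_safely("Alice Example <alice@example.org>"))
    print(parse_address_safely(CRAFTED))                 # None: length cap
    print(parse_address_safely(CRAFTED, max_len=None))   # None: exception caught
```

The length cap is the control that actually keeps untrusted input away from the deep recursion; the broad except clause is the one that keeps the process alive if some other input reaches a failure mode nobody anticipated. Neither replaces the description's advice to move to email.parser, which the example does not cover.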

Comment 2 Sandipan Roy 2023-07-03 03:08:33 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2219213]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2219214]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2219215]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2219216]


Created python3.12 tracking bugs for this issue:

Affects: fedora-all [bug 2219217]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2219218]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2219219]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2219220]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2219221]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2219212]

Comment 3 Petr Viktorin (pviktori) 2023-07-03 06:42:10 UTC
What makes this a security issue?
The function can raise AttributeError, LookupError, OSError, TypeError, UnicodeEncodeError, ValueError, or really any type of error. RecursionError is unexpected, but why is it treated as a *security* issue?

Comment 5 Avinash Hanwate 2023-07-17 07:58:03 UTC
(In reply to Petr Viktorin from comment #3)
> What makes this a security issue?
> The function can raise AttributeError, LookupError, OSError, TypeError,
> UnicodeEncodeError, ValueError, or really any type of error. RecursionError
> is unexpected, but why is it treated as a *security* issue?

@sandipan can you please check this?