The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. https://docs.python.org/3/library/email.utils.html https://docs.python.org/3/library/email.html https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py
Created mingw-python3 tracking bugs for this issue: Affects: fedora-all [bug 2219213] Created python2.7 tracking bugs for this issue: Affects: fedora-all [bug 2219214] Created python3.10 tracking bugs for this issue: Affects: fedora-all [bug 2219215] Created python3.11 tracking bugs for this issue: Affects: fedora-all [bug 2219216] Created python3.12 tracking bugs for this issue: Affects: fedora-all [bug 2219217] Created python3.6 tracking bugs for this issue: Affects: fedora-all [bug 2219218] Created python3.7 tracking bugs for this issue: Affects: fedora-all [bug 2219219] Created python3.8 tracking bugs for this issue: Affects: fedora-all [bug 2219220] Created python3.9 tracking bugs for this issue: Affects: fedora-all [bug 2219221] Created python34 tracking bugs for this issue: Affects: epel-all [bug 2219212]
What makes this a security issue? The function can raise AttributeError, LookupError, OSError, TypeError, UnicodeEncodeError, ValueError, or really any type of error. RecursionError is unexpected, but why is it treated as a *security* issue.
(In reply to Petr Viktorin from comment #3) > What makes this a security issue? > The function can raise AttributeError, LookupError, OSError, TypeError, > UnicodeEncodeError, ValueError, or really any type of error. RecursionError > is unexpected, but why is it treated as a *security* issue. @sandipan can you please check this?