Bug 2217338 (CVE-2023-36632) - CVE-2023-36632 python: RecursionError: maximum recursion depth exceeded while calling a Python object
Summary: CVE-2023-36632 python: RecursionError: maximum recursion depth exceeded while calling a Python object
Keywords:
Status: NEW
Alias: CVE-2023-36632
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2217375 2217376 2217377 2217378 2217379 2217380 2217381 2217382 2217383 2217384 2217385 2217386 2217387 2219212 2219213 2219214 2219215 2219216 2219217 2219218 2219219 2219220 2219221
Blocks: 2217388
 
Reported: 2023-06-26 05:54 UTC by Avinash Hanwate
Modified: 2024-01-01 01:09 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Python. The legacy email.utils.parseaddr function allows attackers to trigger a "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-06-26 05:54:14 UTC
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class.

https://docs.python.org/3/library/email.utils.html
https://docs.python.org/3/library/email.html
https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py
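
The following is an added example for this report; it is not the linked PoC, not code from the reporter, and not CPython's own code. It reproduces the RecursionError on a constructed input and shows the two mitigations a consuming application has: a hardened wrapper around the legacy API, and the documented replacement via email.parser with policy.default. The trigger string is an assumption: a long run of ':' characters, which the legacy parser in email._parseaddr treats as nested address groups and recurses on once per group. The helper names (hostile_address, parse_outcome, safe_parseaddr, modern_addresses) and the sample addresses are made up for the example.

```python
"""Added example (not from the bug report, the linked PoC, or CPython):
reproduce the email.utils.parseaddr RecursionError on a constructed input
and show how an application keeps untrusted input from taking it down."""
from email import message_from_string, policy
from email.utils import parseaddr

# RFC 5322 caps a header line at 998 octets; reused here as an input-size guard.
MAX_HEADER_LEN = 998


def hostile_address(depth=10000):
    """Constructed trigger (assumption, not the linked PoC): every ':' opens an
    RFC 822 address group, and the legacy parser recurses into getaddress()
    once per group, so a run longer than the interpreter's recursion limit
    (1000 by default) exhausts the stack. Nothing in it is an address."""
    return ":" * depth


def parse_outcome(value):
    """Call the legacy API and report ('ok', (name, addr)) or
    ('error', exception class name) instead of letting it propagate."""
    try:
        return "ok", parseaddr(value)
    except RecursionError as exc:
        return "error", type(exc).__name__


def safe_parseaddr(value, max_len=MAX_HEADER_LEN):
    """Hypothetical hardened wrapper for code that cannot yet drop the legacy
    API: cap the input size, treat any parser exception as 'no address'
    (RecursionError is a RuntimeError, so Exception covers it), and refuse
    results that are not an addr-spec at all."""
    if not isinstance(value, str):
        return None
    if max_len is not None and len(value) > max_len:
        return None
    try:
        name, addr = parseaddr(value)
    except Exception:  # the legacy parser can raise many exception types
        return None
    if "@" not in addr:
        return None
    return name, addr


def modern_addresses(header_value):
    """The documented replacement: parse the value as a To: header with the
    non-legacy email.parser machinery (policy.default). Groups are flattened
    into their member mailboxes, and malformed parts are recorded as header
    defects rather than raised. CR/LF is rejected up front so attacker input
    cannot inject further header lines into the constructed message."""
    if "\r" in header_value or "\n" in header_value:
        raise ValueError("header value must not contain CR or LF")
    msg = message_from_string("To: " + header_value + "\n\n", policy=policy.default)
    return [(a.display_name, a.addr_spec) for a in msg["to"].addresses]


if __name__ == "__main__":
    good = "Ann Example <ann@example.org>"
    print(parse_outcome(good))
    print(parse_outcome(hostile_address()))
    print(safe_parseaddr(hostile_address()))
    print(safe_parseaddr(hostile_address(), max_len=None))
    print(modern_addresses(good + ", staff: bob@example.net;"))
```

The wrapper's length cap stops the hostile string before the parser sees it; dropping the cap (max_len=None) shows that the exception handler alone is also enough to turn the crash into a rejected input. Neither changes CPython's behaviour, which is why the description recommends moving to email.parser instead.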

Comment 2 Sandipan Roy 2023-07-03 03:08:33 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2219213]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2219214]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2219215]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2219216]


Created python3.12 tracking bugs for this issue:

Affects: fedora-all [bug 2219217]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2219218]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2219219]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2219220]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2219221]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2219212]

Comment 3 Petr Viktorin (pviktori) 2023-07-03 06:42:10 UTC
What makes this a security issue?
The function can raise AttributeError, LookupError, OSError, TypeError, UnicodeEncodeError, ValueError, or really any type of error. RecursionError is unexpected, but why is it treated as a *security* issue?

Comment 5 Avinash Hanwate 2023-07-17 07:58:03 UTC
(In reply to Petr Viktorin from comment #3)
> What makes this a security issue?
> The function can raise AttributeError, LookupError, OSError, TypeError,
> UnicodeEncodeError, ValueError, or really any type of error. RecursionError
> is unexpected, but why is it treated as a *security* issue.

@sandipan can you please check this?

