Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python
To mitigate CVE-2023-27043, a backward incompatible change that makes email address parsing stricter is introduced in certain Python versions in RHEL. Together with these fixes, RHEL users get two methods to retain the old parsing behavior without changing existing code.
1. The CVE-2023-27043 vulnerability
The email module of Python 2.7 and Python 3.0 to 3.11 is vulnerable to CVE-2023-27043. The vulnerability arises from the incorrect parsing of email addresses containing special characters. Malicious actors could exploit this flaw to send messages from email addresses or to email addresses that would otherwise be rejected. The severity of the flaw is medium but the real impact might differ depending on the application that uses Python email parsing capabilities.
2. Upstream resolution
To mitigate this issue, the Python development team has implemented a fix in CPython, the main implementation of Python. However, this fix introduces a backward incompatible change to the parsing of email addresses.
With the fix applied, the `getaddresses` and `parseaddr` functions from the `email.utils` module accept a new `strict` keyword argument that controls the stricter behavior introduced by the fix. The `strict` keyword argument can take the following values:
- `True` (default): the parsing is stricter to enhance security.
- `False`: the functions revert to the previous, less strict and less secure behavior.
3. Red Hat Enterprise Linux resolution
The mitigation in RHEL is based on the upstream resolution with two additional methods to retain the previous, less secure parsing behavior without requiring changes to existing code: a new environment variable and a configuration file.
3.1 Environment variable
You can set the `PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING` environment variable to a non-empty string. This configuration ensures that the previous, less strict parsing behavior is the default for the entire environment.
Example:
```bash
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
```
However, individual calls to the affected functions can still enable the stricter behavior. The environment variable controls only the default setting.
3.2 Configuration file
You can also control the parsing behavior by creating the `/etc/python/email.cfg` configuration file with the following content:
```ini
[email_addr_parsing]
PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
```
Using this configuration file ensures that the previous, less strict parsing behavior is the default for the entire system, while individual calls to the affected functions can still enable the stricter behavior.
4. Fixes in RHEL
The following Python versions in RHEL include the described change:
Python version | RHEL version | Advisory |
---|---|---|
Python 3.6 (python3-3.6.8-59.el8) | RHEL 8.10 | RHBA-2024:3192 |
Python 3.9 (python39-3.9.18-3.module+el8.10.0+21142+453d2b75) | RHEL 8.10 | RHSA-2024:2985 |
Python 3.11 (python3.11-3.11.7-1.el8) | RHEL 8.10 | RHSA-2024:3062 |
Python 3.6 (python3-3.6.8-56.el8_9.3) | RHEL 8.9 | RHSA-2024:0256 |
Python 3.6 (python3-3.6.8-51.el8_8.4) | RHEL 8.8 EUS* | RHSA-2024:0586 |
Python 3.6 (python3-3.6.8-47.el8_6.4) | RHEL 8.6 EUS* | RHSA-2024:0430 |
Python 3.9 (python3.9-3.9.18-3.el9) | RHEL 9.4 | RHBA-2024:2473 |
Python 3.9 (python3.9-3.9.18-1.el9_3.1) | RHEL 9.3 | RHSA-2024:0466 |
Python 3.9 (python3.9-3.9.16-1.el9_2.3) | RHEL 9.2 EUS* | RHSA-2024:0454 |
Python 3.11 (python3.11-3.11.7-1.el9) | RHEL 9.4 | RHSA-2024:2292 |