CVE-2019-16056

Published: 06 September 2019

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
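As an added example (not code from the Ubuntu tracker page or from CPython), the following Python check shows how an application can validate a From/To header value without depending on which email.utils.parseaddr behaviour its interpreter has: it refuses any header with more than one unquoted '@' before consulting parseaddr at all, and then confirms the parsed addr-spec has at least one character on each side of its '@'. The quoted-string/comment stripper, the check_address function and the sample header values are assumptions constructed for this example.

```python
# Added example (not part of the Ubuntu CVE tracker page or of CPython):
# a From/To header check that does not rely on email.utils.parseaddr
# alone, since affected Python versions could return the first addr-spec
# of a header containing several '@' characters.  The header values
# below are constructed samples, not real messages.
from email.utils import parseaddr


def _strip_quoted_and_comments(header):
    """Return the header with RFC 5322 quoted-strings and (nested) comments
    removed, so '@' characters inside them are not counted as address
    separators."""
    out = []
    i, n = 0, len(header)
    in_quote = False
    depth = 0  # comment nesting depth
    while i < n:
        c = header[i]
        if (in_quote or depth) and c == '\\' and i + 1 < n:
            i += 2  # quoted-pair: skip the escaped character
            continue
        if in_quote:
            if c == '"':
                in_quote = False
        elif depth:
            if c == '(':
                depth += 1
            elif c == ')':
                depth -= 1
        elif c == '"':
            in_quote = True
        elif c == '(':
            depth += 1
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def check_address(header):
    """Validate a single From/To header value.

    Returns (True, addr) when the header contains exactly one unquoted '@'
    and parseaddr() yields an addr-spec with at least one character on each
    side of it; otherwise (False, reason).  The '@' count is taken from the
    raw header, so a value such as 'a@b.example@c.example' is refused even
    on a Python whose parseaddr() would silently return 'a@b.example'.
    """
    visible = _strip_quoted_and_comments(header)
    if visible.count('@') != 1:
        return False, 'expected exactly one unquoted @ in %r' % header
    _display_name, addr = parseaddr(header)
    if not addr:
        return False, 'parseaddr could not extract an address from %r' % header
    local, _, domain = addr.partition('@')
    if not local or not domain:
        return False, 'empty local part or domain in %r' % addr
    return True, addr


# Constructed sample header values.
SAMPLE_HEADERS = [
    'Alice Example <alice@example.com>',   # accepted
    '"x@y" <bob@example.com>',             # accepted: '@' inside a quoted-string
    'bob@example.com (at @ work)',         # accepted: '@' inside a comment
    'alice@example.com@attacker.example',  # refused: two unquoted '@'
    '@example.com',                        # refused: empty local part
    'alice@',                              # refused: empty domain
]

if __name__ == '__main__':
    for h in SAMPLE_HEADERS:
        ok, detail = check_address(h)
        print('%-40r %s %s' % (h, 'ACCEPT' if ok else 'REJECT', detail))
```

The raw-header '@' count is the part that matters for this CVE: it makes the decision independent of whether the installed interpreter carries the upstream fix, while the final local-part/domain check is the minimal rule the tracker note recommends rather than a full RFC 5322 validator.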

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: python2.7 (Launchpad, Ubuntu, Debian)
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (2.7.17~rc1-1)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (2.7.17~rc1-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (2.7.17~rc1-1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (2.7.15-4ubuntu4~18.04.2)
Ubuntu 16.04 ESM (Xenial Xerus): Released (2.7.12-1ubuntu0~16.04.9)
Ubuntu 14.04 ESM (Trusty Tahr): Released (2.7.6-8ubuntu0.6+esm3)
Patches:
Upstream: https://github.com/python/cpython/commit/4cbcd2f8c4e12b912e4d21fd892eedf7a3813d8e

Package: python3.4 (Launchpad, Ubuntu, Debian)
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Released (3.4.3-1ubuntu1~14.04.7+esm4)

Package: python3.5 (Launchpad, Ubuntu, Debian)
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Released (3.5.2-2ubuntu0~16.04.9)
Ubuntu 14.04 ESM (Trusty Tahr): Needs triage
Patches:
Upstream: https://github.com/python/cpython/commit/063eba280a11d3c9a5dd9ee5abe4de640907951b

Package: python3.6 (Launchpad, Ubuntu, Debian)
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Released (3.6.8-1~18.04.3)
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Patches:
Upstream: https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9

Package: python3.7 (Launchpad, Ubuntu, Debian)
Upstream: Released (3.7.4-4)
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Needs triage
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Patches:
Upstream: https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8

Notes

Author: seth-arnold
Note:
This has a very high risk of regression. Email addresses should
not be validated beyond making sure there's at least one byte on both
sides of an '@' sign. Legal email addresses are significantly more
complicated than what is easy to express in regex.
Whatever validation this module provides is in my opinion suspect.
