Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1137610,
regarding bookworm-pu: package pydantic/1.10.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137610: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137610
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:pydantic
User: [email protected]
Usertags: pu bsp-2026-05-07-brazil

[ Reason ]
Fix ReDoS vulnerability in email validation: CVE-2024-3772. [1]

[ Impact ]
A crafted email string can trigger exponential backtracking
in the validation regex, leading to excessive CPU usage
and potential denial of service.

[ Tests ]
The upstream project added tests to validate the fix.
The proof of concept [2] provided for CVE-2024-3772
was reproduced on the vulnerable version and is no
longer effective after applying the patch.
Debusine:
https://debusine.debian.net/debian/developers/work-request/728372/

[ Risks ]
Low to moderate risk. The change is limited to regex
adjustment/backport from upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream patch fixing ReDoS in email
validation logic.

[ Other info ]
@cjwatson has reviewed this backport and will probably sponsor it.

[1] https://security-tracker.debian.org/tracker/CVE-2024-3772
[2] https://github.com/pydantic/pydantic/pull/7360
diff -Nru pydantic-1.10.4/debian/changelog pydantic-1.10.4/debian/changelog
--- pydantic-1.10.4/debian/changelog    2023-01-22 10:40:15.000000000 +0000
+++ pydantic-1.10.4/debian/changelog    2026-05-24 14:34:51.000000000 +0000
@@ -1,3 +1,12 @@
+pydantic (1.10.4-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * d/patches:
+    - CVE-2024-3772: Import upstream patch
+      (Fix ReDoS vulnerability in email validation)
+
+ -- Matheus Polkorny <[email protected]>  Sun, 24 May 2026 11:34:51 -0300
+
 pydantic (1.10.4-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru pydantic-1.10.4/debian/patches/CVE-2024-3772.patch 
pydantic-1.10.4/debian/patches/CVE-2024-3772.patch
--- pydantic-1.10.4/debian/patches/CVE-2024-3772.patch  1970-01-01 
00:00:00.000000000 +0000
+++ pydantic-1.10.4/debian/patches/CVE-2024-3772.patch  2026-05-24 
14:34:51.000000000 +0000
@@ -0,0 +1,55 @@
+From: Hasan Ramezani <[email protected]>
+Date: Wed, 27 Sep 2023 18:11:42 +0200
+Subject: [Backport] Add max length check to `validate_email` (#7673)
+
+---
+ changes/7673-hramezani.md | 1 +
+ pydantic/networks.py      | 7 +++++++
+ tests/test_networks.py    | 1 +
+ 3 files changed, 9 insertions(+)
+ create mode 100644 changes/7673-hramezani.md
+
+diff --git a/changes/7673-hramezani.md b/changes/7673-hramezani.md
+new file mode 100644
+index 0000000..dbb9829
+--- /dev/null
++++ b/changes/7673-hramezani.md
+@@ -0,0 +1 @@
++Fix: Add max length check to `pydantic.validate_email`
+diff --git a/pydantic/networks.py b/pydantic/networks.py
+index e1eef7b..6c45f0a 100644
+--- a/pydantic/networks.py
++++ b/pydantic/networks.py
+@@ -702,6 +702,10 @@ class IPvAnyNetwork(_BaseNetwork):  # type: ignore
+ 
+ 
+ pretty_email_regex = re.compile(r'([\w ]*?) *<(.*)> *')
++MAX_EMAIL_LENGTH = 2048
++"""Maximum length for an email.
++A somewhat arbitrary but very generous number compared to what is allowed by 
most implementations.
++"""
+ 
+ 
+ def validate_email(value: Union[str]) -> Tuple[str, str]:
+@@ -718,6 +722,9 @@ def validate_email(value: Union[str]) -> Tuple[str, str]:
+     if email_validator is None:
+         import_email_validator()
+
++    if len(value) > MAX_EMAIL_LENGTH:
++        raise errors.EmailError()
++
+     m = pretty_email_regex.fullmatch(value)
+     name: Optional[str] = None
+     if m:
+diff --git a/tests/test_networks.py b/tests/test_networks.py
+index eb717f9..c31448b 100644
+--- a/tests/test_networks.py
++++ b/tests/test_networks.py
+@@ -789,6 +789,7 @@ def test_address_valid(value, name, email):
+         '\"@example.com',
+         ',@example.com',
+         'foobar <foobar<@example.com>',
++        'foobar <' + 'a' * 4096 + '@example.com>',
+     ],
+ )
+ def test_address_invalid(value):
diff -Nru pydantic-1.10.4/debian/patches/series 
pydantic-1.10.4/debian/patches/series
--- pydantic-1.10.4/debian/patches/series       1970-01-01 00:00:00.000000000 
+0000
+++ pydantic-1.10.4/debian/patches/series       2026-05-24 14:34:51.000000000 
+0000
@@ -0,0 +1 @@
+CVE-2024-3772.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to