Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:pydantic
User: [email protected]
Usertags: pu bsp-2026-05-07-brazil
[ Reason ]
Fix ReDoS vulnerability in email validation: CVE-2024-3772. [1]

[ Impact ]
A crafted email string can trigger exponential backtracking in the validation regex, leading to excessive CPU usage and potential denial of service.

[ Tests ]
The upstream project added tests to validate the fix. The proof of concept [2] provided for CVE-2024-3772 was reproduced on the vulnerable version and is no longer effective after applying the patch.

Debusine: https://debusine.debian.net/debian/developers/work-request/728372/

[ Risks ]
Low to moderate risk. The change is limited to regex adjustment/backport from upstream.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream patch fixing ReDoS in email validation logic.

[ Other info ]
@cjwatson has reviewed this backport and will probably sponsor it.

[1] https://security-tracker.debian.org/tracker/CVE-2024-3772
[2] https://github.com/pydantic/pydantic/pull/7360
diff -Nru pydantic-1.10.4/debian/changelog pydantic-1.10.4/debian/changelog --- pydantic-1.10.4/debian/changelog 2023-01-22 10:40:15.000000000 +0000 +++ pydantic-1.10.4/debian/changelog 2026-05-24 14:34:51.000000000 +0000 @@ -1,3 +1,12 @@ +pydantic (1.10.4-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * d/patches: + - CVE-2024-3772: Import upstream patch + (Fix ReDoS vulnerability in email validation) + + -- Matheus Polkorny <[email protected]> Sun, 24 May 2026 11:34:51 -0300 + pydantic (1.10.4-1) unstable; urgency=medium * Team upload. diff -Nru pydantic-1.10.4/debian/patches/CVE-2024-3772.patch pydantic-1.10.4/debian/patches/CVE-2024-3772.patch --- pydantic-1.10.4/debian/patches/CVE-2024-3772.patch 1970-01-01 00:00:00.000000000 +0000 +++ pydantic-1.10.4/debian/patches/CVE-2024-3772.patch 2026-05-24 14:34:51.000000000 +0000 
@@ -0,0 +1,55 @@ +From: Hasan Ramezani <[email protected]> +Date: Wed, 27 Sep 2023 18:11:42 +0200 +Subject: [Backport] Add max length check to `validate_email` (#7673) + +--- + changes/7673-hramezani.md | 1 + + pydantic/networks.py | 7 +++++++ + tests/test_networks.py | 1 + + 3 files changed, 9 insertions(+) + create mode 100644 changes/7673-hramezani.md + +diff --git a/changes/7673-hramezani.md b/changes/7673-hramezani.md +new file mode 100644 +index 0000000..dbb9829 +--- /dev/null ++++ b/changes/7673-hramezani.md +@@ -0,0 +1 @@ ++Fix: Add max length check to `pydantic.validate_email` +diff --git a/pydantic/networks.py b/pydantic/networks.py +index e1eef7b..6c45f0a 100644 +--- a/pydantic/networks.py ++++ b/pydantic/networks.py +@@ -702,6 +702,10 @@ class IPvAnyNetwork(_BaseNetwork): # type: ignore + + + pretty_email_regex = re.compile(r'([\w ]*?) *<(.*)> *') ++MAX_EMAIL_LENGTH = 2048 ++"""Maximum length for an email. ++A somewhat arbitrary but very generous number compared to what is allowed by most implementations. 
++""" + + + def validate_email(value: Union[str]) -> Tuple[str, str]: +@@ -718,6 +722,9 @@ def validate_email(value: Union[str]) -> Tuple[str, str]: + if email_validator is None: + import_email_validator() + ++ if len(value) > MAX_EMAIL_LENGTH: ++ raise errors.EmailError() ++ + m = pretty_email_regex.fullmatch(value) + name: Optional[str] = None + if m: +diff --git a/tests/test_networks.py b/tests/test_networks.py +index eb717f9..c31448b 100644 +--- a/tests/test_networks.py ++++ b/tests/test_networks.py +@@ -789,6 +789,7 @@ def test_address_valid(value, name, email): + '\"@example.com', + ',@example.com', + 'foobar <foobar<@example.com>', ++ 'foobar <' + 'a' * 4096 + '@example.com>', + ], + ) + def test_address_invalid(value): diff -Nru pydantic-1.10.4/debian/patches/series pydantic-1.10.4/debian/patches/series --- pydantic-1.10.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ pydantic-1.10.4/debian/patches/series 2026-05-24 14:34:51.000000000 +0000 @@ -0,0 +1 @@ +CVE-2024-3772.patch
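Review bot: In the second `pydantic/networks.py` hunk, the new `if len(value) > MAX_EMAIL_LENGTH: raise errors.EmailError()` bounds the input size, while `pretty_email_regex = re.compile(r'([\w ]*?) *<(.*)> *')` is left unchanged, so the backtracking is capped by input length rather than removed from the pattern; the cover letter's "[ Risks ]" wording ("limited to regex adjustment") should be corrected to say it is a length cap, and the 2048-character ceiling is worth mentioning in d/changelog since callers feeding longer display-name strings will now get `EmailError` where they previously got a parse result.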
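Review bot: The `tests/test_networks.py` hunk adds `'foobar <' + 'a' * 4096 + '@example.com>'` to `test_address_invalid`, which only asserts that the value is rejected, not that the new length check is what rejects it; a companion case at exactly `MAX_EMAIL_LENGTH` (accepted or rejected for a reason other than length) would pin the boundary and make a future regression in the cap visible.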
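Review bot: The patch header in `debian/patches/CVE-2024-3772.patch` carries only `From:`, `Date:` and `Subject: [Backport] ...`; add DEP-3 fields (`Origin: backport` with the upstream commit for #7673, `Bug-Debian:` or a CVE reference matching the security-tracker link in the cover letter, and `Last-Update:`) so the provenance is recorded in the patch itself. The `changes/7673-hramezani.md` hunk creates an upstream release-notes fragment that serves no purpose in the Debian package and could be dropped from the backport to keep the patch minimal.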