python3: email.utils.parseaddr mistakenly parse an email (CVE-2019-16056)

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied.

https://bugs.python.org/issue34155
https://nvd.nist.gov/vuln/detail/CVE-2019-16056

Patches:

https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8
https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9

Affected branches:

Edited Oct 16, 2019 by Natanael Copa

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information