CVE-2023-36632: RecursionError in Python's Legacy email.utils.parseaddr Function (Disputed)

A potential issue has been reported in the legacy email.utils.parseaddr function in Python versions up to 3.11.4. The issue could allow attackers to trigger a "RecursionError: maximum recursion depth exceeded while calling a Python object" via a specially crafted argument. Note, however, that this matter is currently DISPUTED.

The argument in question is typically an untrusted value taken from an application's input data and is expected to contain a display name and an email address. The email.utils.parseaddr function is designated a Legacy API in the documentation of Python's email package. As an alternative, applications should use the email.parser.BytesParser or email.parser.Parser classes.

Note that the Python project (the vendor) does not consider this a vulnerability or a bug. The email package is designed to have size limits and to raise an exception when those limits are exceeded, which is exactly the behaviour the example code below demonstrates.

Consider the following example code:

from email.utils import parseaddr

# A crafted argument: each ':' opens an RFC 5322 address group, and the legacy
# parser handles every nested group with a recursive call, so a long run of them
# exceeds the interpreter's default recursion limit.
malicious_input = ":" * (10 ** 6)

# Parsing the malicious input using the email.utils.parseaddr function; the
# RecursionError is caught here so the script reports it instead of crashing.
try:
    result = parseaddr(malicious_input)
    print("Result: ", result)
except RecursionError as exc:
    print("RecursionError raised by parseaddr:", exc)

When this code is executed, parseaddr raises the RecursionError described above.

Exploit Details

An attacker can exploit this issue by sending a crafted input to an application that passes it to the affected email.utils.parseaddr function. When the application processes this input, the call raises a RecursionError; if the exception is not handled, the result is a temporary denial of service.

For more information on this issue, see the vendor's dispute statement and the references below:

- Python's Bug Tracker: Issue
- Python's Official Documentation: email.utils.parseaddr

From the vendor's perspective, this is neither a bug nor a vulnerability: the email package is working as intended, since it is designed to have size limits and to raise an exception when those limits are exceeded, as the example above shows. The recommended course of action remains to use the email.parser.BytesParser or email.parser.Parser classes in place of the legacy email.utils.parseaddr function.
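The following is an added example written for this page; it is not code from the CVE report or from CPython. It shows, on a constructed nested-group input, that the legacy parser raises RecursionError, and then the two defensive measures an application can take: a wrapper that caps the length of an untrusted address value and treats RecursionError as an ordinary parse failure, and the non-legacy parsing path (email.message_from_string with email.policy.default) for a well-formed header. The function names, the sample inputs and the 998-byte cap (borrowed from the RFC 5322 line-length limit) are assumptions made for this example; the length cap is what actually bounds the parser's work, independently of which parser is used.

```python
import email
import email.policy
from email.utils import parseaddr

# Constructed inputs for this example (not values from the CVE report).
# Each ':' opens an RFC 5322 address group, and the legacy parser descends
# one Python frame per nested group, so tens of thousands of them exceed
# the interpreter's default recursion limit.
NESTED_GROUPS = ":" * 50_000
BENIGN = "Alice Example <alice@example.com>"

# Real mailbox addresses are short; RFC 5322 limits a header line to 998
# octets. The cap is an assumption chosen for this example.
MAX_ADDRESS_LEN = 998


def legacy_raises_recursion_error(value: str) -> bool:
    """Return True if the legacy parser exhausts the recursion limit on value."""
    try:
        parseaddr(value)
    except RecursionError:
        return True
    return False


def safe_parseaddr(value, max_len=MAX_ADDRESS_LEN):
    """Parse an untrusted address with the legacy API without letting it crash.

    Returns a (realname, addr) tuple, or None when the value is not a string,
    is oversized, yields no address, or makes the parser exhaust its
    recursion budget.
    """
    if not isinstance(value, str) or len(value) > max_len:
        return None
    try:
        realname, addr = parseaddr(value)
    except RecursionError:
        # Parser exhaustion is a parse failure, not an application failure.
        return None
    if not addr:
        return None
    return realname, addr


def modern_from_address(raw_header_block):
    """Parse a header block with the non-legacy API and the default policy.

    With email.policy.default the 'From' header is a structured object whose
    .addresses entries expose display_name and addr_spec separately.
    """
    msg = email.message_from_string(raw_header_block, policy=email.policy.default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return None
    first = from_header.addresses[0]
    return first.display_name, first.addr_spec


if __name__ == "__main__":
    print("legacy raises on nested groups:", legacy_raises_recursion_error(NESTED_GROUPS))
    print("guarded parse of nested groups:", safe_parseaddr(NESTED_GROUPS))
    print("guarded parse of benign input:", safe_parseaddr(BENIGN))
    print("modern parse of From header:", modern_from_address("From: " + BENIGN + "\n\n"))
```

The wrapper deliberately applies the length check before calling the parser, so an oversized value never reaches the recursive code at all; the RecursionError handler only covers short inputs that still manage to nest deeply. An application that already handles parse failures (an empty address, for instance) can route the None result through that same path.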

Timeline

Published on: 06/25/2023 18:15:00 UTC
Last modified on: 07/06/2023 16:00:00 UTC