Version in base suite: 1.10.4-1 Base version: pydantic_1.10.4-1 Target version: pydantic_1.10.4-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pydantic/pydantic_1.10.4-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pydantic/pydantic_1.10.4-1+deb12u1.dsc changelog | 9 +++++++ patches/CVE-2024-3772.patch | 56 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 66 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmprjlv8bz9/pydantic_1.10.4-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmprjlv8bz9/pydantic_1.10.4-1+deb12u1.dsc: no acceptable signature found
diff -Nru pydantic-1.10.4/debian/changelog pydantic-1.10.4/debian/changelog
--- pydantic-1.10.4/debian/changelog 2023-01-22 10:40:15.000000000 +0000
+++ pydantic-1.10.4/debian/changelog 2026-05-24 14:34:51.000000000 +0000
@@ -1,3 +1,12 @@
+pydantic (1.10.4-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches:
+ - CVE-2024-3772: Import upstream patch
+ (Fix ReDoS vulnerability in email validation)
+
+ -- Matheus Polkorny Sun, 24 May 2026 11:34:51 -0300
+
 pydantic (1.10.4-1) unstable; urgency=medium
 * Team upload.
diff -Nru pydantic-1.10.4/debian/patches/CVE-2024-3772.patch pydantic-1.10.4/debian/patches/CVE-2024-3772.patch
--- pydantic-1.10.4/debian/patches/CVE-2024-3772.patch 1970-01-01 00:00:00.000000000 +0000
+++ pydantic-1.10.4/debian/patches/CVE-2024-3772.patch 2026-05-24 14:34:51.000000000 +0000
@@ -0,0 +1,56 @@
+From: Hasan Ramezani
+Date: Wed, 27 Sep 2023 18:11:42 +0200
+Subject: [Backport] Add max length check to `validate_email` (#7673)
+
+Origin: upstream, https://github.com/pydantic/pydantic/commit/59d8f38fd6220e3917c53785dbc70317d6f8e631
+---
+ changes/7673-hramezani.md | 1 +
+ pydantic/networks.py | 7 +++++++
+ tests/test_networks.py | 1 +
+ 3 files changed, 9 insertions(+)
+ create mode 100644 changes/7673-hramezani.md
+
+diff --git a/changes/7673-hramezani.md b/changes/7673-hramezani.md
+new file mode 100644
+index 0000000..dbb9829
+--- /dev/null
++++ b/changes/7673-hramezani.md
+@@ -0,0 +1 @@
++Fix: Add max length check to `pydantic.validate_email`
+diff --git a/pydantic/networks.py b/pydantic/networks.py
+index e1eef7b..6c45f0a 100644
+--- a/pydantic/networks.py
++++ b/pydantic/networks.py
+@@ -702,6 +702,10 @@ class IPvAnyNetwork(_BaseNetwork): # type: ignore
+
+
+ pretty_email_regex = re.compile(r'([\w ]*?) *<(.*)> *')
++MAX_EMAIL_LENGTH = 2048
++"""Maximum length for an email.
++A somewhat arbitrary but very generous number compared to what is allowed by most implementations.
++"""
+
+
+ def validate_email(value: Union[str]) -> Tuple[str, str]:
+@@ -718,6 +722,9 @@ def validate_email(value: Union[str]) -> Tuple[str, str]:
+ if email_validator is None:
+ import_email_validator()
+
++ if len(value) > MAX_EMAIL_LENGTH:
++ raise errors.EmailError()
++
+ m = pretty_email_regex.fullmatch(value)
+ name: Optional[str] = None
+ if m:
+diff --git a/tests/test_networks.py b/tests/test_networks.py
+index eb717f9..c31448b 100644
+--- a/tests/test_networks.py
++++ b/tests/test_networks.py
+@@ -789,6 +789,7 @@ def test_address_valid(value, name, email):
+ '\"@example.com',
+ ',@example.com',
+ 'foobar ',
++ 'foobar <' + 'a' * 4096 + '@example.com>',
+ ],
+ )
+ def test_address_invalid(value):
diff -Nru pydantic-1.10.4/debian/patches/series pydantic-1.10.4/debian/patches/series
--- pydantic-1.10.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ pydantic-1.10.4/debian/patches/series 2026-05-24 14:34:51.000000000 +0000
@@ -0,0 +1 @@
+CVE-2024-3772.patch
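Review bot: In debian/patches/CVE-2024-3772.patch, the new parametrized case in tests/test_networks.py (`'foobar <' + 'a' * 4096 + '@example.com>'`) cannot show that the length guard added to `validate_email` is what rejects the value, because the guard raises the same `errors.EmailError` as later validation, and a 4096-character local part would presumably be refused by email_validator anyway. A test that isolates the guard would assert that an over-limit value is rejected without `pretty_email_regex` or email_validator being reached, or would bound the runtime of the call. The check appears to do its job only because it sits ahead of `pretty_email_regex.fullmatch(value)`, so a comment above `if len(value) > MAX_EMAIL_LENGTH:` such as `# Keep this ahead of pretty_email_regex: it caps the regex's worst-case work (CVE-2024-3772)` would guard against a later refactor moving it. `validate_email` starts and ends outside the inner hunk, so the rest of its body is not visible here.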