Debian Bug report logs - #960062
libemail-mime-perl: CVE-2024-4140: DoS on excessive or deeply nested parts
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960062; Package libemail-mime-perl. (Fri, 08 May 2020 22:09:03 GMT)
Acknowledgement sent to Perl Email user <p5p@yhbt.net>: New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 08 May 2020 22:09:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libemail-mime-perl
Version: 1.946-1
Severity: important
Tags: upstream
Messages with too many tiny MIME parts can OOM on split().
Messages with many nested MIME parts can also fail on deep
recursion (Email::MIME->new calls ->subparts, ->subparts calls
->new, ad infinitum).
Smallish messages can generate these, since a boundary
only needs to be 4 bytes "--a\n" and the header+body of
each part can just be 4 bytes "x:y\n\n", too.
Perl takes 42 bytes to represent a 4 byte string on 64-bit:
use Devel::Size; say Devel::Size::total_size("--\n\n")
This affects many other MIME parsers, too.
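The two failure modes the report describes, a part count that exhausts memory in split() and nesting that recurses without bound, share one mitigation: bound both before doing the work. The following Python is an added example, not Email::MIME's code (which is Perl) and not the upstream fix; it mirrors the idea of the $Email::MIME::MAX_DEPTH limit quoted later in this log and adds a total-part cap that is checked by counting delimiters before the body is split, so a message made of thousands of tiny parts is refused without first materialising one string per part. MAX_PARTS, the helper names and the sample messages are assumptions constructed for this example.

```python
import re

MAX_DEPTH = 10    # same default as $Email::MIME::MAX_DEPTH in the 1.947 changelog entry
MAX_PARTS = 1000  # assumed cap on the total number of parts; not a value from the bug report


class MimeLimitExceeded(ValueError):
    """Raised when a message exceeds the nesting or part-count limit."""


_BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)


def split_headers_body(raw):
    """Split a message or part into (lower-cased header dict, body) at the first blank line."""
    head, sep, body = raw.partition("\n\n")
    if not sep:                       # no blank line: header block only, empty body
        head, body = raw, ""
    headers = {}
    for line in head.split("\n"):
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_parts(raw, depth=0, counter=None):
    """Return a dict tree of parts, refusing input that exceeds MAX_DEPTH or MAX_PARTS."""
    if counter is None:
        counter = {"parts": 0}        # shared across the whole recursion
    if depth > MAX_DEPTH:
        raise MimeLimitExceeded("nesting deeper than MAX_DEPTH=%d" % MAX_DEPTH)
    counter["parts"] += 1
    if counter["parts"] > MAX_PARTS:
        raise MimeLimitExceeded("more than MAX_PARTS=%d parts" % MAX_PARTS)

    headers, body = split_headers_body(raw)
    ctype = headers.get("content-type", "text/plain")   # RFC 2045 default when absent
    match = _BOUNDARY_RE.search(ctype)
    if not ctype.lower().startswith("multipart/") or not match:
        return {"type": ctype, "body": body}             # leaf part, nothing to recurse into

    delim = "--" + match.group(1)
    # Pre-check on a plain count: the number of delimiters (including the closing
    # "--boundary--") is an upper bound on the subparts, and str.count allocates
    # nothing, unlike the split below, which creates one string per part.
    if counter["parts"] + body.count(delim) > MAX_PARTS:
        raise MimeLimitExceeded("more than MAX_PARTS=%d parts" % MAX_PARTS)

    subparts = []
    for chunk in body.split(delim)[1:]:       # [0] is the preamble before the first delimiter
        if chunk.startswith("--"):            # closing delimiter reached
            break
        if chunk.startswith("\r\n"):          # drop the line break that ends the delimiter line
            chunk = chunk[2:]
        elif chunk.startswith("\n"):
            chunk = chunk[1:]
        subparts.append(parse_parts(chunk, depth + 1, counter))
    return {"type": ctype, "parts": subparts}


def check(raw):
    """Return ("ok", tree) for accepted input or ("rejected", reason) for refused input."""
    try:
        return "ok", parse_parts(raw)
    except MimeLimitExceeded as exc:
        return "rejected", str(exc)


def max_depth_of(tree):
    """Nesting depth of a parsed tree (0 for a leaf), to inspect the walker's output."""
    if "parts" not in tree:
        return 0
    return 1 + max((max_depth_of(p) for p in tree["parts"]), default=0)


def nested_fixture(levels):
    """Constructed sample: one text part wrapped in `levels` multipart layers."""
    msg = "Content-Type: text/plain\n\nhello\n"
    for i in range(levels):
        b = "b%02d" % i
        msg = ('Content-Type: multipart/mixed; boundary="%s"\n\n--%s\n%s--%s--\n'
               % (b, b, msg, b))
    return msg


def flat_fixture(count):
    """Constructed sample: `count` minimal sibling parts (an "x:y" header and empty body)."""
    return ('Content-Type: multipart/mixed; boundary="a"\n\n'
            + "--a\nx:y\n\n" * count + "--a--\n")


if __name__ == "__main__":
    samples = {"nested x2": nested_fixture(2),
               "nested x%d" % (MAX_DEPTH + 1): nested_fixture(MAX_DEPTH + 1),
               "flat x5": flat_fixture(5),
               "flat x%d" % MAX_PARTS: flat_fixture(MAX_PARTS)}
    for label, raw in samples.items():
        status, detail = check(raw)
        print("%-12s %s" % (label, status if status == "ok" else "rejected: " + detail))
```

The depth check runs on entry to each recursion, so a message with MAX_DEPTH multipart layers is accepted and one more layer is refused; the part cap is enforced twice, once cheaply on the delimiter count before any split and once per part as a backstop, which is the order that matters when the input is crafted to be expensive to split.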
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960062; Package libemail-mime-perl. (Fri, 08 May 2020 22:21:06 GMT)
Acknowledgement sent to Perl Email user <p5p@yhbt.net>: Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 08 May 2020 22:21:06 GMT)
Message #10 received at 960062@bugs.debian.org:
tags 960062 + security
quit
Oops, forgot security tag :x
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 May 2020 06:21:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960062; Package libemail-mime-perl. (Tue, 28 Nov 2023 10:45:02 GMT)
Acknowledgement sent to Miriam Espana Acebal <miriam.espana@canonical.com>: Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 28 Nov 2023 10:45:02 GMT)
Message #19 received at 960062@bugs.debian.org:
Hi,
I'm working on this package on Ubuntu, to promote it from universe to main.
I saw this bug, and it could be a blocker for that process. Reading the
changes files, the following entry seems to be related (per the comments on
upstream's issue [1] too):
1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
- add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that many
parts; current default: 10
Do you know, as maintainers, if this bug is fixed with that? One of the
reviewers already asked upstream [1] to see if we can get a confirmation
from there.
Any clue is highly appreciated... thanks in advance.
Miriam (mirespace)
[1] https://github.com/rjbs/Email-MIME/issues/66
--
Miriam España Acebal
Software Engineer II - Ubuntu PublicCloud/Server
Canonical Ltd.
Reply sent to gregor herrmann <gregoa@debian.org>: You have taken responsibility. (Wed, 21 Feb 2024 19:57:06 GMT)
Notification sent to Perl Email user <p5p@yhbt.net>: Bug acknowledged by developer. (Wed, 21 Feb 2024 19:57:06 GMT)
Message #24 received at 960062-done@bugs.debian.org:
Version: 1.949-1
On Tue, 28 Nov 2023 11:43:27 +0100, Miriam Espana Acebal wrote:
> I'm working on this package on Ubuntu, to promote it from universe to main.
> I saw this bug, and it could be a blocker for that process. Reading the
> changes files, the following entry seems to be related (per the comments on
> upstream's issue [1] too):
>
> 1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
> - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that many
> parts; current default: 10
>
> Do you know, as maintainers, if this bug is fixed with that? One of the
> reviewers already asked upstream [1] to see if we can get a confirmation
> from there.
This has been answered in the upstream ticket now:
https://github.com/msimerson/mail-dmarc/issues/216#issuecomment-1945033737
Hence closing the bug (at the first version after 1.947 which was
uploaded to the Debian archive.)
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Mar 2024 07:26:06 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 07:54:05 GMT)
Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 07:54:06 GMT)
No longer marked as fixed in versions 1.949-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 07:54:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960062; Package libemail-mime-perl. (Thu, 02 May 2024 07:57:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 02 May 2024 07:57:04 GMT)
Message #37 received at 960062@bugs.debian.org:
Hi
On Wed, Feb 21, 2024 at 07:57:06PM +0000, Debian Bug Tracking System wrote:
[...]
> Version: 1.949-1
>
> On Tue, 28 Nov 2023 11:43:27 +0100, Miriam Espana Acebal wrote:
>
> > I'm working on this package on Ubuntu, to promote it from universe to main.
> > I saw this bug, and it could be a blocker for that process. Reading the
> > changes files, the following entry seems to be related (per the comments on
> > upstream's issue [1] too):
> >
> > 1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
> > - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that many
> > parts; current default: 10
> >
> > Do you know, as maintainers, if this bug is fixed with that? One of the
> > reviewers already asked upstream [1] to see if we can get a confirmation
> > from there.
>
> This has been answered in the upstream ticket now:
> https://github.com/msimerson/mail-dmarc/issues/216#issuecomment-1945033737
>
> Hence closing the bug (at the first version after 1.947 which was
> uploaded to the Debian archive.)
As per
https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2024085120
I'm reopening this issue. Let's consider it only as fixed once the
changes provided by rjbs are merged as well? Is that okay for you
Gregor?
Regards,
Salvatore
Changed Bug title to 'libemail-mime-perl: CVE-2024-4140: DoS on excessive or deeply nested parts' from 'libemail-mime-perl: DoS on excessive or deeply nested parts'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 20:27:04 GMT)
Last modified: Fri May 3 11:55:17 2024