libemail-mime-perl: CVE-2024-4140: DoS on excessive or deeply nested parts

Debian Bug report logs - #960062
libemail-mime-perl: CVE-2024-4140: DoS on excessive or deeply nested parts

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Perl Email user <p5p@yhbt.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libemail-mime-perl: DoS on excessive or deeply nested parts

Date: Fri, 08 May 2020 21:58:27 +0000

Package: libemail-mime-perl
Version: 1.946-1
Severity: important
Tags: upstream

Messages with too many tiny MIME parts can OOM on split().

Messages with many nested MIME parts can also fail on deep
recursion (Email::MIME->new calls ->subparts, ->subparts calls
->new, ad infinitum).

Smallish messages can generate these, since the a boundary
only needs to be 4 bytes "--a\n" and the header+body of
each part can just be 4 bytes "x:y\n\n", too.

Perl takes 42 bytes to represent a 4 byte string on 64-bit:

	use Devel::Size; say Devel::Size::total_size("--\n\n")

This affects many other MIME parsers, too.

Message #10 received at 960062@bugs.debian.org (full text, mbox, reply):

From: Perl Email user <p5p@yhbt.net>

To: 960062@bugs.debian.org

Subject: Re: Bug#960062: Acknowledgement (libemail-mime-perl: DoS on excessive or deeply nested parts)

Date: Fri, 8 May 2020 22:11:42 +0000

tags 960062 + security
quit

Oops, forgot security tag :x

Message #19 received at 960062@bugs.debian.org (full text, mbox, reply):

From: Miriam Espana Acebal <miriam.espana@canonical.com>

To: 960062@bugs.debian.org

Date: Tue, 28 Nov 2023 11:43:27 +0100

[Message part 1 (text/plain, inline)]

Hi,

I'm working on this package on Ubuntu, to promote it from universe to main.
I saw this bug, and it could be a blocker for that process. Reading the
changes files,
the following entry seems to be related (per the comments on
upstream's issue [1] too):

         1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
        - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that
many
          parts; current default: 10

Do you know, as maintainers, if this bug is fixed with that?  One of the
reviewers already asked upstream [1] to see if we can get a confirmation
from there.

Any clue is highly appreciated... thanks in advance.

Miriam (mirespace)

[1] *https://github.com/rjbs/Email-MIME/issues/66
<https://github.com/rjbs/Email-MIME/issues/66> *
-- 
Miriam España Acebal
Software Engineer II - Ubuntu PublicCloud/Server
Canonical Ltd.

[Message part 2 (text/html, inline)]

Message #24 received at 960062-done@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org>

To: Miriam Espana Acebal <miriam.espana@canonical.com>, 960062-done@bugs.debian.org

Subject: Re: Bug#960062:

Date: Wed, 21 Feb 2024 20:55:24 +0100

[Message part 1 (text/plain, inline)]

Version: 1.949-1

On Tue, 28 Nov 2023 11:43:27 +0100, Miriam Espana Acebal wrote:

> I'm working on this package on Ubuntu, to promote it from universe to main.
> I saw this bug, and it could be a blocker for that process. Reading the
> changes files,
> the following entry seems to be related (per the comments on
> upstream's issue [1] too):
> 
>          1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
>         - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that
> many
>           parts; current default: 10
> 
> Do you know, as maintainers, if this bug is fixed with that?  One of the
> reviewers already asked upstream [1] to see if we can get a confirmation
> from there.

This has been answered in the upstream ticket now:
https://github.com/msimerson/mail-dmarc/issues/216#issuecomment-1945033737

Hence closing the bug (at the first version after 1.947 which was
uploaded to the Debian archive.)


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 960062@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 960062@bugs.debian.org, gregoa@debian.org

Cc: Perl Email user <p5p@yhbt.net>

Subject: Re: Bug#960062 closed by gregor herrmann <gregoa@debian.org> (Re: Bug#960062:)

Date: Thu, 2 May 2024 09:55:35 +0200

Hi 

On Wed, Feb 21, 2024 at 07:57:06PM +0000, Debian Bug Tracking System wrote:
[...]
> Version: 1.949-1
> 
> On Tue, 28 Nov 2023 11:43:27 +0100, Miriam Espana Acebal wrote:
> 
> > I'm working on this package on Ubuntu, to promote it from universe to main.
> > I saw this bug, and it could be a blocker for that process. Reading the
> > changes files,
> > the following entry seems to be related (per the comments on
> > upstream's issue [1] too):
> > 
> >          1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
> >         - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that
> > many
> >           parts; current default: 10
> > 
> > Do you know, as maintainers, if this bug is fixed with that?  One of the
> > reviewers already asked upstream [1] to see if we can get a confirmation
> > from there.
> 
> This has been answered in the upstream ticket now:
> https://github.com/msimerson/mail-dmarc/issues/216#issuecomment-1945033737
> 
> Hence closing the bug (at the first version after 1.947 which was
> uploaded to the Debian archive.)

As per
https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2024085120
I'm reopening this issue. Let's consider it only as fixed once the
changes provided by rjbs are merged as well? Is that okay for you
Gregor?

Regards,
Salvatore

Send a report that this bug log contains spam.