
Debian Bug report logs - #901873
CVE-2018-12558: DOS vulnerability in perl module Email::Address


Reported by: Pali Rohár <pali.rohar@gmail.com>

Date: Tue, 19 Jun 2018 17:48:02 UTC

Severity: normal

Tags: security, upstream

Merged with 922854

Found in versions libemail-address-perl/1.908-1, libemail-address-perl/1.909-1

Fixed in versions libemail-address-perl/1.908-1+deb9u1, libemail-address-perl/1.912-1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Perl-Email-Project/Email-Address/issues/19



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#901873; Package libemail-address-perl. (Tue, 19 Jun 2018 17:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Pali Rohár <pali.rohar@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 19 Jun 2018 17:48:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Pali Rohár <pali.rohar@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2018-12558: DOS vulnerability in perl module Email::Address
Date: Tue, 19 Jun 2018 19:44:48 +0200
[Message part 1 (text/plain, inline)]
Package: libemail-address-perl
Version: 1.909-1

The Perl module Email::Address, including the latest version 1.909, is
vulnerable to an algorithmic complexity problem and can cause a denial of
service when an attacker prepares specially crafted input. The root of this
problem is that parsing of email addresses in the Email::Address module is
done by regular expressions, which in Perl can be exponential.

The trivial input is 30 form-feed characters. You can test it with the
following one-liner:

$ perl -MEmail::Address -E 'Email::Address->parse("\f" x 30)'

Vulnerable are all applications which receive (untrusted) emails and
parse address headers (From/To/Cc/...) with the Email::Address module. Such
an application can be DOSed by sending an email with 30 form-feed characters
in the From or To header.

Note that this is not the only problematic input; due to the way
Email::Address is implemented, it should be possible to prepare more
non-trivial inputs.

This problem was already reported to the Debian Security Team, and they
suggested asking MITRE to assign a CVE identifier. MITRE has now assigned
CVE-2018-12558.

-- 
Pali Rohár
pali.rohar@gmail.com
[signature.asc (application/pgp-signature, inline)]
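The report above describes an algorithmic-complexity (regex backtracking) problem in Email::Address->parse() and names the fixed package versions; until an application can move to a fixed version, the usual defensive pattern is to refuse address header values that cannot be valid (control bytes other than folding whitespace) before they reach the parser, and to put a wall-clock budget around the parse call. The script below is an added example illustrating that pattern; it is not code from the bug report, from Debian, or from the Email::Address project. The helper names looks_sane and parse_bounded, the two-second budget and the sample header values are all constructed for the illustration; the only library calls used are the documented Email::Address->parse() and the address() accessor on the objects it returns.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Email::Address;

# Constructed sample header values for the demonstration (not taken from
# the bug report's attachments): one ordinary From/To value and the
# degenerate 30-form-feed input the report mentions.
my @samples = (
    [ 'ordinary header', 'Alice Example <alice@example.com>, bob@example.com' ],
    [ '30 form feeds',   "\f" x 30 ],
);

# Hypothetical pre-filter: RFC 5322 header values are printable ASCII plus
# folding whitespace (SP, HTAB, CR, LF). Form feeds and other control bytes
# have no place in an address header, so reject them before parsing.
sub looks_sane {
    my ($value) = @_;
    return $value !~ /[^\x20-\x7e\t\r\n]/;
}

# Hypothetical wrapper: run the parser under a wall-clock budget so a parse
# that exceeds it is treated as malformed instead of pinning the CPU.
sub parse_bounded {
    my ($value, $seconds) = @_;
    $seconds //= 2;
    unless (looks_sane($value)) {
        warn "address header rejected: control characters present\n";
        return ();
    }
    my @addrs;
    eval {
        local $SIG{ALRM} = sub { die "parse timeout\n" };
        alarm $seconds;
        @addrs = Email::Address->parse($value);
        alarm 0;
        1;
    } or do {
        alarm 0;
        warn "address header rejected: $@";
        return ();
    };
    return @addrs;
}

for my $sample (@samples) {
    my ($label, $header) = @$sample;
    my @addrs = parse_bounded($header, 2);
    printf "%-16s => %d address(es)%s\n", $label, scalar @addrs,
        (@addrs ? ': ' . join(', ', map { $_->address } @addrs) : '');
}
```

The pre-filter is the part that gives a hard guarantee for the input class the report demonstrates; the alarm is a secondary net. With Perl's default "safe signals", the SIGALRM handler runs only between opcodes, so a single very long regex match may not be interrupted promptly, which is why the budget alone should not be relied on. Neither measure replaces upgrading to a version containing the upstream fix (1.911 or later, per the close message in this log), since the report notes that other inputs beyond the form-feed case can trigger the same behaviour.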

Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Jun 2018 18:54:02 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://github.com/Perl-Email-Project/Email-Address/issues/19'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Jul 2018 08:39:05 GMT) (full text, mbox, link).


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Wed, 02 Jan 2019 22:39:05 GMT) (full text, mbox, link).


Notification sent to Pali Rohár <pali.rohar@gmail.com>:
Bug acknowledged by developer. (Wed, 02 Jan 2019 22:39:05 GMT) (full text, mbox, link).


Message #14 received at 901873-close@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org>
To: 901873-close@bugs.debian.org
Subject: Bug#901873: fixed in libemail-address-perl 1.912-1
Date: Wed, 02 Jan 2019 22:35:07 +0000
Source: libemail-address-perl
Source-Version: 1.912-1

We believe that the bug you reported is fixed in the latest version of
libemail-address-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901873@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libemail-address-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed,  2 Jan 2019 23:23:17 CET
Source: libemail-address-perl
Binary: libemail-address-perl
Architecture: source
Version: 1.912-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libemail-address-perl - Perl module for RFC 2822 address parsing and creation
Closes: 868170 901873
Changes:
 libemail-address-perl (1.912-1) unstable; urgency=medium
 .
   * Team upload.
 .
   * Import upstream version 1.911.
     Fixes the following bugs:
     - "Email::Address->parse() is vulnerable to CVE-2015-7686"
       (Closes: #868170)
     - "CVE-2018-12558: DOS vulnerability in perl module Email::Address"
       (Closes: #901873)
   * Declare compliance with Debian Policy 4.3.0.
   * Bump debhelper compatibility level to 11.
   * Remove trailing whitespace from debian/*.
   * Remove deprecation warning from debian/control.
   * Update lintian override (changed tag for some non-issue).
 .
   * Import upstream version 1.912, containing a documentation update.
   * Update years of packaging copyright.
Checksums-Sha256: 
 411c45c9fb23fd5d177cf0b6c9324b3f1923e4af33b8115c0c13608085ef98bc 2317 libemail-address-perl_1.912-1.dsc
 0fa3785298cc2f6780e63e3a5fb1ca814dcbc360ceb59ed8fa84eb4ffa06f9ef 42390 libemail-address-perl_1.912.orig.tar.gz
 028c948767fec4db7dde6cad15ee417f5802da54e1ddea3a2fe57b00ca877ea9 4128 libemail-address-perl_1.912-1.debian.tar.xz
 60a6b8b640500e2f6671b31a33434f6b7e26e4aeedb01d816ff92c4e4ef6a33d 5536 libemail-address-perl_1.912-1_sourceonly.buildinfo
Checksums-Sha1: 
 6d204ac1bc84c8fd9bb5cb9ce8eee9e6e6ef2e39 2317 libemail-address-perl_1.912-1.dsc
 09435ccc6559572f26835608086a8c00ccb6d21a 42390 libemail-address-perl_1.912.orig.tar.gz
 4018636cab4d8ec2eff7eac120726ae764e271fc 4128 libemail-address-perl_1.912-1.debian.tar.xz
 671c7ed076e60af618146900c966c7bfab1019ef 5536 libemail-address-perl_1.912-1_sourceonly.buildinfo
Files: 
 c9c834eae386018aab1472c73bab1930 2317 perl optional libemail-address-perl_1.912-1.dsc
 24a75497f11e8a8225cb6d99a5e6e647 42390 perl optional libemail-address-perl_1.912.orig.tar.gz
 3408b1daff8b0e93a71c0a5f085bdfae 4128 perl optional libemail-address-perl_1.912-1.debian.tar.xz
 bdf08e30c7e17e6112aa22e3f898d27f 5536 - - libemail-address-perl_1.912-1_sourceonly.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAlwtOdZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgYwORAAl6QYP4EbJb4PebeBcOW0UVx6y6FaqTb17Q3at7n/6wH5oUHucmKkf2kQ
ZhTr+3zXMqnGobAC8M/WSMZNj4a+HmzmOAmUKOc/wsvsw417fgOkNBdn3+QKhs3n
R7KK1VQV93pHH0jPXOJ9IN6nf8d7nDrKodHtV7qHtQSXxefcJ7N3R/0zOt28o9vM
Usd6HwabCgpe7YfM9txoHOhT0j8PptZzy3GRt+QS8Z4XLZMaLyWid5SpcxV3kdmJ
fGpHDni0jDK+OEJJdttpOpPG+8/6IT5RXFq6uOb+GhaZNmL4pFe2FTn0fthL088/
muPMwc5fVnQZaDmK929+A08O3DKlxjg+NzJpOmR1aKmT1ih/qYIAEiDlzCOyM5wI
0kKY75IAKQuo7PElBZ7jiZP24loOESIWD2hms3P435CFTurf2U2lGly/kPQYF4un
jQIph9eSNqMsIaHOm14rmzzxlrPG12bAXz/baSWHZDUCURBZ9yGmmnb9EiIbVdpK
NV24dkiF0zgubaS76G3xWf9R19Gp576udzjlQQ5zcvIQnj2ELo56jEQKBiUREIRw
/ae54QKHQjWMKgFIA58Su+I6YaKmZUCpfEAdgLxEbbhu815C6Wu+yZRNUs7dJvhv
hhCdWZ6IxTAWAoptofhVuzqxqOui8SZD8eRFrQHFDWafg+6XZ6g=
=VQY4
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Feb 2019 07:31:59 GMT) (full text, mbox, link).


Bug unarchived. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Thu, 21 Feb 2019 13:21:03 GMT) (full text, mbox, link).


Marked as found in versions libemail-address-perl/1.908-1. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Thu, 21 Feb 2019 13:21:04 GMT) (full text, mbox, link).


Marked as fixed in versions libemail-address-perl/1.908-1+deb9u1. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Thu, 21 Feb 2019 13:21:04 GMT) (full text, mbox, link).


Bug archived. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Thu, 21 Feb 2019 13:21:05 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Feb 2019 14:03:05 GMT) (full text, mbox, link).


Merged 901873 922854 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Feb 2019 14:03:08 GMT) (full text, mbox, link).


Bug archived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Feb 2019 14:03:08 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:39:43 2019; Machine Name: buxtehude
