Per http://seclists.org/oss-sec/2018/q2/211 ...

> The Perl module Email::Address, also in the latest version 1.909, is vulnerable to an algorithmic complexity problem and can cause a denial of service when an attacker prepares specially crafted input. The root of this problem is that the parsing of email addresses in the Email::Address module is done by regular expressions, which in Perl can be exponential. The trivial input is 30 form-feed characters. You can test it with the following one-liner:
>
>     $ perl -MEmail::Address -E 'Email::Address->parse("\f" x 30)'
>
> Vulnerable are all applications which receive (untrusted) emails and parse address headers (From/To/Cc/...) with the Email::Address module. Such applications can be DoSed by sending an email with 30 form-feed characters in the From or To header. Note that this is not the only problematic input; due to the way Email::Address is implemented, it should be possible to prepare more non-trivial inputs.

Further information:

* https://www.mail-archive.com/pep@perl.org/msg00544.html
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873
Note that any applications that are reverse dependencies of Email::Address would ideally be modified to use Email::Address::XS instead. There is virtually no prospect of this issue being resolved in Email::Address.
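The following is an added example (not code from this bug report, from Email::Address, or from Gentoo) showing how a consumer of address headers can protect itself along the two lines discussed above: prefer Email::Address::XS when it is installed, and otherwise bound both the input size and the wall-clock time spent in Email::Address->parse so a pathological header cannot stall the process. The 1024-byte cap and the 2-second timeout are assumed values, and the sample headers are constructed for the demonstration; the pathological one is the 30-form-feed input from the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed limits for this example; tune per deployment.
my $MAX_HEADER_BYTES = 1024;
my $PARSE_TIMEOUT    = 2;

# Email::Address::XS parses with a hand-written C parser rather than
# backtracking regexes, so it is preferred when available.
my $HAVE_XS = eval { require Email::Address::XS; 1 };

# Returns (\@addresses, undef) on success or (undef, $reason) when the
# header is rejected or parsing is aborted.
sub parse_header_safely {
    my ($header) = @_;

    # Cheap first line of defence: oversized headers are refused outright.
    return (undef, 'header too long') if length($header) > $MAX_HEADER_BYTES;

    my @addrs;
    if ($HAVE_XS) {
        # Email::Address-compatible class method provided by Email::Address::XS.
        @addrs = Email::Address::XS->parse($header);
    }
    else {
        require Email::Address;
        my $ok = eval {
            local $SIG{ALRM} = sub { die "parse timeout\n" };
            alarm $PARSE_TIMEOUT;
            @addrs = Email::Address->parse($header);
            alarm 0;
            1;
        };
        my $err = $@;
        alarm 0;    # always clear the timer, even when the eval died
        unless ($ok) {
            return (undef, $err =~ /^parse timeout/ ? 'parse timeout'
                                                    : "parse error: $err");
        }
    }
    return (\@addrs, undef);
}

# Constructed sample headers: a normal one and the pathological one.
my @samples = (
    'Alice <alice@example.com>, bob@example.org',
    "\f" x 30,
);

for my $hdr (@samples) {
    my ($addrs, $err) = parse_header_safely($hdr);
    if ($err) {
        print "rejected: $err\n";
        next;
    }
    print 'parsed: ', join(', ', map { $_->address } @$addrs), "\n";
}
```

The alarm-based fallback relies on SIGALRM and so does not apply on Windows; there, the length cap and switching to Email::Address::XS are the usable mitigations. Note that the timeout only limits how long one header can occupy a worker; it does not make Email::Address's regex parsing itself safe, which is why the XS module is tried first.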
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=881118bfa7e587e634c5568c71b2251cc78665a4

commit 881118bfa7e587e634c5568c71b2251cc78665a4
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2019-07-10 14:17:30 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2019-07-10 14:17:30 +0000

    dev-perl/Email-Address: Bump to version 1.912.0 re bug #658562

    Upstream:
    - Add mitigation for DoS via pathologically constructed email addresses
      in CVE-2015-7686 and CVE-2015-12558

    Bug: https://bugs.gentoo.org/658562
    Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7686
    Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12558
    Package-Manager: Portage-2.3.66, Repoman-2.3.16
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Email-Address/Email-Address-1.912.0.ebuild | 25 ++++++++++++++++++++++
 dev-perl/Email-Address/Manifest                |  1 +
 2 files changed, 26 insertions(+)
Arches please stabilize dev-perl/Email-Address-1.912.0
ppc stable
amd64 stable
ppc64 stable
sparc stable
ia64 stable
x86 stable
alpha stable

all arches stable
@maintainer(s), please cleanup by dropping vulnerable version 1.908.0.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78387a9ee6c848dab80b93b5475dc1e18228ab31

commit 78387a9ee6c848dab80b93b5475dc1e18228ab31
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-26 19:10:54 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-26 19:10:54 +0000

    dev-perl/Email-Address: security cleanup (bug #658562)

    Bug: https://bugs.gentoo.org/658562
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../Email-Address/Email-Address-1.908.0.ebuild | 25 ----------------------
 dev-perl/Email-Address/Manifest                |  1 -
 2 files changed, 26 deletions(-)
GLSA Vote: No

Repository is clean, all done!