Bug 719454 (CVE-2018-18898)

Summary: <dev-perl/Email-Address-List-0.60.0: Denial of service via parsing time complexity (CVE-2018-18898)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: kentnl, perl, titanofold
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-25 22:57:53 UTC
Description:
"The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-25 22:58:52 UTC
This seems to actually be a bug in Email-Address-List. Debian have tracked down the patches but 0.6 is fixed anyway.

So, @maintainer(s), please clean up =dev-perl/Email-Address-List-0.50.0.
Comment 2 Larry the Git Cow gentoo-dev 2020-04-26 12:34:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5951fb95d5762ed1b84596148cdc3d441aac39f9

commit 5951fb95d5762ed1b84596148cdc3d441aac39f9
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-04-26 12:25:01 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-04-26 12:33:57 +0000

    dev-perl/Email-Address-List: Security cleanup 0.50.0 re bug #719454
    
    Removing versions affected by CVE-2018-18898
    
    Bug: https://bugs.gentoo.org/719454
    Bug: https://nvd.nist.gov/vuln/detail/CVE-2018-18898
    Bug: https://www.cvedetails.com/cve/CVE-2018-18898/
    Bug: https://docs.bestpractical.com/release-notes/rt/4.4.4
    Package-Manager: Portage-2.3.97, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Email-Address-List-0.50.0.ebuild               | 33 ----------------------
 dev-perl/Email-Address-List/Manifest               |  1 -
 2 files changed, 34 deletions(-)
Comment 3 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2020-04-26 12:35:07 UTC
Cleanup done, over to sec to finish this off :)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 13:16:32 UTC
(In reply to Kent Fredric (IRC: kent\n) from comment #3)
> Cleanup done, over to sec to finish this off :)

Thanks!