Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658562 (CVE-2018-12558) - <dev-perl/Email-Address-1.912.0: Denial of Service (CVE-2018-12558)
Summary: <dev-perl/Email-Address-1.912.0: Denial of Service (CVE-2018-12558)
Status: RESOLVED FIXED
Alias: CVE-2018-12558
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2018/q2/211
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-20 12:13 UTC by Kerin Millar
Modified: 2020-03-26 19:11 UTC (History)
1 user (show)

See Also:
Package list:
dev-perl/Email-Address-1.912.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kerin Millar 2018-06-20 12:13:33 UTC
Per http://seclists.org/oss-sec/2018/q2/211 ...

<blockquote>

Perl module Email::Address, also in the last version 1.909 is vulnerable
to Algorithm Complexity problem and can cause Denial of Service when
attacker prepares specially crafted input. Root of this problem is that
parsing of email addresses in Email::Address module is done by regular
expressions, which in perl can be exponential.

The trivial input is 30 form-fields characters. You can test it with
following oneliner:

$ perl -MEmail::Address -E 'Email::Address->parse("\f" x 30)'

Vulnerable are all applications which receive (untrusted) emails and
parse address headers (From/To/Cc/...) by Email::Address module. Such
application can be DOSed by sending email with 30 form-fields characters
in From or To header.

Note that this is not the only one problematic input, due to way how is
Email::Address implemented it should be possible to prepare more
non-trivial inputs.

</blockquote>

Further information:-

* https://www.mail-archive.com/pep@perl.org/msg00544.html
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873
Comment 1 Kerin Millar 2018-06-20 12:52:21 UTC
Note that any applications that are reverse dependencies of Email::Address would ideally be modified to use Email::Address::XS instead. There is virtually no prospect of this issue being resolved in Email::Address.
Comment 2 Larry the Git Cow gentoo-dev 2019-07-10 14:17:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=881118bfa7e587e634c5568c71b2251cc78665a4

commit 881118bfa7e587e634c5568c71b2251cc78665a4
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2019-07-10 14:17:30 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2019-07-10 14:17:30 +0000

    dev-perl/Email-Address: Bump to version 1.912.0 re bug #658562
    
    Upstream:
    - Add mitigation for DoS via pathologically constructed email addresses
      in CVE-2015-7686 and CVE-2015-12558
    
    Bug: https://bugs.gentoo.org/658562
    Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7686
    Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12558
    Package-Manager: Portage-2.3.66, Repoman-2.3.16
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Email-Address/Email-Address-1.912.0.ebuild     | 25 ++++++++++++++++++++++
 dev-perl/Email-Address/Manifest                    |  1 +
 2 files changed, 26 insertions(+)
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2019-10-13 15:08:11 UTC
Arches please stabilize dev-perl/Email-Address-1.912.0
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-14 11:08:09 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-14 11:16:26 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-14 11:25:10 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-14 11:31:24 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-14 11:47:06 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-10-14 11:50:10 UTC
x86 stable
Comment 10 Matt Turner gentoo-dev 2019-11-17 04:04:35 UTC
alpha stable

all arches stable
Comment 11 Sam James archtester gentoo-dev Security 2020-03-26 18:09:11 UTC
@maintainer(s), please cleanup by dropping vulnerable version 1.908.0.
Comment 12 Larry the Git Cow gentoo-dev 2020-03-26 19:11:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78387a9ee6c848dab80b93b5475dc1e18228ab31

commit 78387a9ee6c848dab80b93b5475dc1e18228ab31
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-26 19:10:54 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-26 19:10:54 +0000

    dev-perl/Email-Address: security cleanup (bug #658562)
    
    Bug: https://bugs.gentoo.org/658562
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../Email-Address/Email-Address-1.908.0.ebuild     | 25 ----------------------
 dev-perl/Email-Address/Manifest                    |  1 -
 2 files changed, 26 deletions(-)
Comment 13 Thomas Deutschmann gentoo-dev Security 2020-03-26 19:11:33 UTC
GLSA Vote: No

Repository is clean, all done!