Bug 719454 (CVE-2018-18898) - <dev-perl/Email-Address-List-0.60.0: Denial of service via parsing time complexity (CVE-2018-18898)
Summary: <dev-perl/Email-Address-List-0.60.0: Denial of service via parsing time compl...
Status: RESOLVED FIXED
Alias: CVE-2018-18898
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-25 22:57 UTC by Sam James
Modified: 2020-05-04 01:40 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James gentoo-dev Security 2020-04-25 22:57:53 UTC
Description:
"The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing."
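The class of bug named in the CVE text above, shown as an added illustration that is not code from Email::Address::List, Request Tracker, or this bug report: a constructed, backtracking-prone address pattern next to a single-pass parser with a hard length cap, and a timing check that exposes the superlinear parse cost. The regex, the 254-byte cap, the sample addresses and the function names are assumptions for the demonstration; the page does not give the actual pattern that was fixed upstream.

```python
"""Parse-time complexity check for comma-separated address lists.

Constructed illustration only: neither parser below is the code of
Email::Address::List or Request Tracker. The regex is a deliberately
backtracking-prone stand-in for the failure mode described in the CVE.
"""
import re
import time

# Assumed vulnerable pattern. The nested quantifier over an overlapping run
# lets the engine try every way of splitting the local part before failing on
# a missing '@', so a malformed input of n characters costs about 2**n steps.
BACKTRACKING_ADDRESS = re.compile(r'^(\s*[^\s@,]+\s*)+@[^\s@,]+$')

MAX_ADDRESS_LEN = 254  # hypothetical hardening limit, checked before any scan


def parse_with_regex(text):
    """Split on commas and validate each item with the backtracking regex.
    Returns a list of stripped addresses, or None on the first bad item."""
    out = []
    for item in text.split(','):
        if BACKTRACKING_ADDRESS.match(item) is None:
            return None
        out.append(item.strip())
    return out


def parse_linear(text):
    """Single-pass parser: exactly one '@', non-empty local part and domain,
    no interior whitespace, and a length cap applied before per-character
    work so oversized input is rejected in constant time."""
    out = []
    for item in text.split(','):
        item = item.strip()
        if not item or len(item) > MAX_ADDRESS_LEN:
            return None
        at = item.find('@')
        if at <= 0 or at == len(item) - 1 or '@' in item[at + 1:]:
            return None
        if any(c.isspace() for c in item):
            return None
        out.append(item)
    return out


def time_parse(parser, text, repeats=3):
    """Best-of-N wall-clock time for parser(text), in seconds."""
    best = float('inf')
    for _ in range(repeats):
        t0 = time.perf_counter()
        parser(text)
        best = min(best, time.perf_counter() - t0)
    return best


def growth_ratio(parser, short_n, long_n):
    """Parse time on a long malformed local part divided by the time on a
    short one. A parser with linear cost stays near long_n / short_n; a
    catastrophically backtracking one grows roughly 2 ** (long_n - short_n)."""
    return time_parse(parser, 'a' * long_n) / time_parse(parser, 'a' * short_n)


if __name__ == '__main__':
    sample = 'alice@example.com, bob@example.org'  # constructed sample list
    print(parse_linear(sample))
    print('regex  growth 10->20 chars: %.0fx' % growth_ratio(parse_with_regex, 10, 20))
    print('linear growth 10->20 chars: %.0fx' % growth_ratio(parse_linear, 10, 20))
```

The same harness can be pointed at any address parser (a Perl module via a subprocess, for instance): feed it malformed input of growing length and compare the ratio against the length ratio. A result that roughly doubles per added character is the signature of the algorithmic complexity attack the CVE describes, and the fix is a parser whose cost is bounded by input length plus an input-size cap applied before parsing.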
Comment 1 Sam James gentoo-dev Security 2020-04-25 22:58:52 UTC
This seems to actually be a bug in Email-Address-List. Debian have tracked down the patches but 0.6 is fixed anyway.

So, @maintainer(s), please cleanup =dev-perl/Email-Address-List-0.50.0.
Comment 2 Larry the Git Cow gentoo-dev 2020-04-26 12:34:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5951fb95d5762ed1b84596148cdc3d441aac39f9

commit 5951fb95d5762ed1b84596148cdc3d441aac39f9
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-04-26 12:25:01 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-04-26 12:33:57 +0000

    dev-perl/Email-Address-List: Security cleanup 0.50.0 re bug #719454
    
    Removing versions affected by CVE-2018-18898
    
    Bug: https://bugs.gentoo.org/719454
    Bug: https://nvd.nist.gov/vuln/detail/CVE-2018-18898
    Bug: https://www.cvedetails.com/cve/CVE-2018-18898/
    Bug: https://docs.bestpractical.com/release-notes/rt/4.4.4
    Package-Manager: Portage-2.3.97, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Email-Address-List-0.50.0.ebuild               | 33 ----------------------
 dev-perl/Email-Address-List/Manifest               |  1 -
 2 files changed, 34 deletions(-)
Comment 3 Kent Fredric (IRC: kent\n) gentoo-dev 2020-04-26 12:35:07 UTC
Cleanup done, over to sec to finish this off :)
Comment 4 Sam James gentoo-dev Security 2020-04-26 13:16:32 UTC
(In reply to Kent Fredric (IRC: kent\n) from comment #3)
> Cleanup done, over to sec to finish this off :)

Thanks!