Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686
Pali Rohár
pali.rohar at gmail.com
Wed Jul 12 16:51:06 UTC 2017
Package: libemail-address-perl
Version: 1.908-1
Severity: grave
Hi! The Perl Email::Address module has the CVE-2015-7686 defect, which means
that for specially prepared input, the parse() method can take exponential
time to process the input buffer. The primary use of Email::Address was to
parse From/To/Cc email headers, which means that an attacker could DoS a
server application which uses this module for parsing emails.

Since 2015 there has been no new release of the Email::Address module, and
meanwhile I created a new module named Email::Address::XS:
https://metacpan.org/pod/Email::Address::XS

It has a backward compatible API, but uses a completely different way to
parse input. It is written in C instead of Perl regexps, and uses parts of
the dovecot parser which were already widely tested.

Fixing the current Email::Address is very hard if we want to achieve two things:
1) RFC-correctness 2) polynomial time complexity in the worst case.
This is the reason why I chose to write Email::Address::XS from scratch
instead of hacking Email::Address.

Due to the fact that there has been no new version of Email::Address for 2 years
which could address the CVE-2015-7686 defect, I would suggest dropping the
libemail-address-perl package from Debian completely.

That is probably not easy, as more packages depend on libemail-address-perl
(the Email::Address module). But because Email::Address::XS has a
backward compatible API, it can be used as a drop-in replacement for
Email::Address.

Something like sed 's/Email::Address/Email::Address::XS/g' on the sources of
3rd-party applications/modules should be enough.

And if not, I can help with porting existing Perl applications in Debian
which use Email::Address to be compatible with Email::Address::XS.
--
Pali Rohár
pali.rohar at gmail.com
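The check a packager would want before doing that sed replacement, as an added example that is not part of the bug report and not code from either Email::Address or Email::Address::XS: a script that feeds the same headers to both modules, parses in a forked child under a wall-clock limit (so a parser that backtracks exponentially gets killed instead of hanging the script), and prints what each module extracted so API-compatible but differing results are visible. The sample headers are constructed here and are not a reproducer for CVE-2015-7686; the helper name guarded_parse and the 5-second limit are this example's own choices. It uses only the class method parse() and the address() accessor, which both modules document.

```perl
#!/usr/bin/perl
# Added example (not from the bug report, Email::Address, or Email::Address::XS).
# Runs each sample header through both modules inside a forked child with a
# wall-clock limit, so a parser that backtracks exponentially is killed instead
# of hanging the script, and prints what each module extracted so the two can
# be compared before replacing one with the other.
use strict;
use warnings;
use Time::HiRes qw(time);

my $LIMIT = 5;    # seconds allowed per parse (arbitrary choice for this example)

# Load whichever of the two modules is installed; skip the rest.
my @modules;
for my $module (qw(Email::Address Email::Address::XS)) {
    (my $file = "$module.pm") =~ s{::}{/}g;
    if (eval { require $file; 1 }) { push @modules, $module }
    else { print "$module: not installed, skipping\n" }
}

# Constructed sample headers; they are NOT a reproducer for CVE-2015-7686.
my @samples = (
    'John Doe <john@example.com>, "Doe, Jane" <jane@example.com>',
    '"not (a comment)" <q@example.com> (this is a comment)',
    'Undisclosed: a@example.com, b@example.com;',
    '(' x 40 . 'deep@example.com' . ')' x 40,
);

# Parse $input with $module in a child process. Returns (status, seconds,
# addresses): status is "ok", "error" or "timeout"; addresses is the list of
# address strings the module extracted (empty unless status is "ok").
sub guarded_parse {
    my ($module, $input) = @_;
    pipe(my $rd, my $wr) or die "pipe: $!";
    my $start = time;
    my $pid   = fork;
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {    # child: parse and report back through the pipe
        close $rd;
        my @addrs = eval { $module->parse($input) };
        if ($@) {
            print {$wr} "error $@";
        } else {
            print {$wr} "ok\n", map { $_->address . "\n" } @addrs;
        }
        close $wr;
        exit 0;
    }

    # Parent: read the child's report, but give up after $LIMIT seconds. The
    # blocked read is interrupted by SIGALRM, so this works even while the
    # child is stuck inside a regex match it would never return from.
    close $wr;
    my $report = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $LIMIT;
        local $/;             # slurp everything the child writes
        my $out = <$rd>;
        alarm 0;
        $out;
    };
    my $err = $@;
    alarm 0;
    close $rd;
    my $elapsed = time - $start;

    if ($err eq "timeout\n") {
        kill 'KILL', $pid;    # child is still parsing: stop it
        waitpid $pid, 0;
        return ('timeout', $elapsed);
    }
    waitpid $pid, 0;
    my ($head, @addrs) = split /\n/, ($report // '');
    return ((($head // '') eq 'ok' ? 'ok' : 'error'), $elapsed, @addrs);
}

$| = 1;    # flush STDOUT before fork() so the child does not re-print it
for my $input (@samples) {
    print "input: $input\n";
    for my $module (@modules) {
        my ($status, $secs, @addrs) = guarded_parse($module, $input);
        printf "  %-18s %-7s %6.3fs  %s\n", $module, $status, $secs, join(', ', @addrs);
    }
}
```

Run it as a plain Perl script on a machine with one or both modules installed. A "timeout" row for Email::Address on some input is the behaviour the report describes; a row where the two modules return different address lists marks a place where a mechanical sed migration needs a closer look, since the calling code may depend on the old parse result.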