Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

Salvatore Bonaccorso carnil at debian.org
Thu Jul 13 13:08:38 UTC 2017


Control: severity -1 important

Hi Pali

On Wed, Jul 12, 2017 at 06:51:06PM +0200, Pali Rohár wrote:
> Package: libemail-address-perl
> Version: 1.908-1
> Severity: grave
> 
> Hi! The Perl Email::Address module has the CVE-2015-7686 defect, which means 
> that for specially prepared input, the parse() method can take exponential 
> time to process the input buffer. The primary use of Email::Address was to 
> parse From/To/Cc email headers, which means that an attacker could DoS a 
> server application which uses this module for parsing emails.
> 
> Since 2015 there has been no new release of the Email::Address module, and 
> meanwhile I created a new module named Email::Address::XS:
> 
> https://metacpan.org/pod/Email::Address::XS
> 
> It has a backward compatible API, but uses a completely different way to 
> parse input. It is written in C instead of Perl regexps and uses parts 
> of the Dovecot parser, which has already been widely tested.
> 
> Fixing the current Email::Address is very hard if we want to aim at two things: 
> 1) RFC-correctness 2) polynomial time complexity in the worst case
> 
> This is the reason why I chose to write Email::Address::XS from scratch 
> instead of hacking Email::Address.
> 
> Due to the fact that there has been no new version of Email::Address for 2 years 
> which could address the CVE-2015-7686 defect, I would suggest dropping the 
> libemail-address-perl package from Debian completely.
> 
> That is probably not easy as more packages depend on libemail-address-
> perl (Email::Address module). But because Email::Address::XS has a 
> backward compatible API, it can be used as a drop-in replacement for 
> Email::Address.
> 
> Something like sed 's/Email::Address/Email::Address::XS/g' on the sources of 
> 3rd-party applications/modules should be enough.
> 
> And if not, I can help with porting existing Perl applications in Debian 
> which use Email::Address to be compatible with Email::Address::XS.

Thanks. Yes, CVE-2015-7686 is a longstanding issue affecting Email::Address.
This IMHO is no reason to mark it as severity grave. Rather, IMHO the
following should be done:

1/ lower the severity to non-RC.
2/ package Email::Address::XS for Debian
3/ For every package in Debian (build-)depending on
   libemail-address-perl, file a wishlist bug to have the package "ported"
   (done preferably first upstream) to the new module. Later on, when
   maintainers have been given enough time, those might be raised to
   important.
4/ Choose a usertag for user debian-perl at lists.debian.org to track
   the issues and tag them.
5/ once all applications have switched to libemail-address-xs-perl,
   file a removal bug for libemail-address-perl.

Hope this helps so far, and is complete,

Regards,
Salvatore
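The drop-in replacement that the report proposes, shown as an added example that is not part of the bug report and not code from either module's distribution. It assumes Email::Address::XS is installed and falls back to the regexp-based Email::Address when it is not, so the same header-parsing code runs against either backend; it also wraps each parse() call in a wall-clock limit so that a pathological header (the failure mode CVE-2015-7686 describes) costs a bounded amount of time rather than stalling the process. The sample header values are constructed and benign; the helper name parse_header_bounded and the 2-second limit are the example's own choices.

```perl
#!/usr/bin/perl
# Added example, not from the bug report or from Email::Address(::XS).
# Shows the backward compatible API in use and a defensive time limit
# around parse(), so a slow header is rejected instead of tying up a worker.
use strict;
use warnings;

my $parser_class;
BEGIN {
    # Prefer the C-based parser; fall back to the regexp-based one.
    # (Assumption: at least one of the two modules is installed.)
    if (eval { require Email::Address::XS; 1 }) {
        $parser_class = 'Email::Address::XS';
    } else {
        require Email::Address;
        $parser_class = 'Email::Address';
    }
}

# Parse one header value under a wall-clock limit (seconds).
# Returns ($timed_out, @address_objects); @address_objects is empty
# when the limit was exceeded.
sub parse_header_bounded {
    my ($header_value, $limit) = @_;
    $limit ||= 2;    # hypothetical default; tune to your service's budget
    my @addrs;
    my $timed_out = 0;
    eval {
        local $SIG{ALRM} = sub { die "parse timeout\n" };
        alarm $limit;
        @addrs = $parser_class->parse($header_value);
        alarm 0;
        1;
    } or do {
        alarm 0;
        my $err = $@ || 'unknown error';
        if ($err eq "parse timeout\n") { $timed_out = 1 } else { die $err }
    };
    return ($timed_out, @addrs);
}

# Constructed sample header values (benign input).
my @samples = (
    'Alice Example <alice@example.com>, "Bob, Jr." <bob@example.org>',
    'Carol <carol@example.net>',
);

print "parser backend: $parser_class\n";
for my $hdr (@samples) {
    my ($timed_out, @addrs) = parse_header_bounded($hdr, 2);
    if ($timed_out) {
        # Treat as a parse failure: log it and do not trust the header.
        warn "rejected header (exceeded time limit): $hdr\n";
        next;
    }
    for my $a (@addrs) {
        printf "  %-30s %s\n", $a->address, defined $a->name ? $a->name : '';
    }
}
```

Because both classes expose the same parse()/address/name methods used above, only the class name changes between backends, which is exactly why the sed rewrite in the report is expected to be sufficient for most callers. The alarm guard is a backstop, not a substitute for switching parsers: it depends on the interpreter honouring the signal while the parse is running, so a process-level CPU limit on the worker is the stronger safety net where one is available.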


