Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686
Pali Rohár
pali.rohar at gmail.com
Wed Aug 29 09:57:50 BST 2018
On Thursday 26 July 2018 15:48:31 Pali Rohár wrote:
> On Sunday 22 July 2018 16:47:00 gregor herrmann wrote:
> > On Sat, 07 Jul 2018 22:16:05 +0200, Pali Rohár wrote:
> > > And about the remaining ones, should I file a bug for duck, cil,
> > > libhtml-fromtext-perl and libtemplate-plugin-clickable-email-perl
> > > packages? Or do you have a better idea how to handle
> > > libregexp-common-email-address-perl and libemail-find-perl?
> >
> > Well, the question is what the bug reports are about or what the
> > packages are supposed to do.
> > duck is Debian specific, so it should be possible to come up with a
> > fix; for the others I'd suggest to discuss this with upstream first.
>
> Email::Find had its last release in 2007 and has bugs that have been open for 6 years:
> https://metacpan.org/pod/Email::Find
> https://rt.cpan.org/Public/Dist/Display.html?Name=Email-Find
>
> And Regexp::Common::Email::Address is from year 2005:
> https://metacpan.org/pod/Regexp::Common::Email::Address
> https://rt.cpan.org/Public/Dist/Display.html?Name=Regexp-Common-Email-Address
>
> Dependent modules:
>
> HTML::FromText is from the same author as Email::Address:
> https://metacpan.org/pod/HTML::FromText
>
> And Template::Plugin::Clickable::Email had only one version, year 2005:
> https://metacpan.org/pod/Template::Plugin::Clickable::Email
>
> So it does not look like there is active development...

Well, what are the next steps then? I think I did everything I
could and probably cannot help more with the investigation.
--
Pali Rohár
pali.rohar at gmail.com