Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

Pali Rohár pali.rohar at gmail.com
Thu Jan 18 17:10:38 UTC 2018


On Thursday 18 January 2018 17:54:16 gregor herrmann wrote:
> Thinking about upstream, I had another idea: If Email-Address is
> unmaintained on the CPAN, you could take it over (request co-maint)
> and then
> - change Email::Address to a wrapper around Email::Address::XS;
> - or remove the Email-Address distro and move the Email::Address
>   module, again changed to a wrapper, into the Email-Address-XS
>   distribution;
> - or, maybe least controversial, improve Email::Address to load
>   Email::Address::XS if it's installed. In that case we could in
>   Debian just add a dependency on libemail-address-xs-perl to
>   libemail-address-perl.

I had a discussion about the Email::Address module and the decision was
to not do such things, as Email::Address is a pure Perl module and
Email::Address::XS needs a C compiler. There are a lot of Perl systems
where a C compiler is not available, and there only pure Perl modules
can be installed/loaded.

-- 
Pali Rohár
pali.rohar at gmail.com



More information about the pkg-perl-maintainers mailing list