Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

Pali Rohár pali.rohar at gmail.com
Sat Jul 7 21:16:05 BST 2018


Hi! Here is an update summary.

Currently there are only six open blocked bugs, and their state is:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887547 - libperl-critic-perl
Fixed in git and awaiting an upload.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887548 - libregexp-common-email-address-perl
The module just exports the problematic regex and therefore needs to be removed
together with Email::Address. The only reverse dependency is duck.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887543 - libemail-find-perl
The module has not been updated since 2007, so it is questionable whether it is
ever going to be fixed. Reverse dependencies are: cil, libhtml-fromtext-perl,
libtemplate-plugin-clickable-email-perl.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887538 - libdata-validate-email-perl
A patch for that module is attached in the bug tracker. As upstream does
not have any git repository nor a way to create pull requests,
somebody needs to try contacting upstream and sending them the prepared
patch.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887542 - libemail-address-list-perl
The module exports a similar set of regexes to Email::Address and depends on
Email::Address, so it is not easy to fix. But Email::Address::XS
provides the functionality offered by Email::Address::List, and the only
reverse dependency is request-tracker4. So it should be removed together
with Email::Address.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887551 - request-tracker4
The last update is from April, saying that upstream is going to look at this
problem in the 4.6 cycle.

So for two of the six packages, patches are available and just need to be
sent to upstream. Could you, as the Debian downstream maintainers, handle those
two modules, Data::Validate::Email and Perl::Critic, and try to find
contacts for the upstream projects?

About request-tracker4, can you try to check what the current state is?

And about the remaining ones, should I file a bug for the duck, cil,
libhtml-fromtext-perl and libtemplate-plugin-clickable-email-perl
packages? Or do you have a better idea of how to handle
libregexp-common-email-address-perl and libemail-find-perl?

-- 
Pali Rohár
pali.rohar at gmail.com