Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

gregor herrmann gregoa at debian.org
Sun Jul 22 15:47:00 BST 2018


On Sat, 07 Jul 2018 22:16:05 +0200, Pali Rohár wrote:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887547 - libperl-critic-perl
> Fixed in git and is awaiting an upload.

And before that, packaging of the new prereq PPIx::QuoteLike ...

(ITP - #900590) http://bugs.debian.org/900590 libppix-quotelike-perl

Ok, will look at this now.
 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887548 - libregexp-common-email-address-perl
> Module just exports problematic regex and therefore needs to be removed
> together with Email::Address. The only one reverse dependency is duck.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887543 - libemail-find-perl
> Module has not been updated since 2007. So it is questionable if it is ever
> going to be fixed. Reverse dependencies are: cil, libhtml-fromtext-perl,
> libtemplate-plugin-clickable-email-perl.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887538 - libdata-validate-email-perl
> Patch for that module is attached in the bug tracker. As upstream does
> not have any git repository nor a way of creating pull requests,
> somebody needs to try contacting upstream and sending them the prepared
> patch.

Patch applied, and forwarded upstream:
https://rt.cpan.org/Ticket/Display.html?id=125903
Package uploaded.
 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887542 - libemail-address-list-perl
> Module exports similar set of regexes as Email::Address and depends on
> Email::Address. So it is not easy to fix it. But Email::Address::XS
> provides functionality offered by Email::Address::List and the only
> reverse dependency is request-tracker4. So it should be removed together
> with Email::Address.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887551 - request-tracker4
> Last update is from April that upstream is going to look at this problem
> for 4.6 cycle.
> 
> So for two packages out of six patches are available, they just need to be
> sent to upstream. Will you as Debian downstream maintainers handle those
> two Data::Validate::Email and Perl::Critic modules and try to find
> contacts for the upstream projects?

Done for Data::Validate::Email; for Perl::Critic there's nothing left
to do as 1.32 has dropped the requirement for Email::Address.
 
> About request-tracker4, can you try to check what the current state is?
> 
> And about the remaining ones, should I file a bug for duck, cil,
> libhtml-fromtext-perl and libtemplate-plugin-clickable-email-perl
> packages? Or do you have a better idea how to handle
> libregexp-common-email-address-perl and libemail-find-perl?

Well, the question is what the bug reports are about or what the
packages are supposed to do.
duck is Debian specific, so it should be possible to come up with a
fix; for the others I'd suggest discussing this with upstream first.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Rebekka Bakken & Wolfgang Muthspiel: Emotions On A Lazy Day
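The thread names Email::Address::XS as the replacement for the regex-based Email::Address parser (and for Email::Address::List) in the affected reverse dependencies. The following is an added example, not code from the thread or from any of the packages discussed, showing what that migration looks like for a caller; the helper name parse_mailboxes and the sample header value are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): moving a caller from
# Email::Address->parse() to Email::Address::XS, the replacement
# module named in the discussion. Sample input is constructed.
use strict;
use warnings;
use Email::Address::XS;

# Hypothetical helper: parse a header value and return only the
# well-formed mailboxes as Email::Address::XS objects.
sub parse_mailboxes {
    my ($header) = @_;

    # Email::Address::XS->parse() is the call-compatible replacement for
    # Email::Address->parse(); it uses a hand-written parser rather than
    # the problematic regex, and returns one object per address found.
    my @addresses = Email::Address::XS->parse($header);

    # Unlike Email::Address, malformed entries are returned as objects
    # whose is_valid() is false instead of being silently dropped, so a
    # caller that previously relied on "anything returned is valid"
    # must filter explicitly.
    return grep { $_->is_valid } @addresses;
}

# Constructed sample header: two valid mailboxes and one malformed entry.
my $header = 'Alice <alice@example.com>, "Bob, Jr." <bob@example.org>, not-an-address';

for my $addr (parse_mailboxes($header)) {
    printf "%-12s %-20s user=%s host=%s\n",
        $addr->phrase // '', $addr->address, $addr->user, $addr->host;
}
```

The is_valid() filter is the one behavioural difference a drop-in swap has to account for; the phrase, address, user and host accessors keep the same names as in Email::Address, so the rest of a caller usually needs no change.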