Bug#887536: dh-make-perl depends on libemail-address-perl
Pali Rohár
pali.rohar at gmail.com
Tue Jun 26 13:26:00 BST 2018
On Saturday 19 May 2018 18:18:03 Pali Rohár wrote:
> On Saturday 19 May 2018 15:28:14 gregor herrmann wrote:
> > On Wed, 17 Jan 2018 20:50:05 +0100, Pali Rohár wrote:
> >
> > > Hi! Package dh-make-perl depends on libemail-address-perl which is
> > > vulnerable to CVE-2015-7686, see bug #868170. libemail-address-perl
> > > provides perl module Email::Address which is now unmaintained. There is
> > > a new perl module Email::Address::XS which is API compatible replacement
> > > for Email::Address and is available in libemail-address-xs-perl. Please
> > > port dh-make-perl package to use libemail-address-xs-perl.
> >
> > dh-make-perl uses
> >
> > % grep -r Email::Address
> > Build.PL: 'Email::Address' => 0,
> > lib/DhMakePerl/Command/Packaging.pm:use Email::Address;
> > lib/DhMakePerl/Command/Packaging.pm:my $EMAIL_RE = $Email::Address::addr_spec;
> >
> > And I think there is no ::addr_spec in libemail-address-xs-perl?
>
> Yes, Email::Address::XS does not have these regexes defined.
>
> > > If you need
> > > help with porting let me know.
> > >
> > Yes, please :)
>
> I looked at that Packaging.pm file and I'm really not sure that it is
> doing...
>
> For me it looks like that $PERSON_PARSE_RE just extract phrase (display
> name) from the email address. For this action simple ->parse() method
> should be enough and then ->phrase() would return it.
>
> $EMAIL_CHANGES_RE seems to extract list of pairs <name, bare_address>
> which matches some specific format. So the only thing needed here is to
> check if _address_ is really email address without phrase and angle
> brackets. For parsing ->parse_bare_address() method can be used and then
> check ->address() that returned something.
>
> I created patch with these changes, but I'm not sure if it is correct
> due to fact that I do not know what that code should do. So it would be
> needed to properly test these changes.
>
> Anyway, do you really need to parse email address according to RFC2822?
> And is not (.*) in these cases enough?
>
> Here is patch:
>
> diff --git a/Build.PL b/Build.PL
> index eb88fa8..a54fc0f 100644
> --- a/Build.PL
> +++ b/Build.PL
> @@ -25,7 +25,7 @@ my $builder = My::Builder->new(
> 'Cwd' => 0,
> 'Dpkg' => 0,
> 'Dpkg::Source::Package' => '1.01',
> - 'Email::Address' => 0,
> + 'Email::Address::XS' => '1.01',
> 'Email::Date::Format' => 0,
> 'File::Basename' => 0,
> 'File::Copy' => 0,
> diff --git a/lib/DhMakePerl/Command/Packaging.pm b/lib/DhMakePerl/Command/Packaging.pm
> index 8f14caa..9fb9a9e 100644
> --- a/lib/DhMakePerl/Command/Packaging.pm
> +++ b/lib/DhMakePerl/Command/Packaging.pm
> @@ -35,6 +35,7 @@ use Debian::Control::FromCPAN;
> use Debian::Dependencies;
> use Debian::Rules;
> use DhMakePerl::PodParser ();
> +use Email::Address::XS 1.01;
> use File::Basename qw(basename dirname);
> use File::Find qw(find);
> use File::Path ();
> @@ -1210,31 +1211,6 @@ sub upsurl {
> }
>
>
> -my $ACTUAL_NAME_RE = '\pL[\s\pL\-\'\.]*\pL';
> -
> -# See http://www.faqs.org/rfcs/rfc2822.html
> -# Section 3.4.1
> -use Email::Address;
> -my $EMAIL_RE = $Email::Address::addr_spec;
> -
> -my $EMAIL_CHANGES_RE = qr{
> - ^ # beginining of line
> - \s+\*\s # item marker
> - Email\schange:\s # email change token
> - ($ACTUAL_NAME_RE) # actual name
> - \s+->\s+ # gap between name and email
> - ($EMAIL_RE) # email address
> - $ # end of line
> -}xms;
> -
> -my $PERSON_PARSE_RE = qr{
> - \A # beginining of string
> - ($ACTUAL_NAME_RE) # actual name
> - \s # gap
> - \<$EMAIL_RE\> # logged email
> - \z # end of string
> -}xms;
> -
> # This is what needs fixing.
> sub copyright_from_changelog {
> my ( $self, $firstmaint, $firstyear ) = @_;
> @@ -1248,17 +1224,23 @@ sub copyright_from_changelog {
> my $date = $_->Date;
> my @date_pieces = split( " ", $date );
> my $year = $date_pieces[3];
> - if (my %changes = ($_->Changes =~ m/$EMAIL_CHANGES_RE/xmsg)) {
> + if (my %changes = ($_->Changes =~ m/^\s+\*\sEmail\schange:\s+(.*?)\s+->\s+(.*?)\s*$/xmsg)) {
> # This way round since we are going backward in time thru changelog
> foreach my $p (keys %changes) {
> - $changes{$p} =~ s{[\s\n]+$}{}xms;
> + # Parse bare email address; undef if it not an email address
> + my $address = Email::Address::XS->parse_bare_address($changes{$p})->address();
> + if ($address) {
> + $changes{$p} = $address;
> + } else {
> + delete $changes{$p};
> + }
> }
> %email_changes = (
> %changes,
> %email_changes
> );
> }
> - if (my ($name) = ($person =~ $PERSON_PARSE_RE)) {
> + if (my $name = Email::Address::XS->parse($person)->phrase()) {
> if (exists $email_changes{$name}) {
> $person = "$name <$email_changes{$name}>";
> }
>
>
Seems that very similar code is in license-reconcile package. So very
similar patch like above should be applied also for license-reconcile
package (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887550).
Or maybe you should de-duplicate code and having common functions only
in place...
--
Pali Rohár
pali.rohar at gmail.com
More information about the pkg-perl-maintainers
mailing list