Bug#887536: dh-make-perl depends on libemail-address-perl

Damyan Ivanov dmn at debian.org
Thu May 24 20:30:01 BST 2018


-=| Pali Rohár, 19.05.2018 18:18:03 +0200 |=-
> On Saturday 19 May 2018 15:28:14 gregor herrmann wrote:
> > On Wed, 17 Jan 2018 20:50:05 +0100, Pali Rohár wrote:
> > 
> > > Hi! Package dh-make-perl depends on libemail-address-perl which is
> > > vulnerable to CVE-2015-7686, see bug #868170. libemail-address-perl
> > > provides perl module Email::Address which is now unmaintained. There is
> > > a new perl module Email::Address::XS which is API compatible replacement
> > > for Email::Address and is available in libemail-address-xs-perl. Please
> > > port dh-make-perl package to use libemail-address-xs-perl. 
> > 
> > dh-make-perl uses
> > 
> > % grep -r Email::Address
> > Build.PL:        'Email::Address'            => 0,
> > lib/DhMakePerl/Command/Packaging.pm:use Email::Address;
> > lib/DhMakePerl/Command/Packaging.pm:my $EMAIL_RE = $Email::Address::addr_spec;
> > 
> > And I think there is no ::addr_spec in libemail-address-xs-perl?
> 
> Yes, Email::Address::XS does not have these regexes defined.
> 
> > > If you need
> > > help with porting let me know.
> > > 
> > Yes, please :)
> 
> I looked at that Packaging.pm file and I'm really not sure what it is
> doing...
> 
> For me it looks like $PERSON_PARSE_RE just extracts the phrase (display
> name) from the email address. For this action the simple ->parse() method
> should be enough, and then ->phrase() would return it.
> 
> $EMAIL_CHANGES_RE seems to extract a list of pairs <name, bare_address>
> which match some specific format. So the only thing needed here is to
> check that _address_ is really an email address without phrase and angle
> brackets. For parsing the ->parse_bare_address() method can be used, and
> then check that ->address() returned something.
> 
> I created a patch with these changes, but I'm not sure if it is correct
> due to the fact that I do not know what that code should do. So these
> changes would need to be properly tested.
> 
> Anyway, do you really need to parse email addresses according to RFC2822?
> And is (.*) not enough in these cases?
> 
> Here is patch:

Thanks.

FWIW this code is from Nicolas Bamber and deals with filling 
debian/copyright from the contents of debian/changelog. This is used 
by 'dh-make-perl refresh' and is probably used in some part of the 
test suite.

So I'd say go ahead and apply the patch as it is and either hope that 
somebody will notice if something broke or add a test that explicitly 
covers that specific aspect.


-- dam
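The two replacements Pali sketches above (->parse() plus ->phrase() for the display name, ->parse_bare_address() plus ->address() for the bare addr-spec check), written out as an added example against Email::Address::XS. This is not dh-make-perl code and not the patch from the thread; the function names display_name and is_bare_address and the sample strings are made up for illustration, and the example assumes the documented Email::Address::XS methods parse, parse_bare_address, phrase, address and is_valid.

```perl
#!/usr/bin/perl
# Added example (not from dh-make-perl): replacing the two uses of
# $Email::Address::addr_spec-style regexes with Email::Address::XS calls.
use strict;
use warnings;
use Email::Address::XS;

# Display name of a maintainer string such as "Jane Doe <jane@example.org>".
# Returns undef unless the string parses as exactly one valid mailbox;
# a bare address with no phrase also yields undef.
sub display_name {
    my ($string) = @_;
    my @addrs = Email::Address::XS->parse($string);
    return undef unless @addrs == 1 && $addrs[0]->is_valid;
    return $addrs[0]->phrase;
}

# True only for a bare addr-spec (no phrase, no angle brackets), which is
# what the old $Email::Address::addr_spec regex was checking for.
# parse_bare_address() returns an object whose ->address is undef when the
# input is not a bare address.
sub is_bare_address {
    my ($string) = @_;
    my $addr = Email::Address::XS->parse_bare_address($string);
    return defined $addr->address ? 1 : 0;
}

# Constructed sample inputs (hypothetical, not taken from any changelog).
my @samples = (
    'Jane Doe <jane@example.org>',
    'jane@example.org',
    '<jane@example.org>',
    'not an address',
);

for my $s (@samples) {
    my $name = display_name($s);
    printf "%-30s name=%-10s bare=%s\n",
        $s,
        (defined $name ? $name : '(none)'),
        (is_bare_address($s) ? 'yes' : 'no');
}
```

The point of the second helper is that parse() would happily accept "<jane@example.org>" and return its address, whereas the original regex only matched a bare addr-spec; parse_bare_address() preserves that stricter behaviour. A test for 'dh-make-perl refresh' that feeds these four strings through the copyright-from-changelog path would cover the aspect Damyan mentions.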


