Bug#922854: libemail-address-perl: Package is vulnerable to a DoS attack via pathological input

Marc Ballarin marc.ballarin at ionos.com
Thu Feb 21 12:46:10 GMT 2019


Package: libemail-address-perl
Version: 1.908-1
Severity: normal
Tags: upstream,security

Dear Maintainer,

the version of libemail-address-perl shipped in Stretch suffers from a
DoS vulnerability that is already fixed in upstream release 1.912
(already in Buster/sid).
The upstream bug is https://github.com/Perl-Email-Project/Email-Address/issues/19 but we hit this issue in production before discovering that, so it is quite relevant.

Here is a short script that illustrates the problem:

#!/usr/bin/perl

use 5.014;
use warnings;
use Email::Address;
use Time::HiRes qw(gettimeofday tv_interval);

# Feed the parser a growing run of empty RFC 822 comments, "()()()...",
# and time each call: the Stretch version backtracks exponentially on
# this input, the upstream 1.912 version stays linear.
my $num_pairs = 0;
while ($num_pairs++ < 30) {
    my $candidate = '()' x $num_pairs;    # pathological input: N empty comment pairs
    my $start_time = [gettimeofday];
    Email::Address->parse($candidate);
    say "$num_pairs pairs: " . tv_interval($start_time);
}

With the version in Stretch, this script will suffer from exponential
runtime. Using the upstream version, the increase is linear.

Note: This also affects people using
Data::Validate::Email::is_email_rfc822() (this is how we hit it), since
this uses the faulty regular expression from Email::Address. There
should be no need to update Data::Validate::Email, though.

Regards,
Marc

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libemail-address-perl depends on:
ii  perl  5.24.1-3+deb9u5

libemail-address-perl recommends no packages.

libemail-address-perl suggests no packages.

-- no debconf information
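The contrast the report measures (exponential versus linear growth on a run of empty comments) comes from how the comment-skipping part of an address parser is written. The following is an added example, not code from the report or from Email::Address; it puts a constructed regex with nested quantifiers (a stand-in for the shape that backtracks, not the actual pattern from Email::Address 1.908) next to a hand-written single-pass scanner for the same comment syntax, and reuses the reporter's timing loop. The address grammar after the comments is simplified to `local@domain`, and the nesting limit `MAX_COMMENT_DEPTH` is an assumption.

```python
"""Exponential regex comment-skipping versus a linear scanner.

Added example for the libemail-address-perl DoS report; not the code of
Email::Address. NESTED_COMMENT_RE is a constructed stand-in showing the
nested-quantifier shape, not the real 1.908 pattern.
"""
import re
import time

# Constructed: optional comments, then a mandatory address. The outer
# (?: ... )* wrapping an inner (?: ... )* lets the engine split a run of
# comments in every possible way, and when the address at the end is
# missing it tries all 2^(n-1) splits before giving up.
NESTED_COMMENT_RE = re.compile(r'^(?:(?:\([^()]*\))*)*[a-z]+@[a-z]+$')

# Assumed nesting limit for comments (RFC 822 allows nesting; parsers
# usually cap it).
MAX_COMMENT_DEPTH = 2

ADDR_RE = re.compile(r'[a-z]+@[a-z]+$')


def regex_parse(candidate):
    """Backtracking variant: True if candidate is <comments><local>@<domain>."""
    return NESTED_COMMENT_RE.match(candidate) is not None


def skip_cfws(s, pos=0, max_depth=MAX_COMMENT_DEPTH):
    """Skip whitespace and nested comments starting at pos in one pass.

    Returns the index of the first character after the comments, or None
    if a comment is unterminated or nests deeper than max_depth. Every
    character is inspected once, so the cost is linear in len(s).
    """
    depth = 0
    i = pos
    n = len(s)
    while i < n:
        c = s[i]
        if depth == 0:
            if c.isspace():
                i += 1
            elif c == '(':
                depth = 1
                i += 1
            else:
                break                      # start of the address proper
        elif c == '\\' and i + 1 < n:
            i += 2                         # quoted-pair inside a comment
        elif c == '(':
            depth += 1
            if depth > max_depth:
                return None                # reject instead of backtracking
            i += 1
        elif c == ')':
            depth -= 1
            i += 1
        else:
            i += 1
    if depth != 0:
        return None                        # unterminated comment
    return i


def scanner_parse(candidate):
    """Linear variant: skip comments with the scanner, then match the address."""
    end = skip_cfws(candidate)
    if end is None:
        return False
    return ADDR_RE.match(candidate, end) is not None


def time_parse(parser, pairs):
    """Seconds taken to parse '()' * pairs, mirroring the report's script."""
    candidate = '()' * pairs
    start = time.perf_counter()
    parser(candidate)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Kept small: the regex side doubles its work with every extra pair.
    for pairs in range(1, 17):
        print(f"{pairs} pairs: regex {time_parse(regex_parse, pairs):.4f}s"
              f"  scanner {time_parse(scanner_parse, pairs):.6f}s")
```

Running the module prints a timing table like the one the report describes: the regex column roughly doubles per extra pair while the scanner column stays flat. The defensive point is the shape of the fix, not the regex flavour: a scanner that consumes each character once (and rejects over-deep nesting outright) cannot be driven into catastrophic backtracking, whatever the input.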



More information about the pkg-perl-maintainers mailing list