Bug#922854: libemail-address-perl: Package is vulnerable to a DoS attack via pathological input
Marc Ballarin
marc.ballarin at ionos.com
Thu Feb 21 12:46:10 GMT 2019
Package: libemail-address-perl
Version: 1.908-1
Severity: normal
Tags: upstream,security
Dear Maintainer,
the version of libemail-address-perl shipped in Stretch suffers from a
DoS vulnerability that is already fixed in upstream release 1.912
(already in Buster/sid).
The upstream bug is https://github.com/Perl-Email-Project/Email-Address/issues/19 but we hit this issue in production before discovering that, so it is quite relevant.
Here is a short script that illustrates the problem:
#!/usr/bin/perl
use 5.014;
use warnings;
use Email::Address;
use Time::HiRes qw(gettimeofday tv_interval);

my $num_pairs = 0;
while ($num_pairs++ < 30) {
    # Candidate input: $num_pairs empty RFC 822 comments, e.g. "()()()".
    my $candidate = '()' x $num_pairs;
    my $start_time = [gettimeofday];
    Email::Address->parse($candidate);
    # Report the wall-clock time the parse took for this many pairs.
    say "$num_pairs pairs: " . tv_interval($start_time);
}
With the version in Stretch, this script will suffer from exponential
runtime. Using the upstream version, the increase is linear.
Note: This also affects people using
Data::Validate::Email::is_email_rfc822() (this is how we hit it), since
this uses the faulty regular expression from Email::Address. There
should be no need to update Data::Validate::Email, though.
Regards,
Marc
-- System Information:
Debian Release: 9.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libemail-address-perl depends on:
ii perl 5.24.1-3+deb9u5
libemail-address-perl recommends no packages.
libemail-address-perl suggests no packages.
-- no debconf information
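An added example, not part of Marc's report and not code from Email::Address or Data::Validate::Email: an interim guard that a site still on the Stretch package could place in front of Email::Address->parse (or in front of is_email_rfc822(), which reuses the same regular expression) until it can upgrade to 1.912. The parse_guarded name, the length and parenthesis limits, and the sample inputs are assumptions. The guard is a cheap heuristic that stops the pathological inputs described in the report before they reach the regex; it is not a substitute for the upstream fix.

```perl
#!/usr/bin/perl
# Added example (not from the bug report, Email::Address or
# Data::Validate::Email): reject input that could drive the nested-comment
# regex into exponential backtracking before handing it to the parser.
use 5.014;
use warnings;
use Email::Address;
use Time::HiRes qw(gettimeofday tv_interval);

# Assumed limits; tune them against real traffic before deploying.
# RFC 5321 caps a path at 256 octets; a display name and a comment push a
# header address somewhat higher, so 512 leaves headroom. A legitimate
# address rarely carries more than one or two "(comment)" groups.
use constant MAX_LENGTH => 512;
use constant MAX_PARENS => 8;

# Returns a hashref: { ok => 1, addresses => [...] } when the input was
# parsed, or { ok => 0, reason => '...' } when it was rejected up front.
sub parse_guarded {
    my ($input) = @_;
    return { ok => 0, reason => 'undefined input' } unless defined $input;
    return { ok => 0, reason => 'input too long' }
        if length($input) > MAX_LENGTH;
    # Count every '(' and ')' regardless of nesting: the pathological case
    # in the report is simply many pairs, so the raw count is the signal.
    my $parens = () = $input =~ /[()]/g;
    return { ok => 0, reason => "too many comment delimiters ($parens)" }
        if $parens > MAX_PARENS;
    my @addresses = Email::Address->parse($input);
    return { ok => 1, addresses => \@addresses };
}

# Constructed inputs: one ordinary address with a comment, and a string of
# the kind the report's script feeds to the parser.
for my $candidate ( 'Jane Doe (Ops) <jane@example.com>', '()' x 30 ) {
    my $start   = [gettimeofday];
    my $result  = parse_guarded($candidate);
    my $elapsed = tv_interval($start);
    if ($result->{ok}) {
        say sprintf "accepted in %.6fs: %s", $elapsed,
            join ', ', map { $_->address } @{ $result->{addresses} };
    } else {
        say sprintf "rejected in %.6fs: %s", $elapsed, $result->{reason};
    }
}
```

With the Stretch package installed, the first candidate parses normally and the second is rejected without ever reaching the regex. Anything that legitimately carries more than MAX_PARENS parentheses is rejected too, so check the limit against real traffic, and log the rejections so the rule can be tuned.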