Your message dated Fri, 03 May 2024 19:50:25 +0000
with message-id <e1s2yvj-008jbf...@fasolo.debian.org>
and subject line Bug#960062: fixed in libemail-mime-perl 1.954-1
has caused the Debian Bug report #960062,
regarding libemail-mime-perl: CVE-2024-4140: DoS on excessive or deeply nested
parts
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
960062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960062
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libemail-mime-perl
Version: 1.946-1
Severity: important
Tags: upstream
Messages with too many tiny MIME parts can OOM on split().
Messages with many nested MIME parts can also fail on deep
recursion (Email::MIME->new calls ->subparts, ->subparts calls
->new, ad infinitum).
Smallish messages can generate these, since a boundary
only needs to be 4 bytes "--a\n" and the header+body of
each part can just be 4 bytes "x:y\n\n", too.
Perl takes 42 bytes to represent a 4 byte string on 64-bit:
use Devel::Size; say Devel::Size::total_size("--\n\n")
This affects many other MIME parsers, too.
--- End Message ---
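
A pre-parse guard for the two failure modes described in the report above (too many tiny parts, deeply nested parts), as an added example that is not part of the original report or of Email::MIME. It counts parts and nesting in one pass with an explicit stack instead of recursion, in Python since the report notes that other MIME parsers are affected too. The function name, exception class and limit values are assumptions made for this illustration.

```python
import io
import re

# Limits are assumptions for this example, not values taken from Email::MIME.
MAX_PARTS, MAX_DEPTH = 100, 10

class MimeLimitExceeded(ValueError):
    """The message declares more parts or deeper nesting than allowed."""

# Simplified boundary extraction: quoted boundaries containing spaces are not handled.
_BOUNDARY = re.compile(rb'^content-type:\s*multipart/.*?boundary="?([^";\s]+)', re.I | re.S)

def check_mime_limits(raw, max_parts=MAX_PARTS, max_depth=MAX_DEPTH):
    """Return (parts, deepest_nesting) for raw message bytes, or raise."""
    stack, parts, deepest = [], 0, 0   # stack: open "--boundary" delimiters
    in_headers, ctype, folding = True, b"", False
    for line in io.BytesIO(raw):       # one line at a time, no split()
        line = line.rstrip(b"\r\n")
        bare = line.rstrip()
        hit = next((i for i in reversed(range(len(stack)))
                    if bare in (stack[i], stack[i] + b"--")), None)
        if hit is not None and bare == stack[hit]:   # delimiter: new part
            del stack[hit + 1:]
            parts += 1
            if parts > max_parts:
                raise MimeLimitExceeded(f"more than {max_parts} parts")
            in_headers, ctype, folding = True, b"", False
        elif hit is not None:                        # close delimiter
            del stack[hit:]
            in_headers = False
        elif in_headers and line == b"":             # end of header block
            in_headers = False
            m = _BOUNDARY.search(ctype)
            if m:
                stack.append(b"--" + m.group(1))
                deepest = max(deepest, len(stack))
                if deepest > max_depth:
                    raise MimeLimitExceeded(f"nesting deeper than {max_depth}")
        elif in_headers and folding and line[:1] in (b" ", b"\t"):
            ctype += line                            # folded Content-Type
        elif in_headers:
            folding = line.lower().startswith(b"content-type:")
            ctype = line if folding else ctype
    return parts, deepest

# Constructed sample shaped like the report: boundary "--a\n", parts "x:y\n\n".
SAMPLE = b"Content-Type: multipart/mixed; boundary=a\n\n" + b"--a\nx:y\n\n" * 1000 + b"--a--\n"
```

Running the guard on the raw bytes before handing them to a full MIME parser rejects such messages without ever building the part tree.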
--- Begin Message ---
Source: libemail-mime-perl
Source-Version: 1.954-1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libemail-mime-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 960...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated
libemail-mime-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 03 May 2024 21:32:44 +0200
Source: libemail-mime-perl
Architecture: source
Version: 1.954-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 960062
Changes:
libemail-mime-perl (1.954-1) unstable; urgency=medium
.
* Team upload.
* Import upstream version 1.954.
+ Fix excessive memory use issue, which can cause denial of service when
parsing multipart MIME messages (CVE-2024-4140) (Closes: #960062)
* Declare compliance with Debian policy 4.7.0
--- End Message ---