Package: libemail-address-perl
Version: 1.908-1
Severity: grave

Hi!

The Perl Email::Address module has the CVE-2015-7686 defect, which means that for specially prepared input, the parse() method can take exponential time to process the input buffer. The primary use of Email::Address was to parse From/To/Cc email headers, which means that an attacker could DoS a server application that uses this module for parsing emails.

Since 2015 there has been no new release of the Email::Address module, and meanwhile I have created a new module named Email::Address::XS: https://metacpan.org/pod/Email::Address::XS

It has a backward-compatible API but uses a completely different way of parsing input. It is written in C instead of Perl regexps and uses parts of the Dovecot parser, which has already been widely tested.

Fixing the current Email::Address is very hard if we want to aim at two things:

1) RFC-correctness
2) polynomial time complexity in the worst case

This is the reason why I chose to write Email::Address::XS from scratch instead of hacking Email::Address.

Due to the fact that there has been no new version of Email::Address for 2 years which could address the CVE-2015-7686 defect, I would suggest dropping the libemail-address-perl package from Debian completely. That is probably not easy, as more packages depend on libemail-address-perl (the Email::Address module). But because Email::Address::XS has a backward-compatible API, it can be used as a drop-in replacement for Email::Address. Something like sed 's/Email::Address/Email::Address::XS/g' on the sources of third-party applications/modules should be enough. And if not, I can help with porting existing Perl applications in Debian which use Email::Address to be compatible with Email::Address::XS.

--
Pali Rohár
pali.ro...@gmail.com
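As an added example (not part of the bug report and not code from either module), the drop-in migration described above: a constructed To: header is parsed with Email::Address::XS through the same parse()/phrase/user/host/address calls that code written against Email::Address uses, and the call is wrapped in an alarm() bound so that a legacy Email::Address call path can be rejected instead of hanging while it is still in use. The header value and the parse_bounded helper are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Email::Address::XS;

# Constructed sample header value, not taken from any real mail.
my $to_header = 'Pali Rohar <pali@example.invalid>, '
              . '"Doe, Jane" <jane@example.invalid>, bob@example.invalid';

# Parse with a wall-clock bound. Email::Address::XS does not need it (its
# parser is C code, not backtracking regexps), but the same wrapper lets a
# legacy Email::Address->parse call fail closed instead of burning CPU.
# alarm() is delivered at Perl's safe-signal points, so this is a
# best-effort bound, not a substitute for switching parsers.
sub parse_bounded {
    my ($class, $value, $seconds) = @_;
    my @addrs;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "parse timeout\n" };
        alarm $seconds;
        @addrs = $class->parse($value);   # same call shape as Email::Address
        alarm 0;
        1;
    };
    alarm 0;                              # always clear a pending alarm
    return (undef, $@) unless $ok;
    return (\@addrs, undef);
}

# Only the class name changes versus the Email::Address original.
my ($addrs, $err) = parse_bounded('Email::Address::XS', $to_header, 2);
die "rejecting header: $err" if $err;

for my $addr (@$addrs) {
    # phrase/user/host/address are the accessors Email::Address also provides
    printf "%-12s %-6s %-18s %s\n",
        $addr->phrase // '', $addr->user, $addr->host, $addr->address;
}
```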