Control: severity -1 important

Hi Pali
On Wed, Jul 12, 2017 at 06:51:06PM +0200, Pali Rohár wrote:
> Package: libemail-address-perl
> Version: 1.908-1
> Severity: grave
>
> Hi! The Perl Email::Address module has the CVE-2015-7686 defect, which means
> that for specially prepared input, the parse() method can take exponential
> time to process the input buffer. The primary use of Email::Address was to
> parse From/To/Cc email headers, which means that an attacker could DoS a
> server application which uses this module for parsing emails.
>
> Since 2015 there was no new release of the Email::Address module, and
> meanwhile I created a new module named Email::Address::XS:
>
> https://metacpan.org/pod/Email::Address::XS
>
> It has a backward compatible API, but uses a completely different way to
> parse input. It is written in C instead of perl regexps and uses parts
> of the dovecot parser, which was already widely tested.
>
> Fixing the current Email::Address is very hard if we want to aim at two things:
> 1) RFC-correctness
> 2) polynomial time complexity in the worst case
>
> This is the reason why I chose to write Email::Address::XS from scratch
> instead of hacking Email::Address.
>
> Due to the fact that there has been no new version of Email::Address for 2 years
> which could address the CVE-2015-7686 defect, I would suggest dropping the
> libemail-address-perl package from Debian completely.
>
> That is probably not easy as more packages depend on libemail-address-perl
> (Email::Address module). But because Email::Address::XS has a
> backward compatible API, it can be used as a drop-in replacement for
> Email::Address.
>
> Something like sed 's/Email::Address/Email::Address::XS/g' on the sources of
> 3rd party applications/modules should be enough.
>
> And if not, I can help with porting existing perl applications in Debian
> which use Email::Address to be compatible with Email::Address::XS.

Thanks. Yes, CVE-2015-7686 is longstanding, affecting Email::Address. This IMHO is no reason to mark it as severity grave.
Rather, IMHO the following should be done:

1/ Lower the severity to non-RC.
2/ Package Email::Address::XS for Debian.
3/ For every package in Debian (build-)depending on libemail-address-perl, file a wishlist bug to have the package "ported" (done preferably first upstream) to the new module. Later on, when maintainers have been given enough time, those might be raised to important.
4/ Choose a usertag for user debian-p...@lists.debian.org to track the issues and tag them.
5/ Once all applications have switched to libemail-address-xs-perl, file a removal bug for libemail-address-perl.

Hope this helps so far, and is complete,

Regards,
Salvatore
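As an added illustration of the porting step discussed in this thread (this script is not part of the bug report, of Debian's packaging, or of the Email::Address::XS distribution), the following parses constructed To/Cc header values with Email::Address::XS using the same method names a caller of Email::Address would already use (parse, address, user, host, phrase, format), and checks is_valid on every returned object as the module's documentation describes instead of assuming the parse succeeded. It assumes Email::Address::XS is installed; the header values and example.invalid domains are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of the Email::Address::XS
# distribution: parse constructed To/Cc header values with the replacement
# module and drop anything the parser marks invalid before using it.
use strict;
use warnings;
use Email::Address::XS;

# Constructed sample header values (example.invalid domains, not real data).
my %headers = (
    To => 'Winston Smith <winston.smith@recdep.example.invalid> (Records Department), julia@ficdep.example.invalid',
    Cc => 'Broken Address <@@@>, "Quoted, Name" <quoted@example.invalid>',
);

# Returns a reference to the list of valid address objects found in one
# header value and the number of returned objects the parser marked invalid.
sub parse_header {
    my ($value) = @_;
    my @parsed   = Email::Address::XS->parse($value);
    my @valid    = grep {  $_->is_valid } @parsed;
    my $rejected = grep { !$_->is_valid } @parsed;
    return (\@valid, $rejected);
}

for my $name (sort keys %headers) {
    my ($valid, $rejected) = parse_header($headers{$name});
    print "$name: ", scalar(@$valid), " valid, $rejected rejected\n";
    for my $addr (@$valid) {
        printf "  %-40s user=%s host=%s phrase=%s\n",
            $addr->address, $addr->user, $addr->host,
            defined $addr->phrase ? $addr->phrase : '';
    }
    # Re-serialise only the valid entries; format() quotes phrases as needed.
    print "  rebuilt: ", join(', ', map { $_->format } @$valid), "\n";
}
```

Run it with `perl parse_headers.pl`. One caveat on the sed one-liner quoted above: `s/Email::Address/Email::Address::XS/g` also rewrites any identifier that merely begins with `Email::Address`, including an already-ported `Email::Address::XS` (which becomes `Email::Address::XS::XS`), so anchor the pattern so that it does not match when `::` follows, and review the resulting diff before uploading a ported package.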