| Summary: | perl-Email-Address new security issue CVE-2014-0477 and CVE-2014-4720 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | jquelin, mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/603967/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | perl-Email-Address-1.900.0-2.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-06-18 14:02:15 CEST
David Walser
2014-06-18 14:02:22 CEST
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO The package was updated to 1.905 in Cauldron, but still needs a fix backported. Debian has issued an advisory for this on June 27: https://www.debian.org/security/2014/dsa-2969 URL:
(none) =>
http://lwn.net/Vulnerabilities/603967/
David Walser
2014-07-09 00:51:01 CEST
CC:
(none) =>
mageia Apparently 1.904 also fixed a CVE-2014-4720: https://security-tracker.debian.org/tracker/CVE-2014-4720 Summary:
perl-Email-Address new security issue CVE-2014-0477 =>
perl-Email-Address new security issue CVE-2014-0477 and CVE-2014-4720 Updated to 1.905 in mga3 & mga4 (no new requires, so that's easier). Packages perl-Email-Address-1.905.0-1.mga3 and perl-Email-Address-1.905.0-1.mga4 available. Please test & push. Advisory ============================= The perl-Email-Address had some security issues due to a slow regular expression, that can lead to denial of services. The new package fixes the problem. ============================= thanks. Assignee:
jquelin =>
qa-bugs Advisory: ======================== Updated perl-Email-Address package fixes security vulnerability: The parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address (CVE-2014-0477). The Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to "backtracking into the phrase" (CVE-2014-4720). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0477 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4720 https://www.debian.org/security/2014/dsa-2969 Testing complete mga4 64 Checking the patch is applied https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5 $ urpmf perl-Email-Address perl-Email-Address:/usr/lib/perl5/vendor_perl/5.18.1/Email perl-Email-Address:/usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm perl-Email-Address:/usr/share/doc/perl-Email-Address perl-Email-Address:/usr/share/doc/perl-Email-Address/Changes perl-Email-Address:/usr/share/doc/perl-Email-Address/LICENSE perl-Email-Address:/usr/share/doc/perl-Email-Address/META.json perl-Email-Address:/usr/share/doc/perl-Email-Address/META.yml perl-Email-Address:/usr/share/doc/perl-Email-Address/MYMETA.yml perl-Email-Address:/usr/share/doc/perl-Email-Address/README perl-Email-Address:/usr/share/man/man3/Email::Address.3pm.xz Before ------ $ grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm my $quoted_string = qr/$cfws*"$qcontent+"$cfws*/; After ----- $ grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm my $quoted_string = qr/$cfws*"$qcontent*"$cfws*/; Testing function.. From cpan http://search.cpan.org/~rjbs/Email-Address-1.905/lib/Email/Address.pm $ cat testcase.pl use Email::Address; my @addresses = Email::Address->parse($line); my $address = Email::Address->new(Casey => 'casey@localhost'); print $address->format . "\n"; $ perl testcase.pl "Casey" <casey@localhost> Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure mga4-64-ok Testing complete mga3 32 & 64 Different perl version in mga3 Before ------ # grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/*/Email/Address.pm my $quoted_string = qr/$cfws*"$qcontent+"$cfws*/; After ----- # grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/*/Email/Address.pm my $quoted_string = qr/$cfws*"$qcontent*"$cfws*/; $ perl testcase.pl "Casey" <casey@localhost> Whiteboard:
MGA3TOO has_procedure mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok Testing complete mga4 32 Tested also with '' as email address. Whiteboard:
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok Validating. Advisory from comment 4 uploaded. Could sysadmin please push to 3 & 4 updates Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0389.html Status:
NEW =>
RESOLVED LWN reference for CVE-2014-4720: http://lwn.net/Vulnerabilities/614412/ |