| Summary: | perl-Email-Address new security issue CVE-2018-12558 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | bruno, lewyssmith, marja11, shlomif, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | perl-Email-Address-1.908.0-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser 2018-06-20 13:26:42 CEST
David Walser 2018-06-20 13:26:49 CEST

Whiteboard: (none) => MGA6TOO

Assigning to the Perl stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => perl

See CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12558 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873

CC: (none) => bruno

On CPAN the module is marked as deprecated. The problem is that it's used by bugzilla (and a bunch of other perl modules). The page says:

"ACHTUNG! This module has a vulnerability (CVE-2015-7686) which allows remote attackers to cause denial of service. In other words, sometimes it takes way too long to process certain kinds of input. Maybe someday this will be fixed. Until then, use Email::Address::XS instead which has backward compatible API."

Should we try to fix this or use the other module or ... ?

Interesting. Would we have to patch the "use" lines in everything that requires it to add the ::XS on the end? I guess then perl-Email-Address-XS would obsolete it (it'd have to be packaged first).

(In reply to David Walser from comment #4)
> Interesting. Would we have to patch the "use" lines in everything that
> requires it to add the ::XS on the end?

Indeed probably.

> I guess then perl-Email-Address-XS
> would obsolete it (it'd have to be packaged first).

Or we can add that in the spec file. We could try to make that change on a perl module having a test suite and see whether this is a way forward or not. I wonder how the bugzilla project is managing that ...

Fedora has issued an advisory for this on January 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KBO66KNCLV5H73UNWXAZ6VHSLBB6ZIAW/

The issue is fixed upstream in 1.912 (already in Cauldron).

Source RPM: perl-Email-Address-1.909.0-1.mga7.src.rpm => perl-Email-Address-1.908.0-3.mga6.src.rpm

perl-Email-Address-1.912.0-1.mga6 uploaded by Shlomi. Advisory to come later.

Assignee: perl => qa-bugs

Advisory:
========================
Updated perl-Email-Address package fixes security vulnerability:
The parse() method in the Email::Address module through 1.912 for Perl can
consume a large amount of resources on specially prepared input, leading to
Denial of Service. Prepared special input that caused this problem contained 30
form-field characters ("\f") (CVE-2018-12558).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12558
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KBO66KNCLV5H73UNWXAZ6VHSLBB6ZIAW/
========================
Updated packages in core/updates_testing:
========================
perl-Email-Address-1.912.0-1.mga6
from perl-Email-Address-1.912.0-1.mga6.src.rpm
Testing M6/64

The standard quickie test (again thanks to Claire) is at the end of: https://bugs.mageia.org/show_bug.cgi?id=13541#c5 reproduced below. (The previous 'grep' is *not* a test, just a check on a source change).
-----------------
$ cat testcase.pl
use strict;
use warnings;
use Email::Address;
my $line = 'casey@localhost';   # constructed input; the posted script left $line undefined
my @addresses = Email::Address->parse($line);
my $address = Email::Address->new(Casey => 'casey@localhost');
print $address->format . "\n";
$ perl testcase.pl
"Casey" <casey@localhost>
-------------------------

The CVE points to a useful quick test for this fault: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873
"Root of this problem is that parsing of email addresses in Email::Address module is done by regular expressions, which in perl can be exponential. The trivial input is 30 form-fields characters. You can test it with following oneliner:"
$ perl -MEmail::Address -E 'Email::Address->parse("\f" x 30)'

BEFORE update: perl-Email-Address-1.908.0-3.mga6
The special given test hogged a processor for a very long time, I eventually killed it.

AFTER update: perl-Email-Address-1.912.0-1.mga6
The given one-liner above now terminated instantly. GOOD.
And the standard quickie worked.

The update is good, validating it.

Whiteboard: (none) => MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0046.html

Resolution: (none) => FIXED
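The QA comment above had to kill the one-liner by hand on the vulnerable build. The script below is an added example, not part of the bug report, the advisory or the Email::Address distribution: it turns the same check into a bounded regression test by running Email::Address->parse() in a forked child and killing the child if it exceeds a time budget, so the test finishes on both 1.908 and 1.912 and reports which behaviour it saw. The 30 "\f" (form feed) characters are the trigger input quoted from the Debian report; the benign address, the 5-second budget and the child-process layout are this example's own assumptions. It assumes Email::Address is installed and runs on a system with fork().

```perl
#!/usr/bin/perl
# Added example (not from the Mageia bug report): bounded regression check for
# CVE-2018-12558.  parse() runs in a child process that is killed after a time
# budget, so the check terminates on vulnerable and fixed builds alike.
use strict;
use warnings;
use Email::Address;
use POSIX ':sys_wait_h';
use Time::HiRes qw(time sleep);

# Run parse() on $input in a forked child.  Returns the number of parsed
# addresses, or undef if the child had to be killed after $limit seconds.
# A child process is used rather than alarm() because Perl delivers signals
# only between opcodes, and one runaway regex match is a single opcode.
sub parse_within {
    my ($input, $limit) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                        # child: parse, report count via exit status
        my @addrs = Email::Address->parse($input);
        exit(@addrs > 254 ? 254 : scalar @addrs);
    }
    my $deadline = time + $limit;
    while (time < $deadline) {              # parent: poll without blocking
        my $done = waitpid($pid, WNOHANG);
        return $? >> 8 if $done == $pid;
        sleep 0.05;
    }
    kill 'KILL', $pid;                      # still running: parse did not terminate
    waitpid($pid, 0);
    return undef;
}

# Constructed inputs: the 30 form-feed characters quoted in the Debian report,
# plus a benign address so the harness also confirms ordinary parsing works.
my @cases = (
    [ 'thirty form feeds' => "\f" x 30 ],
    [ 'plain address'     => 'Casey <casey@localhost>' ],
);
my $limit = 5;   # seconds; assumed budget, far above a healthy parse time

for my $case (@cases) {
    my ($name, $input) = @$case;
    my $start = time;
    my $count = parse_within($input, $limit);
    printf "%-18s %s (%.3fs)\n", $name,
        defined $count ? "parsed $count address(es)"
                       : "KILLED after ${limit}s: parse() did not terminate",
        time - $start;
}
```

On perl-Email-Address-1.908.0-3.mga6 the first case is expected to report KILLED and the second to parse one address; on 1.912.0-1.mga6 both should finish in milliseconds, which matches the before/after observations recorded in the testing comment.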