A denial of service issue in Email::Address was announced today (June 18):
http://openwall.com/lists/oss-security/2014/06/18/2

This is due to slowness of parsing some strings in the parse function, including the empty string.

The issues were fixed upstream in 1.905.

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
The package was updated to 1.905 in Cauldron, but still needs a fix backported. Debian has issued an advisory for this on June 27: https://www.debian.org/security/2014/dsa-2969
URL: (none) => http://lwn.net/Vulnerabilities/603967/
Source RPM: perl-Email-Address-1.903.0-1.mga5.src.rpm => perl-Email-Address-1.900.0-2.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
CC: (none) => mageia
Apparently 1.904 also fixed a CVE-2014-4720: https://security-tracker.debian.org/tracker/CVE-2014-4720
Summary: perl-Email-Address new security issue CVE-2014-0477 => perl-Email-Address new security issue CVE-2014-0477 and CVE-2014-4720
Updated to 1.905 in mga3 & mga4 (no new requires, so that's easier).

Packages perl-Email-Address-1.905.0-1.mga3 and perl-Email-Address-1.905.0-1.mga4 available. Please test & push.

Advisory
=============================
The perl-Email-Address package had some security issues due to a slow regular expression that can lead to denial of service. The new package fixes the problem.
=============================

Thanks.
Assignee: jquelin => qa-bugs
CC: (none) => jquelin
Advisory:
========================

Updated perl-Email-Address package fixes security vulnerability:

The parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address (CVE-2014-0477).

The Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to "backtracking into the phrase" (CVE-2014-4720).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4720
https://www.debian.org/security/2014/dsa-2969
Testing complete mga4 64

Checking the patch is applied
https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5

$ urpmf perl-Email-Address
perl-Email-Address:/usr/lib/perl5/vendor_perl/5.18.1/Email
perl-Email-Address:/usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm
perl-Email-Address:/usr/share/doc/perl-Email-Address
perl-Email-Address:/usr/share/doc/perl-Email-Address/Changes
perl-Email-Address:/usr/share/doc/perl-Email-Address/LICENSE
perl-Email-Address:/usr/share/doc/perl-Email-Address/META.json
perl-Email-Address:/usr/share/doc/perl-Email-Address/META.yml
perl-Email-Address:/usr/share/doc/perl-Email-Address/MYMETA.yml
perl-Email-Address:/usr/share/doc/perl-Email-Address/README
perl-Email-Address:/usr/share/man/man3/Email::Address.3pm.xz

Before
------
$ grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm
my $quoted_string = qr/$cfws*"$qcontent+"$cfws*/;

After
-----
$ grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm
my $quoted_string = qr/$cfws*"$qcontent*"$cfws*/;

Testing function..

From cpan
http://search.cpan.org/~rjbs/Email-Address-1.905/lib/Email/Address.pm

$ cat testcase.pl
use Email::Address;

my @addresses = Email::Address->parse($line);
my $address = Email::Address->new(Casey => 'casey@localhost');
print $address->format . "\n";

$ perl testcase.pl
"Casey" <casey@localhost>
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 32 & 64

Different perl version in mga3

Before
------
# grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/*/Email/Address.pm
my $quoted_string = qr/$cfws*"$qcontent+"$cfws*/;

After
-----
# grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/*/Email/Address.pm
my $quoted_string = qr/$cfws*"$qcontent*"$cfws*/;

$ perl testcase.pl
"Casey" <casey@localhost>
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32

Tested also with '' as email address.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
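The checks the QA comments above run by hand (the grep for the patched $quoted_string, then a parse) can be scripted. The following Perl is an added example, not part of the bug thread or of the Email::Address distribution; the helper names, the 5-second budget and the third sample input are assumptions made here.

```perl
#!/usr/bin/perl
# Added QA example; not part of the bug thread or of Email::Address itself.
use strict;
use warnings;
use Email::Address;

$| = 1;                       # unbuffered, so forked children do not re-print output
my $FIXED  = '1.905';         # fixed version, as stated in the thread
my $BUDGET = 5;               # seconds allowed per parse (assumed threshold)
my $failed = 0;

sub report {
    my ($what, $ok) = @_;
    $failed ||= !$ok;
    printf "%-5s%s\n", ($ok ? 'ok' : 'FAIL'), $what;
}

# Parse in a child process. A regex match is a single opcode, so Perl's
# deferred signals cannot interrupt it in-process; the parent waits with an
# alarm and kills the child if the parse overruns the budget.
sub parse_within_budget {
    my ($input) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) { my @found = Email::Address->parse($input); exit 0 }
    my $done = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $BUDGET;
        waitpid($pid, 0);
        alarm 0;
        1;
    };
    return $? == 0 ? 1 : 0 if $done;
    kill 'KILL', $pid;
    waitpid($pid, 0);
    return 0;
}

# 1. Version: the thread states that 1.905 fixes both CVEs.
report('Email::Address ' . Email::Address->VERSION . " >= $FIXED",
       scalar eval { Email::Address->VERSION($FIXED); 1 });

# 2. Source: the same check as the grep in the thread, on the file perl loaded.
open my $fh, '<', $INC{'Email/Address.pm'} or die "open: $!";
my ($decl) = grep { /my \$quoted_string\s*=/ } <$fh>;
close $fh;
report('quoted_string uses $qcontent*', defined $decl && $decl =~ /\$qcontent\*/);

# 3. Behaviour: '' and casey@localhost come from the thread; the address with an
#    empty quoted string is constructed here from the CVE-2014-0477 description.
for my $input ('', 'casey@localhost', '"" <casey@localhost>') {
    report("parse('$input') returns within ${BUDGET}s", parse_within_budget($input));
}
exit($failed ? 1 : 0);
```

The script exits non-zero if any check fails, so it can be run before and after installing the update candidate on each release and architecture.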
Validating. Advisory from comment 4 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0389.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2014-4720: http://lwn.net/Vulnerabilities/614412/