Bug 13541 - perl-Email-Address new security issue CVE-2014-0477 and CVE-2014-4720
Summary: perl-Email-Address new security issue CVE-2014-0477 and CVE-2014-4720
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603967/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-18 14:02 CEST by David Walser
Modified: 2014-10-01 21:42 CEST (History)
3 users (show)

See Also:
Source RPM: perl-Email-Address-1.900.0-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-06-18 14:02:15 CEST
A denial of service issue in Email::Address was announced today (June 18):
http://openwall.com/lists/oss-security/2014/06/18/2

This is due to slowness of parsing some strings in the parse function, including the empty string.  The issues were fixed upstream in 1.905.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-18 14:02:22 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-06-30 23:33:36 CEST
The package was updated to 1.905 in Cauldron, but still needs a fix backported.

Debian has issued an advisory for this on June 27:
https://www.debian.org/security/2014/dsa-2969

URL: (none) => http://lwn.net/Vulnerabilities/603967/
Source RPM: perl-Email-Address-1.903.0-1.mga5.src.rpm => perl-Email-Address-1.900.0-2.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

David Walser 2014-07-09 00:51:01 CEST

CC: (none) => mageia

Comment 2 David Walser 2014-09-03 00:23:02 CEST
Apparently 1.904 also fixed a CVE-2014-4720:
https://security-tracker.debian.org/tracker/CVE-2014-4720

Summary: perl-Email-Address new security issue CVE-2014-0477 => perl-Email-Address new security issue CVE-2014-0477 and CVE-2014-4720

Comment 3 Jerome Quelin 2014-09-26 09:58:56 CEST
Updated to 1.905 in mga3 & mga4 (no new requires, so that's easier).
Packages perl-Email-Address-1.905.0-1.mga3 and perl-Email-Address-1.905.0-1.mga4 available.

Please test & push.

Advisory
=============================
The perl-Email-Address had some security issues due to a slow regular expression, that can lead to denial of services.
The new package fixes the problem.
=============================

thanks.

Assignee: jquelin => qa-bugs
CC: (none) => jquelin

Comment 4 David Walser 2014-09-26 14:38:22 CEST
Advisory:
========================

Updated perl-Email-Address package fixes security vulnerability:

The parse function in Email::Address module before 1.905 for Perl uses an
inefficient regular expression, which allows remote attackers to cause a
denial of service (CPU consumption) via an empty quoted string in an RFC 2822
address (CVE-2014-0477).

The Email::Address module before 1.904 for Perl uses an inefficient regular
expression, which allows remote attackers to cause a denial of service (CPU
consumption) via vectors related to "backtracking into the phrase"
(CVE-2014-4720).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4720
https://www.debian.org/security/2014/dsa-2969
Comment 5 claire robinson 2014-09-26 16:31:28 CEST
Testing complete mga4 64

Checking the patch is applied

https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5

$ urpmf perl-Email-Address
perl-Email-Address:/usr/lib/perl5/vendor_perl/5.18.1/Email
perl-Email-Address:/usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm
perl-Email-Address:/usr/share/doc/perl-Email-Address
perl-Email-Address:/usr/share/doc/perl-Email-Address/Changes
perl-Email-Address:/usr/share/doc/perl-Email-Address/LICENSE
perl-Email-Address:/usr/share/doc/perl-Email-Address/META.json
perl-Email-Address:/usr/share/doc/perl-Email-Address/META.yml
perl-Email-Address:/usr/share/doc/perl-Email-Address/MYMETA.yml
perl-Email-Address:/usr/share/doc/perl-Email-Address/README
perl-Email-Address:/usr/share/man/man3/Email::Address.3pm.xz

Before
------
$ grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm
my $quoted_string  = qr/$cfws*"$qcontent+"$cfws*/;


After
-----
$  grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/5.18.1/Email/Address.pm
my $quoted_string  = qr/$cfws*"$qcontent*"$cfws*/;


Testing function..

From cpan
http://search.cpan.org/~rjbs/Email-Address-1.905/lib/Email/Address.pm

$ cat testcase.pl 
  use Email::Address;

  my @addresses = Email::Address->parse($line);
  my $address   = Email::Address->new(Casey => 'casey@localhost');

  print $address->format . "\n";

$ perl testcase.pl 
"Casey" <casey@localhost>

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 6 claire robinson 2014-09-26 16:53:19 CEST
Testing complete mga3 32 & 64

Different perl version in mga3 

Before
------
# grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/*/Email/Address.pm
my $quoted_string  = qr/$cfws*"$qcontent+"$cfws*/;

After
-----
# grep 'my $quoted_string' /usr/lib/perl5/vendor_perl/*/Email/Address.pm
my $quoted_string  = qr/$cfws*"$qcontent*"$cfws*/;

$ perl testcase.pl 
"Casey" <casey@localhost>

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 7 claire robinson 2014-09-26 16:58:12 CEST
Testing complete mga4 32

Tested also with '' as email address.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 8 claire robinson 2014-09-26 17:37:55 CEST
Validating. Advisory from comment 4 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2014-09-26 17:55:27 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0389.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2014-10-01 21:42:09 CEST
LWN reference for CVE-2014-4720:
http://lwn.net/Vulnerabilities/614412/

Note You need to log in before you can comment on or make changes to this bug.