Fedora has issued an advisory on June 3: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/ The issue is fixed upstream in 1.24.
Comment 0 is for perl-Email-MIME-ContentType. perl-Email-MIME is part of this too. The issue is fixed in 1.949 there: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/
Summary: perl-Email-MIME-ContentType new DoS security issue => perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Source RPM: perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm => perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm, perl-Email-MIME-1.946.0-3.mga7.src.rpm
No evident maintainer, so assigning globally. CCing Shlomi as the registered person.
Assignee: bugsquad => pkg-bugs
CC: (none) => shlomif
Status comment: (none) => Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType)
Updated versions on their way to updates_testing for mga7
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => bruno
Advisory:
========================

Updated perl-Email-MIME and perl-Email-MIME-ContentType packages fix security vulnerability:

Messages with too many tiny nested MIME parts can lead to memory exhaustion on split(), resulting in denial of service (rhbz#1835353).

This update limits the number of nested MIME parts to 10 (by default), to avoid a possible memory exhaustion issue with lots of tiny MIME parts.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/
========================

Updated packages in core/updates_testing:
========================
perl-Email-MIME-1.949.0-3.1.mga7
perl-Email-MIME-ContentType-1.24.0-3.1.mga7

from SRPMS:
perl-Email-MIME-1.949.0-3.1.mga7.src.rpm
perl-Email-MIME-ContentType-1.24.0-3.1.mga7.src.rpm
Status comment: Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType) => (none)
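As an added illustration of the mitigation the advisory describes (a cap on nested MIME parts, 10 by default), the Python below walks a parsed message and refuses to descend past that cap, while the unbounded mode shows what an uncapped parser does with the same input. This is example code written for this page, not Email::MIME's implementation; the exact depth-counting semantics are an assumption, not taken from the upstream fix, and the nested test message is constructed inline.

```python
# Added example (not Email::MIME's code): a depth-bounded MIME walker showing the
# mitigation the advisory describes. Depth semantics are constructed for illustration.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MAX_DEPTH = 10  # default nesting cap, matching the advisory's stated default


class TooManyNestedParts(Exception):
    """Raised when MIME parts nest deeper than the configured limit."""


def build_nested(depth):
    """Constructed test input: `depth` multipart/mixed wrappers around one leaf."""
    msg = EmailMessage()
    msg.set_content("leaf")
    for _ in range(depth):
        outer = EmailMessage()
        outer.make_mixed()
        outer.attach(msg)
        msg = outer
    msg["Subject"] = "constructed nesting test"
    return msg.as_bytes()


def count_parts(raw, max_depth=MAX_DEPTH):
    """Count MIME parts; refuse nesting past max_depth (None = unbounded, the old behaviour)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    def walk(part, depth):
        if max_depth is not None and depth > max_depth:
            raise TooManyNestedParts(f"nesting depth {depth} exceeds {max_depth}")
        if part.is_multipart():
            # Each multipart container counts as one part plus its children.
            return 1 + sum(walk(sub, depth + 1) for sub in part.iter_parts())
        return 1

    return walk(msg, 0)


def is_within_limit(raw, max_depth=MAX_DEPTH):
    """True if the message parses within the cap, False if it is rejected."""
    try:
        count_parts(raw, max_depth)
    except TooManyNestedParts:
        return False
    return True
```

A message nested ten levels deep is still accepted; the eleventh level is rejected before any further parts are expanded, which is the point of the upstream default.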
Looked back for a previous bug on these packages, found nothing. "urpmq --whatrequires" shows Bugzilla is about the only app that uses the packages. Testing Bugzilla in a way to be sure that these particular packages would be used is far beyond my capabilities, so I'm opting for a clean install.

Installed perl-Email-MIME and its dependencies, which included perl-Email-MIME-ContentType. No installation issues.

Used QA Repo to get the two packages to be updated, then proceeded to Mageia Update, to see this:

The following 3 packages are going to be installed:
- perl-Email-MIME-1.949.0-3.1.mga7.noarch
- perl-Email-MIME-ContentType-1.24.0-3.1.mga7.noarch
- perl-Text-Unidecode-1.300.0-3.mga7.noarch

Assuming the third package is a new dependency, I installed all three. Again, no installation issues.

I'm going to OK this, and validate. If this is not good enough, please feel free to hold it back.

Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
Advisory committed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0078.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED