Bug 26757 - perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Summary: perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-06-09 22:11 CEST by David Walser
Modified: 2021-02-10 19:43 CET

See Also:
Source RPM: perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm, perl-Email-MIME-1.946.0-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-06-09 22:11:54 CEST
Fedora has issued an advisory on June 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/

The issue is fixed upstream in 1.24.
Comment 1 David Walser 2020-06-09 22:14:16 CEST
Comment 0 is for perl-Email-MIME-ContentType.

perl-Email-MIME is part of this too.

The issue is fixed in 1.949 there:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/

Summary: perl-Email-MIME-ContentType new DoS security issue => perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Source RPM: perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm => perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm, perl-Email-MIME-1.946.0-3.mga7.src.rpm

Comment 2 Lewis Smith 2020-06-11 20:56:42 CEST
No evident maintainer, so assigning globally. CCing Shlomi as the registered person.

Assignee: bugsquad => pkg-bugs
CC: (none) => shlomif

David Walser 2020-12-28 18:35:42 CET

Status comment: (none) => Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType)

Comment 3 Bruno Cornec 2021-01-05 00:21:21 CET
Updated versions on their way to updates_testing for mga7

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => bruno

Comment 4 David Walser 2021-01-05 00:56:31 CET
Advisory:
========================

Updated perl-Email-MIME and perl-Email-MIME-ContentType packages fix security
vulnerability:

Messages with too many tiny nested MIME parts can lead to memory exhaustion on
split(), resulting in denial of service (rhbz#1835353).

This update limits the number of nested MIME parts to 10 (by default), to avoid
a possible memory exhaustion issue with lots of tiny MIME parts.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/
========================

Updated packages in core/updates_testing:
========================
perl-Email-MIME-1.949.0-3.1.mga7
perl-Email-MIME-ContentType-1.24.0-3.1.mga7

from SRPMS:
perl-Email-MIME-1.949.0-3.1.mga7.src.rpm
perl-Email-MIME-ContentType-1.24.0-3.1.mga7.src.rpm

Status comment: Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType) => (none)
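
The advisory describes the failure mode (unbounded recursion into tiny nested multipart parts exhausting memory during split) and the fix (a nesting limit, 10 by default) only in prose. The block below is an added illustration written for this page, not code from Email::MIME or Email::MIME::ContentType: a minimal recursive multipart splitter in Python that refuses to descend past a configurable depth, run on messages constructed inline. The function and variable names (count_parts, MAX_DEPTH, build_nested) are this example's own and say nothing about the names the upstream modules use.

```python
"""Depth-limited multipart splitting: the guard pattern behind the fix.

Added example, not Email::MIME's code. A naive splitter recurses once per
multipart envelope, so a message nesting thousands of tiny multipart parts
costs memory for every level; capping the nesting depth bounds the work
regardless of how the message is shaped.
"""
import re

MAX_DEPTH = 10  # default nesting limit; mirrors the advisory's "10 (by default)"


class TooManyNestedParts(Exception):
    """Raised when a multipart body is nested deeper than the permitted limit."""


def _split_headers(raw: bytes):
    """Return ({lowercased-name: value}, body) for a CRLF-terminated part."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def _boundary(content_type: bytes):
    """Pull the boundary parameter out of a Content-Type value (quoted or bare)."""
    m = re.search(rb'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def count_parts(raw: bytes, depth: int = 0, max_depth: int = MAX_DEPTH) -> int:
    """Recursively split multipart bodies and return the number of leaf parts.

    `depth` is the number of multipart envelopes already opened above this
    part; a multipart part seen at depth >= max_depth is refused before its
    body is split, which is the kind of check the fixed releases add.
    """
    headers, body = _split_headers(raw)
    content_type = headers.get(b"content-type", b"")
    if not content_type.lower().startswith(b"multipart/"):
        return 1  # leaf part: nothing to split
    if depth >= max_depth:
        raise TooManyNestedParts(
            f"multipart part at nesting depth {depth} exceeds limit {max_depth}")
    boundary = _boundary(content_type)
    if boundary is None:
        return 1  # no boundary: treat the body as opaque rather than guess
    # RFC 2046 delimiter lines begin with CRLF followed by "--" + boundary.
    pieces = (b"\r\n" + body).split(b"\r\n--" + boundary)
    total = 0
    for piece in pieces[1:]:            # pieces[0] is the preamble
        if piece.startswith(b"--"):
            break                       # closing delimiter; the rest is epilogue
        if piece.startswith(b"\r\n"):
            piece = piece[2:]           # drop the CRLF that ended the boundary line
        total += count_parts(piece, depth + 1, max_depth)
    return total


def is_rejected(raw: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True if the depth guard refuses `raw`, False if it parses fully."""
    try:
        count_parts(raw, max_depth=max_depth)
    except TooManyNestedParts:
        return True
    return False


# --- constructed sample messages (not real mail traffic) ---------------------

LEAF = b"Content-Type: text/plain\r\n\r\nx"  # the smallest useful leaf part


def build_nested(levels: int) -> bytes:
    """Wrap LEAF in `levels` nested multipart/mixed envelopes, innermost first."""
    msg = LEAF
    for i in range(levels):
        b = b"part-%03d" % i            # zero-padded so no boundary is a prefix of another
        msg = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
               b"--" + b + b"\r\n" + msg + b"\r\n--" + b + b"--\r\n")
    return msg


def build_flat(n: int) -> bytes:
    """One multipart/mixed envelope holding `n` sibling leaf parts (depth 1)."""
    b = b"flat"
    body = b"".join(b"--" + b + b"\r\n" + LEAF + b"\r\n" for _ in range(n))
    return (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
            + body + b"--" + b + b"--\r\n")


if __name__ == "__main__":
    print("flat(3) parts:", count_parts(build_flat(3)))
    print("nested(10) accepted:", not is_rejected(build_nested(10)))
    print("nested(11) rejected:", is_rejected(build_nested(11)))
    print("nested(11) accepted with limit 20:", not is_rejected(build_nested(11), 20))
```

The limit is on nesting depth, not on the total number of parts: build_flat(3) has three siblings at depth 1 and parses normally, while build_nested(11) is refused as soon as the eleventh multipart envelope is opened, before any of its body is split. Raising max_depth for a trusted caller is the equivalent of overriding the module's default; the default is what protects an unattended mail-processing service.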

Comment 5 Thomas Andrews 2021-02-09 18:09:59 CET
Looked back for a previous bug on these packages, found nothing. 

"urpmq --whatrequires" shows Bugzilla is about the only app that uses the packages. Testing Bugzilla in a way to be sure that these particular packages would be used is far beyond my capabilities, so I'm opting for a clean install.

Installed perl-Email-MIME and its dependencies, which included perl-Email-MIME-ContentType. No installation issues.

Used QA Repo to get the two packages to be updated, then proceeded to Mageia Update, to see this:

The following 3 packages are going to be installed:

- perl-Email-MIME-1.949.0-3.1.mga7.noarch
- perl-Email-MIME-ContentType-1.24.0-3.1.mga7.noarch
- perl-Text-Unidecode-1.300.0-3.mga7.noarch

Assuming the third package is a new dependency, I installed all three. Again, no installation issues.

I'm going to OK this, and validate. If this is not good enough, please feel free to hold it back.

Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update

Comment 6 Aurelien Oudelet 2021-02-10 16:22:44 CET
Advisory committed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-02-10 19:43:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0078.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
