Bug 26757 - perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Summary: perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-09 22:11 CEST by David Walser
Modified: 2021-01-05 00:56 CET

See Also:
Source RPM: perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm, perl-Email-MIME-1.946.0-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-06-09 22:11:54 CEST
Fedora has issued an advisory on June 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/

The issue is fixed upstream in 1.24.
Comment 1 David Walser 2020-06-09 22:14:16 CEST
Comment 0 is for perl-Email-MIME-ContentType.

perl-Email-MIME is part of this too.

The issue is fixed in 1.949 there:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/

Summary: perl-Email-MIME-ContentType new DoS security issue => perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Source RPM: perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm => perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm, perl-Email-MIME-1.946.0-3.mga7.src.rpm

Comment 2 Lewis Smith 2020-06-11 20:56:42 CEST
No evident maintainer, so assigning globally. CCing Shlomi as the registered person.

CC: (none) => shlomif
Assignee: bugsquad => pkg-bugs

David Walser 2020-12-28 18:35:42 CET

Status comment: (none) => Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType)

Comment 3 Bruno Cornec 2021-01-05 00:21:21 CET
Updated versions on their way to updates_testing for mga7

CC: (none) => bruno
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

Comment 4 David Walser 2021-01-05 00:56:31 CET
Advisory:
========================

Updated perl-Email-MIME and perl-Email-MIME-ContentType packages fix security
vulnerability:

Messages with too many tiny nested MIME parts can lead to memory exhaustion on
split(), resulting in denial of service (rhbz#1835353).

This update limits the number of nested MIME parts to 10 (by default), to avoid
a possible memory exhaustion issue with lots of tiny MIME parts.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/
========================

Updated packages in core/updates_testing:
========================
perl-Email-MIME-1.949.0-3.1.mga7
perl-Email-MIME-ContentType-1.24.0-3.1.mga7

from SRPMS:
perl-Email-MIME-1.949.0-3.1.mga7.src.rpm
perl-Email-MIME-ContentType-1.24.0-3.1.mga7.src.rpm

Status comment: Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType) => (none)
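
A check for the nesting limit described in the advisory above, added here as an example (it is not part of the bug report or of the Email::MIME distribution). It builds a small constructed message with a known number of nested multipart levels, parses it with the installed Email::MIME, and reports how deep the parsed tree goes. The helper names nested_message and max_depth and the boundary names b1..bN are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: compare the nesting depth of a constructed message with the
# depth the installed Email::MIME exposes after parsing it.
use strict;
use warnings;
use Email::MIME;

# Constructed sample: $levels multipart/mixed containers wrapped around one
# text/plain part. Boundary names b1..bN are made up for this test.
sub nested_message {
    my ($levels) = @_;
    my $inner = "Content-Type: text/plain\r\n\r\nhello\r\n";
    for my $i (reverse 1 .. $levels) {
        my $b = "b$i";
        $inner = "Content-Type: multipart/mixed; boundary=\"$b\"\r\n\r\n"
               . "--$b\r\n$inner--$b--\r\n";
    }
    return "MIME-Version: 1.0\r\nSubject: depth test\r\n$inner";
}

# Walk the parsed tree iteratively and return the deepest level reached
# (0 means the top-level message has no subparts).
sub max_depth {
    my ($mime) = @_;
    my $max  = 0;
    my @todo = ([$mime, 0]);
    while (my $item = shift @todo) {
        my ($part, $depth) = @$item;
        $max = $depth if $depth > $max;
        push @todo, map { [$_, $depth + 1] } $part->subparts;
    }
    return $max;
}

my $limit = 10;    # default nesting limit stated in the advisory
printf "Email::MIME %s\n", Email::MIME->VERSION;
for my $levels (5, 15) {
    # eval guards against a parser that refuses the message outright
    my $mime = eval { Email::MIME->new(nested_message($levels)) };
    unless ($mime) {
        print "built $levels nested levels, parse refused: $@\n";
        next;
    }
    my $seen = max_depth($mime);
    printf "built %2d nested levels, parser exposed %2d%s\n", $levels, $seen,
        $seen > $limit ? "  (deeper than the advisory's limit of $limit)" : "";
}
```

With the old packages the parser follows all 15 levels. With the packages from updates_testing, the limit described in the advisory means the 15-level case should stop short of that.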

