Bug 33248 - perl-Email-MIME new security issue CVE-2024-4140
Summary: perl-Email-MIME new security issue CVE-2024-4140
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2024-05-28 08:53 CEST by Nicolas Salguero
Modified: 2024-05-29 20:10 CEST

See Also:
Source RPM: perl-Email-MIME-1.953.0-1.mga9.src.rpm
CVE: CVE-2024-4140
Status comment:



Description Nicolas Salguero 2024-05-28 08:53:56 CEST
Fedora issued an advisory on May 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFD5BWGYAVLW6IO4SUNLTJCFFLHZYQGT/

The problem is fixed in version 1.954.
Nicolas Salguero 2024-05-28 08:54:17 CEST

Source RPM: (none) => perl-Email-MIME-1.953.0-1.mga9.src.rpm
CVE: (none) => CVE-2024-4140
Status comment: (none) => Fixed upstream in 1.954

Comment 1 Nicolas Salguero 2024-05-28 15:43:58 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts. (CVE-2024-4140)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFD5BWGYAVLW6IO4SUNLTJCFFLHZYQGT/
========================

Updated package in core/updates_testing:
========================
perl-Email-MIME-1.954.0-1.mga9

from SRPM:
perl-Email-MIME-1.954.0-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 1.954 => (none)
Status: NEW => ASSIGNED
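
Added example (not part of this bug report and not Email::MIME's own code): the advisory above says the fix bounds multipart nesting depth and the total number of parts. The Python below shows what such a bound looks like as a check over a parsed message tree, using the standard `email` package rather than Perl. The limit values (10 and 100), the exception class, and the sample-message builders are assumptions made for the illustration; Email::MIME's actual defaults are not given on this page.

```python
# Added illustration (Python, not Email::MIME's Perl code): enforce a
# maximum multipart nesting depth and a maximum total part count on a
# parsed MIME message, the two limits the CVE-2024-4140 fix introduces.
# The limit values below are assumed placeholders, not Email::MIME's
# defaults.
import email
from email import policy
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 10   # assumed policy value
MAX_PARTS = 100  # assumed policy value


class MimeLimitExceeded(ValueError):
    """Raised when a message's structure exceeds the configured limits."""


def mime_stats(msg, depth=0):
    """Return (max_depth, total_parts) for a parsed message tree.

    The top-level entity is depth 0 and counts as one part; each
    multipart container adds its children at depth + 1.
    """
    max_depth, total = depth, 1
    if msg.is_multipart():
        for child in msg.get_payload():        # list of sub-messages
            child_depth, child_total = mime_stats(child, depth + 1)
            max_depth = max(max_depth, child_depth)
            total += child_total
    return max_depth, total


def check_limits(raw, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Parse raw message bytes and return (depth, parts), or raise
    MimeLimitExceeded if either figure is over its limit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    depth, parts = mime_stats(msg)
    if depth > max_depth:
        raise MimeLimitExceeded(f"nesting depth {depth} exceeds {max_depth}")
    if parts > max_parts:
        raise MimeLimitExceeded(f"{parts} MIME parts exceed {max_parts}")
    return depth, parts


def within_limits(raw, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Boolean form of check_limits for callers that only need accept/reject."""
    try:
        check_limits(raw, max_depth, max_parts)
    except MimeLimitExceeded:
        return False
    return True


# Constructed sample inputs (not real mail): a deeply nested chain of
# multipart/mixed containers, and a single container with many leaves.
def build_nested(levels):
    """One text leaf wrapped in `levels` multipart/mixed containers."""
    part = MIMEText("leaf", "plain")
    for _ in range(levels):
        container = MIMEMultipart("mixed")
        container.attach(part)
        part = container
    part["Subject"] = "constructed nested sample"
    return part.as_bytes()


def build_flat(leaves):
    """One multipart/mixed container holding `leaves` text parts."""
    container = MIMEMultipart("mixed")
    for i in range(leaves):
        container.attach(MIMEText(f"part {i}", "plain"))
    container["Subject"] = "constructed flat sample"
    return container.as_bytes()


if __name__ == "__main__":
    print(check_limits(build_nested(3)))    # (3, 4)
    print(check_limits(build_flat(5)))      # (1, 6)
    print(within_limits(build_nested(12)))  # False: depth 12 > 10
    print(within_limits(build_flat(150)))   # False: 151 parts > 100
```

This is a post-parse check: it rejects oversize structures, but Python's parser has already built the whole tree by the time it runs. A library-level fix such as the Email::MIME one enforces the limit while parsing, which is what actually removes the memory growth; a wrapper like this is for code paths where the parser cannot be changed but a consistent structural policy is still wanted.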

katnatek 2024-05-28 20:03:17 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-05-29 03:58:19 CEST
LC_ALL=C urpmi  perl-Email-MIME
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  perl-Email-Address             1.913.0      1.mga9        noarch  
  perl-Email-MIME                1.953.0      1.mga9        noarch  
  perl-Email-MIME-ContentType    1.28.0       1.mga9        noarch  
  perl-Email-MIME-Encodings      1.317.0      1.mga9        noarch  
  perl-Email-MessageID           1.408.0      1.mga9        noarch  
  perl-Text-Unidecode            1.300.0      5.mga9        noarch  
939KB of additional disk space will be used.
297KB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-Address-1.913.0-1.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Text-Unidecode-1.300.0-5.mga9.noarch.rpm  
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MIME-1.953.0-1.mga9.noarch.rpm      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MIME-ContentType-1.28.0-1.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MessageID-1.408.0-1.mga9.noarch.rpm 
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MIME-Encodings-1.317.0-1.mga9.noarch.rpm
installing perl-Email-Address-1.913.0-1.mga9.noarch.rpm perl-Text-Unidecode-1.300.0-5.mga9.noarch.rpm perl-Email-MIME-1.953.0-1.mga9.noarch.rpm perl-Email-MessageID-1.408.0-1.mga9.noarch.rpm perl-Email-MIME-ContentType-1.28.0-1.mga9.noarch.rpm perl-Email-MIME-Encodings-1.317.0-1.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     ##################################################################################################
      1/6: perl-Email-MIME-Encodings
                                 ##################################################################################################
      2/6: perl-Text-Unidecode   ##################################################################################################
      3/6: perl-Email-MIME-ContentType
                                 ##################################################################################################
      4/6: perl-Email-Address    ##################################################################################################
      5/6: perl-Email-MessageID  ##################################################################################################
      6/6: perl-Email-MIME       ##################################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing perl-Email-MIME-1.954.0-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: perl-Email-MIME       ##################################################################################################
      1/1: removing perl-Email-MIME-1.953.0-1.mga9.noarch
                                 ##################################################################################################


Giving OK based on clean update https://bugs.mageia.org/show_bug.cgi?id=26757

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 3 Thomas Andrews 2024-05-29 16:10:52 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2024-05-29 20:10:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0198.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
