[SECURITY] [DLA 320-1] libemail-address-perl security update

2015-09-30T06:01:52
ID DEBIAN:DLA-320-1:E4670
Type debian
Reporter Debian
Modified 2015-09-30T06:01:52

Description

Package : libemail-address-perl
Version : 1.889-2+deb6u2

Pali Rohár discovered [1] a possible DoS attack against any software that uses the Email::Address Perl module to parse string input into a list of email addresses.

By default, the Email::Address module (version 1.907 and all earlier versions) tries to parse nestable comments in an input string to a nesting depth of 2.

With specially crafted inputs, parsing nested comments can become extremely slow, causing high CPU load, freezing the application and resulting in a denial of service.

Because input strings for the Email::Address module come from external sources (e.g. from an email sent by an attacker), this is a security problem affecting all software applications that parse email messages using the Email::Address Perl module.

With this upload of libemail-address-perl, the default nesting depth for comments has been set to 1 (as proposed by upstream). Please note that this is not a proper fix, just a workaround for pathological inputs with nested comments.
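For applications that cannot upgrade the package immediately, the same workaround can be applied from the calling code. The following is an added example, not code from the advisory or from the libemail-address-perl package: it assumes the module's package variable `$Email::Address::COMMENT_NEST_LEVEL` (which the module reads when it is loaded, hence the BEGIN block) and adds a parse timeout as defence in depth, so that one slow header cannot stall an entire mail-processing loop. The sample header is constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Workaround from the advisory: cap nested-comment parsing at depth 1.
# The module builds its comment regex at load time from this variable
# (assumed name; check `perldoc Email::Address` for your version), so it
# must be set before `use Email::Address` runs.
BEGIN { $Email::Address::COMMENT_NEST_LEVEL = 1 }
use Email::Address;

# Defence in depth: bound the wall-clock time a single parse may take.
# A header that exceeds the budget is treated as unparseable instead of
# being allowed to consume CPU indefinitely.
sub parse_with_timeout {
    my ($header, $seconds) = @_;
    $seconds ||= 2;
    my @addrs;
    eval {
        local $SIG{ALRM} = sub { die "parse timeout\n" };
        alarm $seconds;
        @addrs = Email::Address->parse($header);
        alarm 0;
    };
    alarm 0;    # always clear the alarm, even if parse died for another reason
    if ($@) {
        die $@ unless $@ eq "parse timeout\n";
        warn "Email::Address parse exceeded ${seconds}s; rejecting header\n";
        return ();
    }
    return @addrs;
}

# Constructed sample header (not from the advisory): ordinary addresses,
# one carrying a single-level comment, which depth 1 still accepts.
my $header = 'Alice Example <alice@example.org> (LTS team), bob@example.net';

for my $addr (parse_with_timeout($header, 2)) {
    printf "%-25s phrase=%s\n", $addr->address,
        defined $addr->phrase ? $addr->phrase : '';
}
```

The timeout uses `alarm`, which is process-wide; in code that already relies on `alarm` (or on event loops that own `SIGALRM`), move the parse into a worker process or use the event loop's own timer instead. Logging which messages hit the timeout gives a simple detection signal for this class of input.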

[1] http://www.openwall.com/lists/oss-security/2015/09/27/1

--

mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net
