Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-320-1 libemail-address-perl

Debian Security Advisory

DLA-320-1 libemail-address-perl -- LTS security update

Date Reported:

30 Sep 2015

Affected Packages:

libemail-address-perl

Vulnerable:

Yes

Security database references:

No other external database security references currently available.

More information:

Pali Rohár discovered a possible DoS attack in any software which uses the Email::Address Perl module for parsing string input to a list of email addresses.

By default Email::Address module, version v1.907 (and all before) tries to understand nestable comments in an input string with depth level 2.

With specially crafted inputs, parsing nestable comments can become too slow and can cause high CPU load, freeze the application and end in Denial of Service.

Because input strings for Email::Address module come from external sources (e.g. from email sent by an attacker) it is a security problem impacting on all software applications which parse email messages using the Email::Address Perl module.

With this upload of libemail-address-perl, the default value of nestable comments has been set to depth level 1 (as proposed by upstream). Please note that this is not proper a fix, just a workaround for pathological inputs with nestable comments.