[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 320-1] libemail-address-perl security update



Package        : libemail-address-perl
Version        : 1.889-2+deb6u2

Pali Rohár discovered [1] a possible DoS attack in any software which uses 
the Email::Address Perl module for parsing string input to a list of
email addresses.

By default Email::Address module, version v1.907 (and all before) tries to 
understand nestable comments in an input string with depth level 2.

With specially crafted inputs, parsing nestable comments can become too
slow and  can cause high CPU load, freeze the application and end in
Denial of Service.

Because input strings for Email::Address module come from external 
sources (e.g. from email sent by an attacker) it is a security problem
impacting on all software applications which parse email messages using
the Email::Address Perl module.

With this upload of libemail-address-perl, the default value of nestable
comments has been set to depth level 1 (as proposed by upstream). Please
note that this is not proper a fix, just a workaround for pathological
inputs with nestable comments.

[1] http://www.openwall.com/lists/oss-security/2015/09/27/1

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: signature.asc
Description: Digital signature


Reply to: