Bug 883225 - (CVE-2014-0477) VUL-0: CVE-2014-0477: perl-Email-Address: Denial-of-Service in Email::Address::parse
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other openSUSE 13.1
Priority: P3 - Medium; Severity: Normal
Assigned To: Thomas Abraham
Security Team bot
https://smash.suse.de/issue/99721/
Reported: 2014-06-18 14:58 UTC by Johannes Segitz
Modified: 2015-02-19 02:16 UTC (History)
Found By: Security Response Team
Description Johannes Segitz 2014-06-18 14:58:58 UTC
Via OSS-sec

From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 18 Jun 2014 07:19:15 +0200

Bastian Blank reported a denial of service vulnerability in
Email::Address, a Perl module for RFC 2822 address parsing and
creation[1]. Email::Address::parse uses significant time on parsing
empty quoted string, as allowed by RFC 2822.

==========

Fixed in upstream version 1.905, which contains additional commits to avoid slowdowns.

References:
http://seclists.org/oss-sec/2014/q2/563
https://bugzilla.redhat.com/show_bug.cgi?id=1110723
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0477
Comment 1 Swamp Workflow Management 2014-06-18 22:00:19 UTC
bugbot adjusting priority
Comment 2 James Oakley 2014-06-20 03:19:01 UTC
I haven't touched this package (or Perl) in 7 years. I'm probably not the right person to assign this to.
Comment 3 Johannes Segitz 2014-06-20 12:54:42 UTC
Daniel, you're one of the bugowners, can you please take this one?
Comment 5 Johannes Segitz 2014-06-23 09:12:34 UTC
Next try. Can you please take care of this issue?
Comment 6 Thomas Abraham 2014-10-07 14:09:22 UTC
I know it's late, but I only recently realized that this was assigned to me.

I submitted mr 254516
Comment 7 Benjamin Brunner 2014-10-07 14:20:57 UTC
I changed needinfo to security-team@suse.de, since this is a security issue.

Thanks Thomas.
Comment 8 Bernhard Wiedemann 2014-10-07 15:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (883225) was mentioned in
https://build.opensuse.org/request/show/254516 13.2+13.1+12.3 / perl-Email-Address+perl-Email-Address.openSUSE_13.2
Comment 11 Swamp Workflow Management 2014-10-28 15:05:08 UTC
openSUSE-SU-2014:1328-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 883225
CVE References: CVE-2014-0477
Sources used:
openSUSE 13.1 (src):    perl-Email-Address-1.899-2.4.1
openSUSE 12.3 (src):    perl-Email-Address-1.892-11.4.1
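
The fixed openSUSE builds listed above carry upstream versions 1.899 and 1.892, below the upstream fix in 1.905, so a scanner that compares only the upstream version will report patched hosts as vulnerable. The following check is an added example, not part of the original bug report or of any SUSE tooling; the function names are hypothetical, and GNU `sort -V` is assumed as an approximation of rpm's version ordering.

```shell
#!/bin/sh
# Fixed builds copied from openSUSE-SU-2014:1328-1 as quoted on this page.
fixed_build() {
    case "$1" in
        13.1) echo "1.899-2.4.1" ;;
        12.3) echo "1.892-11.4.1" ;;
        *)    return 1 ;;   # release not covered by the advisory text
    esac
}

# ver_ge A B: succeeds when A >= B under `sort -V` ordering.
# Assumption: this approximates rpm's comparison; it is adequate for
# the purely numeric version-release strings used here.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify RELEASE VERSION-RELEASE -> prints fixed | vulnerable | unknown
# Compares the installed build against the distribution's fixed build.
classify() {
    want=$(fixed_build "$1") || { echo unknown; return 0; }
    if ver_ge "$2" "$want"; then echo fixed; else echo vulnerable; fi
}

# naive_upstream VERSION-RELEASE -> prints fixed | vulnerable
# Looks only at the upstream version (1.905), ignoring distribution
# backports; shown for contrast with classify.
naive_upstream() {
    if ver_ge "${1%%-*}" "1.905"; then echo fixed; else echo vulnerable; fi
}

# On a host, pass the installed build, for example:
#   classify 13.1 "$(rpm -q --qf '%{VERSION}-%{RELEASE}' perl-Email-Address)"
if [ "$#" -eq 2 ]; then
    classify "$1" "$2"
fi
```

For the patched 13.1 build, `classify` reports `fixed` while `naive_upstream` reports `vulnerable`, which is the false positive that distribution backports cause.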