Bugzilla – Bug 948766
VUL-0: CVE-2015-7686: perl-Email-Address: DoS attack through Email-Address perl module related to nested comments
Last modified: 2019-12-30 19:19:56 UTC
via oss-sec:

Standard usage of the Email::Address module is to parse From/To/Cc headers from emails, and it is also standard to use that module without setting the $COMMENT_NEST_LEVEL variable... So, because I was thinking about this standard usage in other applications, I think that one CVE ID could be enough.

Thanks for your additional notes. We have decided to choose the option of a single CVE, although this option is unattractive for some reasons. Use CVE-2015-7686 for the CWE-407 ("Algorithmic Complexity") issue in versions 1.908 and earlier. In other words, we consider 1.908 to be an affected version because there are realistic cases in which COMMENT_NEST_LEVEL must be 2 for usability reasons. There is no CVE ID corresponding to the behavior change between 1.907 and 1.908.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7686
http://seclists.org/oss-sec/2015/q4/22

openSUSE affected (by version). There is no upstream release newer than 1.908, nor a patch just now. Not in SLE.
bugbot adjusting priority
Asked upstream to provide a fix: https://github.com/Perl-Email-Project/Email-Address/issues/11
Got an answer: "I prepared a new module, Email-Address-XS, without regexes, which fixes this problem. See: https://github.com/pali/Email-Address-XS"
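An added illustration, not code from the bug report, Email::Address or Email-Address-XS: comment #1 describes a CWE-407 issue in regex-based handling of nested comments and the upstream answer points to a regex-free parser, so the Python below shows the defender-side shape of such a parser, a single left-to-right pass that strips RFC 5322 comments, tracks depth, and rejects nesting beyond a cap in the spirit of $COMMENT_NEST_LEVEL, keeping cost linear in input length. The sample header values and the function name are constructed for this example.

```python
# Added example: a single-pass comment stripper with a nesting cap, the kind
# of non-backtracking logic a regex-free parser uses. Not Email::Address code.

def strip_comments(value: str, max_nest: int = 2):
    """Return (value_without_comments, ok). One O(n) pass: tracks comment depth
    and quoted strings. ok is False if comments nest deeper than max_nest or
    parentheses are unbalanced; treat that as a reject, not a retry."""
    out = []
    depth = 0          # current "(...)" nesting depth
    in_quote = False   # inside "quoted-string", where ( and ) are literal
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c == '\\' and i + 1 < n:      # quoted-pair: next char is literal
            if depth == 0:
                out.append(value[i:i + 2])
            i += 2
            continue
        if in_quote:
            if c == '"':
                in_quote = False
            out.append(c)
        elif c == '"' and depth == 0:
            in_quote = True
            out.append(c)
        elif c == '(':
            depth += 1
            if depth > max_nest:         # bounded like $COMMENT_NEST_LEVEL
                return ''.join(out), False
        elif c == ')':
            if depth == 0:
                return ''.join(out), False
            depth -= 1
        elif depth == 0:
            out.append(c)
        i += 1
    if depth != 0 or in_quote:
        return ''.join(out), False
    return ''.join(out), True

# Constructed sample header values (not taken from the bug report).
SAMPLES = {
    "plain":   'Alice Example <alice@example.test>',
    "comment": 'Alice (work) <alice@example.test> (via relay)',
    "nested":  'bob@example.test (outer (inner))',
    "quoted":  '"Smith (not a comment)" <smith@example.test>',
    "deep":    'carol@example.test ' + '(' * 10000 + ')' * 10000,
}
```

The "deep" sample is rejected as soon as the cap is exceeded, after a handful of characters, instead of being walked by a backtracking regex.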
Probably a fix: https://github.com/dracos/Email-Address/commit/9066167ba421d59786b16308f3b43e58cce0d488. Waiting for the PR to be accepted and for a package update.
(In reply to Christian Wittmer from comment #4) It is accepted, please submit.
Fixed with use of Mail-Address-XS.