Bug 948766 - (CVE-2015-7686) VUL-0: CVE-2015-7686: perl-Email-Address: DoS attack through Email-Address perl module related to nested comments
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Christian Wittmer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/157283/
Depends on:
Blocks:

Reported: 2015-10-05 08:57 UTC by Andreas Stieger
Modified: 2019-12-30 19:19 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Andreas Stieger 2015-10-05 08:57:04 UTC
via oss-sec:

    Standard usage of Email::Address module is to parse From/To/Cc headers
    from emails. And standard is also to use that module without setting
    $COMMENT_NEST_LEVEL variable... So because I was thinking about this
    standard usage in other applications I think that one CVE ID could be
    enough.


Thanks for your additional notes. We have decided to choose the option
of a single CVE, although this option is unattractive for some
reasons. Use CVE-2015-7686 for the CWE-407 ("Algorithmic Complexity")
issue in versions 1.908 and earlier. In other words, we consider 1.908
to be an affected version because there are realistic cases in which
COMMENT_NEST_LEVEL must be 2 for usability reasons. There is no CVE ID
corresponding to the behavior change between 1.907 and 1.908.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7686
http://seclists.org/oss-sec/2015/q4/22
openSUSE affected (by version). There is no upstream release newer than 1.908, nor a patch just now.

Not in SLE.
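The description above frames the issue as CWE-407 (algorithmic complexity): a regex-based address parser whose cost depends on how deeply `(...)` comments are nested, with `$COMMENT_NEST_LEVEL` as the only knob and a usability reason to keep it at 2. One defensive option that does not depend on the parser at all is a linear-time pre-filter that measures comment nesting and strips comments before the header reaches the regex. The following is an added example written for this page, not code from Email::Address, Email::Address::XS or the linked commit; the depth limit, function names and sample headers are constructed for illustration, and it generalizes slightly by also handling quoted strings, backslash escapes and unterminated comments.

```python
"""Linear-time guard for nested RFC 5322 comments in address headers.

Added example: a pre-filter run *before* a regex-based parser such as
Email::Address sees the header. The depth limit, function names and
sample headers are constructed for illustration, not taken from the module.
"""

DEFAULT_NEST_LIMIT = 2  # constructed default, mirroring the "must be 2" usability case in the bug


def _scan(header: str):
    """One left-to-right pass over `header`.

    Returns (deepest, stripped, balanced):
      deepest  - maximum depth of nested '(' ... ')' comments
      stripped - the header with every top-level comment removed
      balanced - False if a comment or quoted string is left open
    '(' and ')' inside a double-quoted string are ordinary characters, and a
    backslash makes the next character literal (RFC 5322 quoted-pair), so
    neither changes the depth. A stray ')' at depth 0 is kept as text.
    """
    depth = deepest = 0
    in_quote = False
    out = []
    i, n = 0, len(header)
    while i < n:
        ch = header[i]
        if ch == "\\" and i + 1 < n:
            # quoted-pair: consume both characters; keep them unless inside a comment
            if depth == 0:
                out.append(header[i:i + 2])
            i += 2
            continue
        if depth > 0:
            # inside a comment: only parentheses matter, all comment text is dropped
            if ch == "(":
                depth += 1
                deepest = max(deepest, depth)
            elif ch == ")":
                depth -= 1
        elif in_quote:
            out.append(ch)
            if ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            out.append(ch)
        elif ch == "(":
            depth = 1
            deepest = max(deepest, 1)
        else:
            out.append(ch)
        i += 1
    return deepest, "".join(out).strip(), depth == 0 and not in_quote


def max_comment_depth(header: str) -> int:
    """Deepest comment nesting seen in the header, computed in O(len(header))."""
    return _scan(header)[0]


def safe_strip_comments(header: str, limit: int = DEFAULT_NEST_LIMIT):
    """Return the header without comments, or None when it should be rejected.

    Rejects when nesting exceeds `limit` (the DoS-relevant case) or when a
    comment or quoted string is unterminated. Because the comments are gone,
    the remainder can be handed to a regex parser configured with its minimum
    nesting level without losing addresses that carried legitimately nested
    comments.
    """
    deepest, stripped, balanced = _scan(header)
    if deepest > limit or not balanced:
        return None
    return stripped


# Constructed sample headers (not taken from the bug report).
SAMPLE_OK = '"Alice (not a comment)" <alice@example.org> (team (infra))'
SAMPLE_DEEP = "bob@example.org ((((((deep))))))"
SAMPLE_ESCAPED = "carol@example.org (a \\( b)"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DEEP, SAMPLE_ESCAPED):
        print(max_comment_depth(sample), safe_strip_comments(sample))
```

The point of the design is that the cost of the check is bounded by the header length regardless of how the parentheses are arranged, so the expensive parser only ever sees input whose comment structure has already been removed or bounded; `SAMPLE_OK` keeps its quoted display name intact while the two-level comment is stripped, `SAMPLE_DEEP` is rejected at the default limit, and the escaped parenthesis in `SAMPLE_ESCAPED` does not count as nesting.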
Comment 1 Swamp Workflow Management 2015-10-05 22:00:05 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2016-01-08 21:56:12 UTC
asked upstream to provide a fix ...
https://github.com/Perl-Email-Project/Email-Address/issues/11
Comment 3 Christian Wittmer 2016-06-28 16:28:36 UTC
got an answer:

I prepared new module Email-Address-XS without regexes which fixes this problem. See: https://github.com/pali/Email-Address-XS
Comment 4 Christian Wittmer 2016-06-28 16:38:05 UTC
probably a fix:

https://github.com/dracos/Email-Address/commit/9066167ba421d59786b16308f3b43e58cce0d488

waiting for accepted PR and package update
Comment 5 Johannes Segitz 2017-08-10 15:01:52 UTC
(In reply to Christian Wittmer from comment #4)
is accepted, please submit
Comment 6 Christian Wittmer 2019-12-30 19:19:56 UTC
fixed with use of Mail-Address-XS