Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

Pali Rohár pali.rohar at gmail.com
Thu Jul 13 15:51:09 UTC 2017


On Thursday 13 July 2017 17:36:09 Salvatore Bonaccorso wrote:
> (and is e.g. workarounded in request-tracker4)
...
> 1.908 furthermore mitigates the problem (but OTOH then as
> consequence misparses certain realistic comments).

RT4's workaround is basically the same as the one in the last released
Email::Address version. It works around known and public email headers
which cause full CPU load & freeze for more than 10 minutes (after that
time I killed the perl processes as I saw that it did not want to finish...)

The problem is that the workaround broke parsing of comments (which some
clients use for the display name or for the company), plus we do not know
whether there are other inputs which can cause that problem even with the
workaround applied.

The workaround was meant to be just a mitigation for a temporary period...

-- 
Pali Rohár
pali.rohar at gmail.com
