Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

gregor herrmann gregoa at debian.org
Thu Jan 18 17:16:44 UTC 2018


On Thu, 18 Jan 2018 18:10:38 +0100, Pali Rohár wrote:

> > Thinking about upstream, I had another idea: If Email-Address is
> > unmaintained on the CPAN, you could take it over (request co-maint)
> > and then
> > - change Email::Address to a wrapper around Email::Address::XS;
> > - or remove the Email-Address distro and move the Email::Address
> >   module, again changed to a wrapper, into the Email-Address-XS
> >   distribution;
> > - or, maybe least controversial, improve Email::Address to load
> >   Email::Address::XS if it's installed. In that case we could in
> >   Debian just add a dependency on libemail-address-xs-perl to
> >   libemail-address-perl.
> 
> I had a discussion about Email::Address module and decision was to not
> do such things as Email::Address is pure Perl module and
> Email::Address::XS needs a C compiler. There are a lot of Perl systems where
> C compiler is not available and there only pure Perl modules can be
> installed/loaded.

I totally see this point; that's why I added my third proposal above
and marked it as least controversial ("use ::XS if it is available").
This would fix the issue in Debian, because here we can guarantee it
by a dependency, and it would at least improve the situation for
parts of the rest of the world (the part which has a C compiler).


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Rolling Stones: You Can't Always Get What You Want - Essen 1
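The third proposal above (prefer Email::Address::XS when it is installed, fall back to the pure-Perl Email::Address otherwise) sketched as a small wrapper module. This is an added illustration, not code from either distribution or from the Debian package; the package name Email::Address::Preferred and the sample header are made up for the example, and it relies on both modules offering the same `->parse` / `->address` / `->name` object interface.

```perl
package Email::Address::Preferred;   # hypothetical wrapper name for this example
use strict;
use warnings;

# Pick the backend once at load time: the XS parser if it can be loaded,
# otherwise the pure-Perl module (whose regex-based parser is the one
# affected by CVE-2015-7686). On Debian a Depends on libemail-address-xs-perl
# would make the first branch the guaranteed one.
my $BACKEND = eval { require Email::Address::XS; 1 }
    ? 'Email::Address::XS'
    : do { require Email::Address; 'Email::Address' };

sub backend { return $BACKEND }          # lets callers (and tests) see which one is active

sub parse {
    my ($class, $string) = @_;
    # Both backends expose the Email::Address-style class method parse(),
    # returning a list of address objects.
    return $BACKEND->parse($string);
}

package main;

# Constructed sample header line, not taken from any real message.
my $header = 'Alice Example <alice@example.org>, bob@example.net';

printf "backend in use: %s\n", Email::Address::Preferred->backend;
for my $addr (Email::Address::Preferred->parse($header)) {
    printf "  %-20s name=%s\n", $addr->address, ($addr->name // '');
}
```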