Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686
gregor herrmann
gregoa at debian.org
Thu Jan 18 16:54:16 UTC 2018
On Wed, 17 Jan 2018 21:14:58 +0100, Pali Rohár wrote:
> > > > > What
> > > > > about next, do you have some script or any other tool which can create
> > > > > those wishlist bugs for all packages which depend on
> > > > > libemail-address-perl package?
> Done:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887535
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887536
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887537
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887538
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887539
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887542
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887543
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887544
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887545
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887546
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887547
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887548
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887549
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887550
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887551

Dominic has marked these new bugs as blockers for this one (thanks!).

I've now tagged them all (except the dh-make-perl and
license-reconcile ones) as "upstream" [0] as I think, as Salvatore
wrote earlier, that they should be fixed upstream -- so everyone can
benefit from the fix and we don't have to carry a dozen patches (and
maybe have to deal with corner-case issues ourselves).

Thinking about upstream, I had another idea: If Email-Address is
unmaintained on the CPAN, you could take it over (request co-maint)
and then
- change Email::Address to a wrapper around Email::Address::XS;
- or remove the Email-Address distro and move the Email::Address
  module, again changed to a wrapper, into the Email-Address-XS
  distribution;
- or, maybe least controversial, improve Email::Address to load
  Email::Address::XS if it's installed. In that case we could in
  Debian just add a dependency on libemail-address-xs-perl to
  libemail-address-perl.

If this is not viable, I suggest that you file bugs / issues with
patches against these CPAN distributions and try to get them to
switch first.

Cheers,
gregor

[0] Don't know if we need to usertag them as well as suggested by
Salvatore.

--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`- NP: Rolling Stones: You Can't Always Get What You Want - Essen 1