Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

gregor herrmann gregoa at debian.org
Thu Jan 18 20:43:53 UTC 2018


On Thu, 18 Jan 2018 18:22:13 +0100, Pali Rohár wrote:

> > I totally see this point; that's why I added my third proposal above
> > and marked it as least controversial ("use ::XS if it is available").
> > This would fix the issue in Debian, because here we can guarantee it
> > by a dependency, and it would at least improve the situation for
> > parts of the rest of the world (the part which has a C compiler).
> 
> This does not fix the issue completely. Email::Address module exports
> "vulnerable" regexes, see:
> https://metacpan.org/source/RJBS/Email-Address-1.908/lib/Email/Address.pm#L126
> 
> And these regexes are not provided by the Email::Address::XS module (the XS
> module parses email by its own sequential parser).

Ok, so this sounds a lot like Email::Address::XS is not a drop-in
replacement for Email::Address. Which is another argument why fixing
this in the respective upstream codebase is preferable over
mechanically patching this in Debian.
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: hons: think
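The point above, that Email::Address::XS does not supply the regex package variables Email::Address exports, means that swapping one module for the other by dependency only helps callers that go through parse(); any code that matches against the exported regexes directly keeps using the Email::Address regex engine path. The following audit script is an added example, not code from the thread or from either module: it walks a source tree for fully-qualified references to the four regex variables that the Email::Address documentation lists as package variables ($Email::Address::addr_spec, $angle_addr, $name_addr and $mailbox), so those files can be reviewed before relying on the XS module. The sample tree it creates for its own demo is constructed here; the variable names are taken from the module's POD as the author of this example remembers it, and should be checked against the installed version.

```shell
#!/bin/sh
# Added example (not from the thread or from Email::Address / Email::Address::XS).
# Lists Perl sources that reference the regex package variables exported by
# Email::Address, which Email::Address::XS does not provide.

# Print, one per line and sorted, every *.pm / *.pl / *.t file under $1 that
# uses one of the four documented Email::Address regex variables directly.
# The trailing group stops "$Email::Address::mailbox_foo" from matching.
audit_email_address_regexes() {
  pattern='\$Email::Address::(addr_spec|angle_addr|name_addr|mailbox)([^A-Za-z0-9_]|$)'
  find "$1" -type f \( -name '*.pm' -o -name '*.pl' -o -name '*.t' \) \
    -exec grep -lE "$pattern" {} + 2>/dev/null | sort
}

# Number of files flagged by the audit, as a bare integer.
count_email_address_regex_users() {
  audit_email_address_regexes "$1" | wc -l | tr -d ' '
}

# Constructed sample tree for the demo and test: one file that only calls
# parse() (XS can replace it), two that use the exported regexes directly.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/lib/My" "$dir/t"
  cat > "$dir/lib/My/Parse.pm" <<'EOF'
package My::Parse;
use Email::Address;
sub addrs { Email::Address->parse($_[0]) }
1;
EOF
  cat > "$dir/lib/My/Check.pm" <<'EOF'
package My::Check;
use Email::Address;
sub looks_like_mailbox { $_[0] =~ /\A$Email::Address::mailbox\z/ }
1;
EOF
  cat > "$dir/t/addr.t" <<'EOF'
use Email::Address;
ok("a\@b.example" =~ $Email::Address::addr_spec);
EOF
  printf '%s\n' "$dir"
}

# Demo: run as `sh audit.sh --demo`; in real use call
# audit_email_address_regexes on a checkout instead of the sample tree.
if [ "${1-}" = "--demo" ]; then
  tree=$(make_sample_tree)
  audit_email_address_regexes "$tree"
  echo "files to review before switching to Email::Address::XS: $(count_email_address_regex_users "$tree")"
  rm -rf "$tree"
fi
```

A hit in this list does not mean the file is exploitable on its own; it means the XS dependency does nothing for that code path, and the regex use has to be replaced (for example by parse() or by a call into the XS parser) or the Email::Address regexes themselves have to be fixed upstream, which is the conclusion the thread reaches.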