883225 – (CVE-2014-0477) VUL-0: CVE-2014-0477: perl-Email-Address: Denial-of-Service in Email::Address::parse

Bug 883225 (CVE-2014-0477) - VUL-0: CVE-2014-0477: perl-Email-Address: Denial-of-Service in Email::Address::parse

Summary: VUL-0: CVE-2014-0477: perl-Email-Address: Denial-of-Service in Email::Address...

Status:	RESOLVED FIXED

Alias:	CVE-2014-0477

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other openSUSE 13.1

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Thomas Abraham
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/99721/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-06-18 14:58 UTC by Johannes Segitz
Modified:	2015-02-19 02:16 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2014-06-18 14:58:58 UTC

Via OSS-sec

From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 18 Jun 2014 07:19:15 +0200

Bastian Blank reported a denial of service vulnerability in
Email::Address, a Perl module for RFC 2822 address parsing and
creation[1]. Email::Address::parse uses significant time on parsing
empty quoted string, as allowed by RFC 2822.

==========

Fixed in upstream version 1.905 which contain additional commits to avoid slowdowns.

References:
http://seclists.org/oss-sec/2014/q2/563
https://bugzilla.redhat.com/show_bug.cgi?id=1110723
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0477

Comment 1 Swamp Workflow Management 2014-06-18 22:00:19 UTC

bugbot adjusting priority

Comment 2 James Oakley 2014-06-20 03:19:01 UTC

I haven't touched this package (or Perl) in 7 years. I'm probably not the right person to assign this to.

Comment 3 Johannes Segitz 2014-06-20 12:54:42 UTC

Daniel, you're one of the bugowners, can you please take this one?

Comment 5 Johannes Segitz 2014-06-23 09:12:34 UTC

Next try. Can you please take care of this issue?

Comment 6 Thomas Abraham 2014-10-07 14:09:22 UTC

I know it's late, but I only recently realized that this was assigned to me.

I submitted mr 254516

Comment 7 Benjamin Brunner 2014-10-07 14:20:57 UTC

I changed needinfo to security-team@suse.de, after this is an security-issue.

Thanks Thomas.

Comment 8 Bernhard Wiedemann 2014-10-07 15:00:12 UTC

This is an autogenerated message for OBS integration:
This bug (883225) was mentioned in
https://build.opensuse.org/request/show/254516 13.2+13.1+12.3 / perl-Email-Address+perl-Email-Address.openSUSE_13.2

Comment 11 Swamp Workflow Management 2014-10-28 15:05:08 UTC

openSUSE-SU-2014:1328-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 883225
CVE References: CVE-2014-0477
Sources used:
openSUSE 13.1 (src):    perl-Email-Address-1.899-2.4.1
openSUSE 12.3 (src):    perl-Email-Address-1.892-11.4.1