perl.pep | Postings from June 2018

CVE-2018-12558: Denial of Service in Email::Address

From: pali
Date: June 20, 2018 11:28
Subject: CVE-2018-12558: Denial of Service in Email::Address
Message ID: 20180620112818.wtftvmu665mmfmsg@pali

Hi! The following trivial input can be used to DoS the Email::Address module
when it is used by a server application to parse From or To email headers:

$ perl -MEmail::Address -E 'Email::Address->parse("\f" x 30)'

Yes, it is just 30 form-fields characters.

Because there was no response from Ricardo, the Email::Address maintainer, I
discussed this problem with the Debian Security Team. As a result, MITRE
assigned the CVE-2018-12558 identifier for it.

I would say that Email::Address is now unmaintained.

And as far as I know, because of those problems the FreeBSD and Debian
distributions started removal of the Email::Address module.
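
The check below is an added example, not part of the original post and not code from Email::Address: it runs the parse of the input quoted in the post inside a child process and reports whether the installed module returns within a time budget. The helper name `run_with_budget` and the 5-second budget are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example: does the installed Email::Address finish parsing the input
# from the post within a time budget? Exit status 0 = ok, 1 = timeout, 2 = error.
use strict;
use warnings;
use POSIX qw(WNOHANG);
use Time::HiRes qw(sleep time);

# Hypothetical helper. Runs $code in a child and returns 'ok', 'error' or
# 'timeout'. A child is used because Perl defers signal handlers until the
# current opcode ends, so alarm() in the same process cannot interrupt a
# single long-running regex match; SIGKILL on a child always works.
sub run_with_budget {
    my ($budget, $code) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        my $rc = eval { $code->(); 1 } ? 0 : 2;   # 2 = died (e.g. module missing)
        POSIX::_exit($rc);
    }
    my $deadline = time + $budget;
    while (time < $deadline) {
        if (waitpid($pid, WNOHANG) == $pid) {
            return $? == 0 ? 'ok' : 'error';
        }
        sleep 0.05;
    }
    kill 'KILL', $pid;      # still parsing: stop the child and reap it
    waitpid($pid, 0);
    return 'timeout';
}

my $input  = "\f" x 30;     # the input given in the post
my $budget = 5;             # seconds; assumed threshold for this example

my $result = run_with_budget($budget, sub {
    require Email::Address;
    Email::Address->parse($input);
});

my %message = (
    ok      => "parse returned within ${budget}s",
    timeout => "parse did not return within ${budget}s; treat this install as affected",
    error   => "parse could not be run (is Email::Address installed?)",
);
print "$message{$result}\n";
exit($result eq 'ok' ? 0 : $result eq 'timeout' ? 1 : 2);
```

The same child-process pattern applies to any service that has to keep parsing untrusted From or To headers with this module, since an in-process timeout would not fire during the match.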


