Package: libemail-address-perl
Version: 1.908-1
Severity: normal
Tags: upstream, security
Dear Maintainer,

the version of libemail-address-perl shipped in Stretch suffers from a DoS vulnerability that is already fixed in upstream release 1.912 (already in Buster/sid). The upstream bug is https://github.com/Perl-Email-Project/Email-Address/issues/19 but we hit this issue in production before discovering that, so it is quite relevant.

Here is a short script that illustrates the problem:

#!/usr/bin/perl
use 5.014;
use warnings;
use Email::Address;
use Time::HiRes qw(gettimeofday tv_interval);

my $num_pairs = 0;
while ($num_pairs++ < 30) {
    # Build a run of n empty comment pairs, "()()()...", and time one parse of it.
    my $candidate  = '()' x $num_pairs;
    my $start_time = [gettimeofday];
    Email::Address->parse($candidate);
    say "$num_pairs pairs: " . tv_interval($start_time);
}

With the version in Stretch, this script will suffer from exponential runtime. Using the upstream version, the increase is linear.

Note: This also affects people using Data::Validate::Email::is_email_rfc822() (this is how we hit it), since this uses the faulty regular expression from Email::Address. There should be no need to update Data::Validate::Email, though.

Regards,
Marc

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libemail-address-perl depends on:
ii  perl  5.24.1-3+deb9u5

libemail-address-perl recommends no packages.

libemail-address-perl suggests no packages.

-- no debconf information
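To show the mechanism behind the exponential growth the report measures, and the linear scan that avoids it, here is an added Python example; it is not part of the bug report and not Email::Address's code, and the regex, the candidate() generator and the strip_comments() scanner are all constructed for illustration:

```python
import re
import time

# Constructed pattern (an illustration, not Email::Address's own regex): empty
# RFC 822 comments matched by a repetition inside a repetition.  Both loops can
# claim the same "()" pairs, so once the match is doomed (a trailing unbalanced
# "(") the engine retries every partition of the pairs, about 2**(n-1) tries.
AMBIGUOUS_COMMENTS = re.compile(r"^(?:(?:\(\))+)+$")

def candidate(num_pairs, unbalanced=True):
    """Same input as the report's script, '()' x n, optionally made unmatchable."""
    return "()" * num_pairs + ("(" if unbalanced else "")

def time_regex(num_pairs):
    """Seconds spent on one candidate; roughly doubles with every extra pair."""
    start = time.perf_counter()
    AMBIGUOUS_COMMENTS.match(candidate(num_pairs))
    return time.perf_counter() - start

def strip_comments(text):
    """One-pass removal of (nested) RFC 822 comments, honouring quoted strings
    and backslash escapes.  Returns (text, steps); steps never exceeds len(text)."""
    out, depth, in_quote, i, steps = [], 0, False, 0, 0
    while i < len(text):
        steps += 1
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):    # quoted pair: take both chars
            if depth == 0:
                out.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"' and depth == 0:              # "(" inside quotes is literal
            in_quote = not in_quote
            out.append(ch)
        elif in_quote:
            out.append(ch)
        elif ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(ch)
        i += 1
    if depth or in_quote:
        raise ValueError("unterminated comment or quoted string")
    return "".join(out), steps

if __name__ == "__main__":
    for n in (8, 12, 16, 18):       # same measurement as the report, in Python
        print(f"{n} pairs: regex {time_regex(n):.4f}s, "
              f"scanner steps {strip_comments(candidate(n, False))[1]}")
```

Running it prints regex times that keep doubling while the scanner's step count stays at 2n, which is the pass/fail criterion worth keeping as a regression check for any parser that accepts RFC 822 comments.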

