Hi! The following trivial input can be used to DoS the Email::Address module
when it is used by a server application to parse From or To email headers:

$ perl -MEmail::Address -E 'Email::Address->parse("\f" x 30)'

Yes, it is just 30 form-fields characters.

Because Ricardo, as Email::Address maintainer, did not respond, I
discussed this problem with the Debian Security Team. As a result, MITRE
assigned the CVE-2018-12558 identifier for it.

Now I would say that Email::Address is now unmaintained.

And as far as I know, because of those problems the FreeBSD and Debian
distributions started removal of the Email::Address module.

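For a server that still has to call Email::Address->parse on untrusted From or To headers, one containment option is to run the parse in a child process under a wall-clock deadline. This is an added example, not part of the original message or of Email::Address; the helper name parse_with_deadline, the 2-second limit and the sample inputs are assumptions.

```perl
use strict;
use warnings;
use POSIX ();
use Email::Address;

# Hypothetical helper (not an Email::Address API). The parse runs in a child
# because Perl defers signals until the current op ends, so alarm() inside
# the parsing process cannot interrupt a regex match that is still running.
sub parse_with_deadline {
    my ($header, $timeout) = @_;
    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                       # child: do the risky parse
        close $rd;
        my @addrs = Email::Address->parse($header);
        print {$wr} map { $_->address . "\n" } @addrs;
        close $wr;                         # flushes the pipe
        POSIX::_exit(0);                   # skip parent's END blocks/buffers
    }
    close $wr;
    my @lines;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        @lines = <$rd>;                    # returns at EOF when child exits
        alarm 0;
        1;
    };
    alarm 0;
    kill 'KILL', $pid unless $ok;          # stop a runaway parse
    waitpid($pid, 0);                      # reap the child either way
    close $rd;
    return unless $ok;                     # undef: deadline exceeded
    chomp @lines;
    return \@lines;
}

# Constructed sample inputs: one ordinary header value and the input from
# the report above.
for my $case (['normal', 'Alice <alice@example.org>'],
              ['form feeds', "\f" x 30]) {
    my ($label, $value) = @$case;
    my $r = parse_with_deadline($value, 2);
    printf "%-10s => %s\n", $label,
        $r ? scalar(@$r) . " address(es)" : "rejected: parser exceeded deadline";
}
```

The deadline only bounds the time one header can consume; each slow input still costs a process and up to the full timeout, so rate limiting at the caller is still needed.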