Bug#921642: stretch-pu: package libemail-address-perl/1.908-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Fixes CVE-2015-7686 and CVE-2018-12558, which are exposed by request-tracker4.
Candidate package deployed and working so far on a production system.
diff -Nru libemail-address-perl-1.908/debian/changelog libemail-address-perl-1.908/debian/changelog
--- libemail-address-perl-1.908/debian/changelog 2015-09-21 16:58:06.000000000 +0100
+++ libemail-address-perl-1.908/debian/changelog 2019-02-07 15:02:13.000000000 +0000
@@ -1,3 +1,10 @@
+libemail-address-perl (1.908-1+deb9u1) stretch; urgency=medium
+
+ * Team upload.
+ * [SECURITY]: Fix DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558
+
+ -- Dominic Hargreaves <dom@earth.li> Thu, 07 Feb 2019 15:02:13 +0000
+
libemail-address-perl (1.908-1) unstable; urgency=medium
* Team upload.
diff -Nru libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch
--- libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch 1970-01-01 01:00:00.000000000 +0100
+++ libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch 2019-02-07 15:01:45.000000000 +0000
@@ -0,0 +1,125 @@
+Subject: Fixes for DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558
+
+These are cherry-picked from 1.912, excluding packaging related changes
+
+diff --git a/lib/Email/Address.pm b/lib/Email/Address.pm
+index d169f6b..5d545e1 100644
+--- a/lib/Email/Address.pm
++++ b/lib/Email/Address.pm
+@@ -36,18 +47,18 @@ my $ctext = qr/(?>[^()\\]+)/;
+ my ($ccontent, $comment) = (q{})x2;
+ for (1 .. $COMMENT_NEST_LEVEL) {
+ $ccontent = qr/$ctext|$quoted_pair|$comment/;
+- $comment = qr/\s*\((?:\s*$ccontent)*\s*\)\s*/;
++ $comment = qr/(?>\s*\((?:\s*$ccontent)*\s*\)\s*)/;
+ }
+-my $cfws = qr/$comment|\s+/;
++my $cfws = qr/$comment|(?>\s+)/;
+
+ my $atext = qq/[^$CTL$special\\s]/;
+-my $atom = qr/$cfws*$atext+$cfws*/;
+-my $dot_atom_text = qr/$atext+(?:\.$atext+)*/;
+-my $dot_atom = qr/$cfws*$dot_atom_text$cfws*/;
++my $atom = qr/(?>$cfws*$atext+$cfws*)/;
++my $dot_atom_text = qr/(?>$atext+(?:\.$atext+)*)/;
++my $dot_atom = qr/(?>$cfws*$dot_atom_text$cfws*)/;
+
+ my $qtext = qr/[^\\"]/;
+ my $qcontent = qr/$qtext|$quoted_pair/;
+-my $quoted_string = qr/$cfws*"$qcontent*"$cfws*/;
++my $quoted_string = qr/(?>$cfws*"$qcontent*"$cfws*)/;
+
+ my $word = qr/$atom|$quoted_string/;
+
+@@ -63,15 +74,15 @@ my $word = qr/$atom|$quoted_string/;
+ # So we disallow the hateful CFWS in this context for now. Of modern mail
+ # agents, only Apple Web Mail 2.0 is known to produce obs-phrase.
+ # -- rjbs, 2006-11-19
+-my $simple_word = qr/$atom|\.|\s*"$qcontent+"\s*/;
+-my $obs_phrase = qr/$simple_word+/;
++my $simple_word = qr/(?>$atom|\.|\s*"$qcontent+"\s*)/;
++my $obs_phrase = qr/(?>$simple_word+)/;
+
+-my $phrase = qr/$obs_phrase|(?:$word+)/;
++my $phrase = qr/$obs_phrase|(?>$word+)/;
+
+ my $local_part = qr/$dot_atom|$quoted_string/;
+ my $dtext = qr/[^\[\]\\]/;
+ my $dcontent = qr/$dtext|$quoted_pair/;
+-my $domain_literal = qr/$cfws*\[(?:\s*$dcontent)*\s*\]$cfws*/;
++my $domain_literal = qr/(?>$cfws*\[(?:\s*$dcontent)*\s*\]$cfws*)/;
+ my $domain = qr/$dot_atom|$domain_literal/;
+
+ my $display_name = $phrase;
+@@ -124,9 +135,9 @@ my $display_name = $phrase;
+ #pod =cut
+
+ our $addr_spec = qr/$local_part\@$domain/;
+-our $angle_addr = qr/$cfws*<$addr_spec>$cfws*/;
++our $angle_addr = qr/(?>$cfws*<$addr_spec>$cfws*)/;
+ our $name_addr = qr/(?>$display_name?)$angle_addr/;
+-our $mailbox = qr/(?:$name_addr|$addr_spec)$comment*/;
++our $mailbox = qr/(?:$name_addr|$addr_spec)(?>$comment*)/;
+
+ sub _PHRASE () { 0 }
+ sub _ADDRESS () { 1 }
+@@ -208,7 +219,13 @@ sub parse {
+ return @cached;
+ }
+
+- my (@mailboxes) = ($line =~ /$mailbox/go);
++ my %mailboxes;
++ my $str = $line;
++ $str =~ s!($name_addr(?>$comment*))!$mailboxes{pos($str)} = $1; ',' x length $1!ego
++ if $str =~ /$angle_addr/;
++ $str =~ s!($addr_spec(?>$comment*))!$mailboxes{pos($str)} = $1; ',' x length $1!ego;
++ my @mailboxes = map { $mailboxes{$_} } sort { $a <=> $b } keys %mailboxes;
++
+ my @addrs;
+ foreach (@mailboxes) {
+ my $original = $_;
+diff --git a/t/order.t b/t/order.t
+new file mode 100644
+index 0000000..e012667
+--- /dev/null
++++ b/t/order.t
+@@ -0,0 +1,13 @@
++use strict;
++use warnings;
++
++use Test::More;
++use Email::Address;
++
++my @emails = ( q{"foo" <foo@example.com>}, q{bar@example.com}, q{"baz" <baz@example.com>}, q{baz@example.com} );
++my @addr = Email::Address->parse( join ', ', @emails );
++
++is( scalar @addr, scalar @emails, "correct number of emails" );
++is_deeply( \@addr, \@emails, 'correct order of emails' );
++
++done_testing;
+diff --git a/t/pathological.t b/t/pathological.t
+new file mode 100644
+index 0000000..a3ed1e6
+--- /dev/null
++++ b/t/pathological.t
+@@ -0,0 +1,20 @@
++use strict;
++use warnings;
++use Test::More;
++use Email::Address;
++use Time::HiRes 'time';
++
++my %cases = (
++ 'CVE-2015-7686' =>
++ q{\(¯¯`·.¥«P®ÎÑç€ØfTh€ÐÅ®K»¥.·`¯¯\) <email@example.com>, "(> \" \" <) ( ='o'= ) (\")___(\") sWeEtAnGeLtHePrInCeSsOfThEsKy" <email2@example.com>, "(i)cRiStIaN(i)" <email3@example.com>, "(S)MaNu_vuOLeAmMazZaReNimOe(*)MiAo(@)" <email4@example.com>},
++ 'CVE-2018-12558' => "\f" x 30,
++);
++
++for my $name ( sort keys %cases ) {
++ my $start = Time::HiRes::time();
++ Email::Address->parse( $cases{$name} );
++ my $time = Time::HiRes::time() - $start;
++ ok( $time < 0.5, "Parsing '$name' takes less than 0.5 second($time)" );
++}
++
++done_testing();
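Review bot: The regression check in the new t/pathological.t asserts on wall-clock time (`Time::HiRes::time()` around `Email::Address->parse(...)`, then `ok( $time < 0.5, ... )`), so a slow or heavily loaded build machine can fail it even when the regexes do not backtrack pathologically. If the test suite runs at package build time, that turns a security regression guard into a possible spurious build failure for this stable update. Measuring the process's own CPU time is less sensitive to load: `my $start = (times)[0];` before the call and `my $time = (times)[0] - $start;` after it, with the threshold unchanged. The loop is shared by the CVE-2015-7686 and CVE-2018-12558 cases, so the one change covers both.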
diff -Nru libemail-address-perl-1.908/debian/patches/series libemail-address-perl-1.908/debian/patches/series
--- libemail-address-perl-1.908/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libemail-address-perl-1.908/debian/patches/series 2019-02-07 15:01:57.000000000 +0000
@@ -0,0 +1 @@
+CVE-2015-7686_CVE-2018-12558.patch