[Bug 1268777] New: CVE-2015-7686 perl-Email-Address: denial of service when parsing crafted email address list

bugzilla at redhat.com bugzilla at redhat.com
Mon Oct 5 08:36:45 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1268777

            Bug ID: 1268777
           Summary: CVE-2015-7686 perl-Email-Address: denial of service
                    when parsing crafted email address list
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team at redhat.com
          Reporter: mprpic at redhat.com
                CC: perl-devel at lists.fedoraproject.org,
                    perl-maint-list at redhat.com, rob.myers at gtri.gatech.edu,
                    tcallawa at redhat.com



A flaw in the parsing of email address lists was found in perl-Email-Address:

Algorithmic complexity vulnerability in Address.pm in the Email-Address module
1.908 and earlier for Perl allows remote attackers to cause a denial of service
(CPU consumption) via a crafted string containing a list of e-mail addresses in
conjunction with parenthesis characters that can be associated with nested
comments. NOTE: the default configuration in 1.908 mitigates this vulnerability
but misparses certain realistic comments.

Further information:

http://seclists.org/oss-sec/2015/q3/644
http://seclists.org/oss-sec/2015/q4/22

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the perl-devel mailing list