Debian Bug report logs - #960062
libemail-mime-perl: CVE-2024-4140: DoS on excessive or deeply nested parts


Package: libemail-mime-perl; Maintainer for libemail-mime-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libemail-mime-perl is src:libemail-mime-perl (PTS, buildd, popcon).

Reported by: Perl Email user <p5p@yhbt.net>

Date: Fri, 8 May 2020 22:09:01 UTC

Severity: important

Tags: security, upstream

Found in version libemail-mime-perl/1.946-1

Fixed in version libemail-mime-perl/1.954-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/rjbs/Email-MIME/issues/66



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#960062; Package libemail-mime-perl. (Fri, 08 May 2020 22:09:03 GMT)


Acknowledgement sent to Perl Email user <p5p@yhbt.net>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 08 May 2020 22:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Perl Email user <p5p@yhbt.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libemail-mime-perl: DoS on excessive or deeply nested parts
Date: Fri, 08 May 2020 21:58:27 +0000
Package: libemail-mime-perl
Version: 1.946-1
Severity: important
Tags: upstream

Messages with too many tiny MIME parts can OOM on split().

Messages with many nested MIME parts can also fail on deep
recursion (Email::MIME->new calls ->subparts, ->subparts calls
->new, ad infinitum).

Smallish messages can generate these, since a boundary
only needs to be 4 bytes "--a\n" and the header+body of
each part can just be 4 bytes "x:y\n\n", too.

Perl takes 42 bytes to represent a 4 byte string on 64-bit:

	use Devel::Size; say Devel::Size::total_size("--\n\n")

This affects many other MIME parsers, too.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#960062; Package libemail-mime-perl. (Fri, 08 May 2020 22:21:06 GMT)


Acknowledgement sent to Perl Email user <p5p@yhbt.net>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 08 May 2020 22:21:06 GMT)


Message #10 received at 960062@bugs.debian.org:

From: Perl Email user <p5p@yhbt.net>
To: 960062@bugs.debian.org
Subject: Re: Bug#960062: Acknowledgement (libemail-mime-perl: DoS on excessive or deeply nested parts)
Date: Fri, 8 May 2020 22:11:42 +0000
tags 960062 + security
quit

Oops, forgot security tag :x



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 May 2020 06:21:06 GMT)


Set Bug forwarded-to-address to 'https://github.com/rjbs/Email-MIME/issues/66'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 May 2020 07:06:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#960062; Package libemail-mime-perl. (Tue, 28 Nov 2023 10:45:02 GMT)


Acknowledgement sent to Miriam Espana Acebal <miriam.espana@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 28 Nov 2023 10:45:02 GMT)


Message #19 received at 960062@bugs.debian.org:

From: Miriam Espana Acebal <miriam.espana@canonical.com>
To: 960062@bugs.debian.org
Date: Tue, 28 Nov 2023 11:43:27 +0100
Hi,

I'm working on this package on Ubuntu, to promote it from universe to main.
I saw this bug, and it could be a blocker for that process. Reading the
changes files,
the following entry seems to be related (per the comments on
upstream's issue [1] too):

         1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
        - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that many
          parts; current default: 10

Do you know, as maintainers, if this bug is fixed with that?  One of the
reviewers already asked upstream [1] to see if we can get a confirmation
from there.

Any clue is highly appreciated... thanks in advance.

Miriam (mirespace)

[1] https://github.com/rjbs/Email-MIME/issues/66
-- 
Miriam España Acebal
Software Engineer II - Ubuntu PublicCloud/Server
Canonical Ltd.
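The two message shapes from the original report (message #5 above: a flat message built from the 4-byte boundary line "--a" and thousands of tiny "x:y" parts, and a message whose parts nest ever deeper) and the $Email::MIME::MAX_DEPTH limit quoted from the 1.947 changelog suggest what a hardened walker has to do. The following is an added example written for this page, not code from Email::MIME or from anyone in this thread. It enforces a depth cap (MAX_DEPTH, default 10 as in the changelog; depth 0 is the top-level entity) and, as this example's own addition that the page does not describe, a message-wide part budget (MAX_PARTS = 1000, an assumed value), and it counts delimiter lines before splitting so a rejected message never has its parts materialised. All function and exception names are this example's, not the library's API; the sample messages are constructed inline.

```python
"""
Added example (not Email::MIME code): a bounded multipart walker that
refuses over-deep and over-wide MIME messages before allocating per-part
strings.  MAX_DEPTH follows the default quoted from the 1.947 changelog;
MAX_PARTS and every name below are this example's own assumptions.
"""
import re

MAX_DEPTH = 10     # default from the 1.947 changelog entry; depth 0 is the top-level entity
MAX_PARTS = 1000   # assumed budget for parts across the whole message (not from Email::MIME)


class ParseLimitExceeded(Exception):
    """Raised instead of recursing or splitting when a limit would be exceeded."""


_BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)


def split_headers(raw: bytes):
    """Split one entity into (headers, body). Headers end at the first
    blank line; an entity with no headers at all starts with a blank line."""
    if raw.startswith(b"\n"):
        return {}, raw[1:]
    head, _sep, body = raw.partition(b"\n\n")   # no separator -> empty body
    headers = {}
    for line in head.split(b"\n"):
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def count_delimiters(body: bytes, boundary: bytes, limit: int) -> int:
    """Count '--boundary' lines, stopping as soon as `limit` is exceeded.
    This cheap scan runs before any split(), so a message made of
    thousands of 4-byte parts is refused without materialising them."""
    pat = re.compile(rb"(?m)^--" + re.escape(boundary) + rb"[ \t]*\r?$")
    seen = 0
    for _ in pat.finditer(body):
        seen += 1
        if seen > limit:
            break
    return seen


def split_parts(body: bytes, boundary: bytes):
    """Return the part bodies between delimiter lines, dropping preamble,
    epilogue and the newline that RFC 2046 assigns to each delimiter."""
    delim = re.escape(b"--" + boundary)
    close = re.search(rb"(?m)^" + delim + rb"--[ \t]*\r?$", body)
    if close:
        body = body[:close.start()]
    pieces = re.split(rb"(?m)^" + delim + rb"[ \t]*\r?\n", body)
    return [p[:-1] if p.endswith(b"\n") else p for p in pieces[1:]]


def parse(raw: bytes, depth: int = 0, budget=None):
    """Parse an entity into {'content_type', 'parts'}, recursing into
    multipart children. `budget` is shared across the recursion so the
    part count is global to the message, not per nesting level."""
    if depth > MAX_DEPTH:
        raise ParseLimitExceeded(f"nested deeper than MAX_DEPTH={MAX_DEPTH}")
    if budget is None:
        budget = [MAX_PARTS]
    headers, body = split_headers(raw)
    ctype = headers.get(b"content-type", b"")
    node = {"content_type": ctype.split(b";")[0].strip().lower(), "parts": []}
    if not node["content_type"].startswith(b"multipart/"):
        return node
    m = _BOUNDARY_RE.search(ctype.decode("latin-1"))
    if not m:
        return node                      # multipart without a boundary: treat as opaque
    boundary = m.group(1).encode("latin-1")
    n = count_delimiters(body, boundary, budget[0])
    if n > budget[0]:
        raise ParseLimitExceeded(f"more than MAX_PARTS={MAX_PARTS} parts in message")
    budget[0] -= n
    for child in split_parts(body, boundary):
        node["parts"].append(parse(child, depth + 1, budget))
    return node


def count_leaves(node) -> int:
    """Number of non-multipart entities in a parsed tree."""
    return 1 if not node["parts"] else sum(count_leaves(c) for c in node["parts"])


def check(raw: bytes):
    """('ok', leaf_count) for an accepted message, ('rejected', reason) otherwise."""
    try:
        return "ok", count_leaves(parse(raw))
    except ParseLimitExceeded as exc:
        return "rejected", str(exc)


def tiny_parts_message(n: int) -> bytes:
    """Constructed sample input, shape 1 from the report: the boundary line
    '--a' and n parts whose header+body is just 'x:y' plus a blank line."""
    body = b"".join(b"--a\nx:y\n\n" for _ in range(n)) + b"--a--\n"
    return b"Content-Type: multipart/mixed; boundary=a\n\n" + body


def nested_message(levels: int) -> bytes:
    """Constructed sample input, shape 2 from the report: `levels`
    multipart/mixed entities each wrapping the next, ending in one leaf."""
    msg = b"Content-Type: text/plain\n\nleaf\n"
    for i in range(levels):
        b = b"b%d" % i
        msg = (b"Content-Type: multipart/mixed; boundary=" + b + b"\n\n"
               + b"--" + b + b"\n" + msg + b"\n--" + b + b"--\n")
    return msg


if __name__ == "__main__":
    for label, msg in [("1000 tiny parts", tiny_parts_message(MAX_PARTS)),
                       ("1001 tiny parts", tiny_parts_message(MAX_PARTS + 1)),
                       ("10 levels deep", nested_message(MAX_DEPTH)),
                       ("11 levels deep", nested_message(MAX_DEPTH + 1))]:
        print(f"{label:16} {len(msg):6d} bytes -> {check(msg)}")
```

The ordering is the point: the depth check runs before any header parsing of the child, and the delimiter count runs before the body is split, so the work done on a rejected message is one linear scan of its bytes. The budget is a single counter shared across the whole recursion; a per-level limit alone would still let an attacker multiply a modest fan-out by the permitted depth. Both sample messages stay well under 10 KB, which is the report's observation that small inputs are enough to trigger the problem.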

Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Wed, 21 Feb 2024 19:57:06 GMT)


Notification sent to Perl Email user <p5p@yhbt.net>:
Bug acknowledged by developer. (Wed, 21 Feb 2024 19:57:06 GMT)


Message #24 received at 960062-done@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Miriam Espana Acebal <miriam.espana@canonical.com>, 960062-done@bugs.debian.org
Subject: Re: Bug#960062:
Date: Wed, 21 Feb 2024 20:55:24 +0100
Version: 1.949-1

On Tue, 28 Nov 2023 11:43:27 +0100, Miriam Espana Acebal wrote:

> I'm working on this package on Ubuntu, to promote it from universe to main.
> I saw this bug, and it could be a blocker for that process. Reading the
> changes files,
> the following entry seems to be related (per the comments on
> upstream's issue [1] too):
> 
>          1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
>         - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that many
>           parts; current default: 10
> 
> Do you know, as maintainers, if this bug is fixed with that?  One of the
> reviewers already asked upstream [1] to see if we can get a confirmation
> from there.

This has been answered in the upstream ticket now:
https://github.com/msimerson/mail-dmarc/issues/216#issuecomment-1945033737

Hence closing the bug (at the first version after 1.947 which was
uploaded to the Debian archive.)


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Mar 2024 07:26:06 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 07:54:05 GMT)


Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 07:54:06 GMT)


No longer marked as fixed in versions 1.949-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 07:54:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#960062; Package libemail-mime-perl. (Thu, 02 May 2024 07:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 02 May 2024 07:57:04 GMT)


Message #37 received at 960062@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 960062@bugs.debian.org, gregoa@debian.org
Cc: Perl Email user <p5p@yhbt.net>
Subject: Re: Bug#960062 closed by gregor herrmann <gregoa@debian.org> (Re: Bug#960062:)
Date: Thu, 2 May 2024 09:55:35 +0200
Hi 

On Wed, Feb 21, 2024 at 07:57:06PM +0000, Debian Bug Tracking System wrote:
[...]
> Version: 1.949-1
> 
> On Tue, 28 Nov 2023 11:43:27 +0100, Miriam Espana Acebal wrote:
> 
> > I'm working on this package on Ubuntu, to promote it from universe to main.
> > I saw this bug, and it could be a blocker for that process. Reading the
> > changes files,
> > the following entry seems to be related (per the comments on
> > upstream's issue [1] too):
> > 
> >          1.947 2020-05-09 14:30:06-04:00 America/New_York (TRIAL RELEASE)
> >         - add $Email::MIME::MAX_DEPTH and refuse to parse deeper than that many
> >           parts; current default: 10
> > 
> > Do you know, as maintainers, if this bug is fixed with that?  One of the
> > reviewers already asked upstream [1] to see if we can get a confirmation
> > from there.
> 
> This has been answered in the upstream ticket now:
> https://github.com/msimerson/mail-dmarc/issues/216#issuecomment-1945033737
> 
> Hence closing the bug (at the first version after 1.947 which was
> uploaded to the Debian archive.)

As per
https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2024085120
I'm reopening this issue. Let's consider it only as fixed once the
changes provided by rjbs are merged as well? Is that okay for you
Gregor?

Regards,
Salvatore



Changed Bug title to 'libemail-mime-perl: CVE-2024-4140: DoS on excessive or deeply nested parts' from 'libemail-mime-perl: DoS on excessive or deeply nested parts'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 May 2024 20:27:04 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 03 May 2024 12:48:04 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 03 May 2024 19:54:03 GMT)


Notification sent to Perl Email user <p5p@yhbt.net>:
Bug acknowledged by developer. (Fri, 03 May 2024 19:54:03 GMT)


Message #46 received at 960062-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 960062-close@bugs.debian.org
Subject: Bug#960062: fixed in libemail-mime-perl 1.954-1
Date: Fri, 03 May 2024 19:50:25 +0000
Source: libemail-mime-perl
Source-Version: 1.954-1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
libemail-mime-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 960062@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libemail-mime-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 03 May 2024 21:32:44 +0200
Source: libemail-mime-perl
Architecture: source
Version: 1.954-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 960062
Changes:
 libemail-mime-perl (1.954-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 1.954.
     + Fix excessive memory use issue, which can cause denial of service when
       parsing multipart MIME messages (CVE-2024-4140) (Closes: #960062)
   * Declare compliance with Debian policy 4.7.0
Checksums-Sha1: 
 fe428ec568c33f2c6689493aa15655edd7185182 2651 libemail-mime-perl_1.954-1.dsc
 3e23091dca1e3b6b2ccc0aad0a86f0730839755d 125093 libemail-mime-perl_1.954.orig.tar.gz
 cebe0536989faac7d01feb2c42dc0cb80e0049d2 4876 libemail-mime-perl_1.954-1.debian.tar.xz
Checksums-Sha256: 
 5033437816d0b36fa04e44ef949bad00ebdb809d18292cf6e92e0bf181d52cd8 2651 libemail-mime-perl_1.954-1.dsc
 6dd69b01435b645aecc5354d9854a70cb87641eb446a525e7ab241cefa3cc4d3 125093 libemail-mime-perl_1.954.orig.tar.gz
 bef762e35a49a08103dc2593ae3814aef643e16d809cafa85fb6c00b2d9f5e06 4876 libemail-mime-perl_1.954-1.debian.tar.xz
Files: 
 1f3434cf6d3a3aa023dd4085d8eac663 2651 perl optional libemail-mime-perl_1.954-1.dsc
 15c1613ccc156e52750ca23964a23bc5 125093 perl optional libemail-mime-perl_1.954.orig.tar.gz
 6941860fe0c53400f0760aca72be1bcb 4876 perl optional libemail-mime-perl_1.954-1.debian.tar.xz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 08 Jun 2024 07:30:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 13 10:28:21 2025; Machine Name: buxtehude
