Acknowledgement sent
to Ruby mail user <nightmare@bogomips.org>:
New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.
(Fri, 08 May 2020 22:18:04 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-mail: DoS on excessive or deeply nested parts
Date: Fri, 08 May 2020 22:07:10 +0000
Package: ruby-mail
Severity: important
Tags: upstream, security
Messages with too many tiny MIME parts can OOM on split().
Messages with many nested MIME parts can also OOM (not sure
about recursion).
Upstream is responsive and working on a fix.
Small messages can generate these, since a boundary
only needs to be 4 bytes "--a\n" and the header+body of
each part can just be 4 bytes "x:y\n\n", too.
Ruby needs 40 bytes to represent a 4 byte string on 64-bit:
This affects many other MIME parsers, too.
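
As an added example (not part of the bug report and not code from the mail gem), a guard that can run before the MIME parser: it counts parts and nesting depth in one pass over the raw text and rejects messages over a limit. The names `check_mime_budget` and `MimeBudgetExceeded` and both limit values are assumptions.

```ruby
# Added example: a pre-parse guard, not code from the mail gem.
# MAX_PARTS and MAX_DEPTH are assumed limits; tune them for your traffic.
MAX_PARTS = 1000
MAX_DEPTH = 10
BOUNDARY_RE = /boundary\s*=\s*(?:"([^"]+)"|([^\s;"]+))/i

class MimeBudgetExceeded < StandardError; end

# Scans the raw message line by line, keeping only a stack of open boundaries
# and two counters, so extra memory is bounded by max_depth, not by part count.
def check_mime_budget(raw, max_parts: MAX_PARTS, max_depth: MAX_DEPTH)
  stack = []         # boundaries of the multipart entities currently open
  parts = 0
  deepest = 0
  in_headers = true  # a message begins with its top-level headers
  raw.each_line do |line|
    line = line.rstrip
    idx = stack.rindex { |b| line == "--#{b}" || line == "--#{b}--" }
    if idx
      stack.slice!(idx + 1, stack.size)  # an outer delimiter closes inner entities
      if line == "--#{stack[idx]}--"
        stack.pop                        # close delimiter ends this multipart
        in_headers = false
      else
        parts += 1                       # a new part starts; its headers follow
        raise MimeBudgetExceeded, "more than #{max_parts} parts" if parts > max_parts
        in_headers = true
      end
    elsif in_headers
      if line.empty?
        in_headers = false               # blank line ends the header block
      elsif (m = BOUNDARY_RE.match(line))
        stack.push(m[1] || m[2])         # this entity is itself multipart
        deepest = [deepest, stack.size].max
        raise MimeBudgetExceeded, "nesting deeper than #{max_depth}" if deepest > max_depth
      end
    end
  end
  { parts: parts, depth: deepest }
end

# Constructed sample: two tiny parts in the shape the report describes.
SAMPLE = "Content-Type: multipart/mixed; boundary=a\n\n" \
         "--a\nx:y\n\n--a\nx:y\n\n--a--\n"

if __FILE__ == $PROGRAM_NAME
  p check_mime_budget(SAMPLE)  # run before handing the message to the MIME parser
end
```

Any header line containing `boundary=` is treated as a declaration, so the guard errs toward over-counting depth rather than missing a nested entity.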