Debian Bug report logs - #960064
ruby-mail: DoS on excessive or deeply nested parts

Package: ruby-mail; Maintainer for ruby-mail is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-mail is src:ruby-mail.

Reported by: Ruby mail user <nightmare@bogomips.org>

Date: Fri, 8 May 2020 22:18:02 UTC

Severity: important

Tags: security, upstream




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#960064; Package ruby-mail. (Fri, 08 May 2020 22:18:04 GMT)

Acknowledgement sent to Ruby mail user <nightmare@bogomips.org>:
New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 08 May 2020 22:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ruby mail user <nightmare@bogomips.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-mail: DoS on excessive or deeply nested parts
Date: Fri, 08 May 2020 22:07:10 +0000
Package: ruby-mail
Severity: important
Tags: upstream, security

Messages with too many tiny MIME parts can OOM on split().

Messages with many nested MIME parts can also OOM (not sure
about recursion).

Upstream is responsive and working on a fix.

Small messages can generate these, since a boundary
only needs to be 4 bytes "--a\n" and the header+body of
each part can just be 4 bytes "x:y\n\n", too.

Ruby needs 40 bytes to represent a 4 byte string on 64-bit:

This affects many other MIME parsers, too.
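A defender-side guard for the problem the report describes, as an added example that is not part of the bug report or of the mail gem: a cheap pre-parse pass that bounds the number of MIME parts and the nesting depth of a raw message before it is handed to a full parser. The limits MAX_PARTS and MAX_DEPTH and the sample message are assumed, constructed values.

```ruby
# Added example (not from the bug report or the mail gem): bound part count
# and nesting depth of a raw RFC 2045 entity before full parsing.
# MAX_PARTS and MAX_DEPTH are assumed, illustrative limits.
MAX_PARTS = 100
MAX_DEPTH = 5

BOUNDARY_RE = /boundary=(?:"([^"]+)"|([^;\s]+))/i

# Returns [total_parts, max_depth]. Containers count as parts; the
# top-level entity is depth 1. Recursion stops once MAX_DEPTH is exceeded,
# so a deeply nested message cannot exhaust this guard's own stack.
def mime_stats(raw, depth = 1)
  return [1, depth] if depth > MAX_DEPTH
  header, body = raw.split(/\r?\n\r?\n/, 2)       # headers end at first blank line
  body ||= ""
  m = BOUNDARY_RE.match(header.to_s)
  return [1, depth] unless m                      # leaf part: no boundary parameter
  esc = Regexp.escape(m[1] || m[2])
  body = body.split(/^--#{esc}--/, 2).first || "" # drop closing delimiter and epilogue
  chunks = body.split(/^--#{esc}[ \t]*\r?\n/)     # one chunk per delimiter line
  chunks.shift                                    # text before the first delimiter is preamble
  count, deepest = 1, depth
  chunks.each do |part|
    c, d = mime_stats(part, depth + 1)
    count += c
    deepest = d if d > deepest
  end
  [count, deepest]
end

# nil when the message is cheap enough to parse fully, else a reason to log.
def reject_reason(raw)
  parts, depth = mime_stats(raw)
  return "too many MIME parts (#{parts} > #{MAX_PARTS})" if parts > MAX_PARTS
  return "MIME nesting too deep (#{depth} > #{MAX_DEPTH})" if depth > MAX_DEPTH
  nil
end

# Constructed sample mirroring the minimal shapes in the report:
# a 4-byte delimiter line "--a\n" and 4-byte parts "x:y\n\n".
TINY_PARTS = "Content-Type: multipart/mixed; boundary=a\n\n" +
             "--a\nx:y\n\n" * 150 + "--a--\n"

if __FILE__ == $0
  puts mime_stats(TINY_PARTS).inspect   # [151, 2]
  puts reject_reason(TINY_PARTS)
end
```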





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 13 10:28:22 2025; Machine Name: buxtehude
