Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960158; Package libemail-mime-contenttype-perl.
(Sun, 10 May 2020 02:27:03 GMT).
Acknowledgement sent
to perl email user <p5p@yhbt.net>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Sun, 10 May 2020 02:27:03 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libemail-mime-contenttype-perl: denial-of-service via OOM
Date: Sun, 10 May 2020 02:25:42 +0000
Package: libemail-mime-contenttype-perl
Version: 1.022-1
Severity: important
Tags: upstream, security
It's possible to easily craft a message which triggers
out-of-memory error.
Upstream has been notified and working on the issue.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960158; Package libemail-mime-contenttype-perl.
(Sat, 07 Nov 2020 01:06:02 GMT).
Acknowledgement sent
to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Sat, 07 Nov 2020 01:06:02 GMT).
On Sun, 10 May 2020 02:25:42 +0000, perl email user wrote:
> It's possible to easily craft a message which triggers
> out-of-memory error.
>
> Upstream has been notified and working on the issue.
Mhm. Not a lot of information in this bug report :)
Anyway, 1.024-1 has been uploaded. Do you happen to know if this
changes anything?
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`- NP: Carole King: I Feel The Earth Move
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960158; Package libemail-mime-contenttype-perl.
(Sat, 07 Nov 2020 01:33:03 GMT).
Acknowledgement sent
to perl email user <p5p@yhbt.net>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Sat, 07 Nov 2020 01:33:03 GMT).
Subject: Re: Bug#960158: libemail-mime-contenttype-perl: denial-of-service via OOM
Date: Sat, 7 Nov 2020 01:25:37 +0000
gregor herrmann <gregoa@debian.org> wrote:
> On Sun, 10 May 2020 02:25:42 +0000, perl email user wrote:
>
> > It's possible to easily craft a message which triggers
> > out-of-memory error.
> >
> > Upstream has been notified and working on the issue.
>
> Mhm. Not a lot of information in this bug report :)
Sorry, I didn't want to provide info that could be used to
aid attackers.
Upstream and security@debian.org are aware of the problem
but have not yet acted.
If you have access to security@debian.org archives, see
<20201025102450.byceuhbphom4gnkj@pali> for fix + discussion.
> Anyway, 1.024-1 has been uploaded. Do you happen to know if this
> changes anything?
Nope. Fwiw, I'm burned out from life + pandemic and
pali@cpan.org has been trying to work with upstream on this.
Anyways thanks for your response and all you do for Debian!
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#960158; Package libemail-mime-contenttype-perl.
(Sat, 07 Nov 2020 23:03:03 GMT).
Acknowledgement sent
to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Sat, 07 Nov 2020 23:03:03 GMT).
On Sat, 07 Nov 2020 01:25:37 +0000, perl email user wrote:
Thanks for your fast reply!
> > > Upstream has been notified and working on the issue.
> > Mhm. Not a lot of information in this bug report :)
> Sorry, I didn't want to provide info that could be used to
> aid attackers.
Sure, I was only joking.
> Upstream and security@debian.org are aware of the problem
> but have not yet acted.
Ok, then I leave this to the Debian Security team.
> Nope. Fwiw, I'm burned out from life + pandemic and
> pali@cpan.org has been trying to work with upstream on this.
All the best!
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`- NP: Red Hot Chili Peppers: Pea
Subject: Bug#960158: fixed in libemail-mime-contenttype-perl 1.026-1
Date: Tue, 12 Jan 2021 06:18:19 +0000
Source: libemail-mime-contenttype-perl
Source-Version: 1.026-1
Done: Salvatore Bonaccorso <carnil@debian.org>
We believe that the bug you reported is fixed in the latest version of
libemail-mime-contenttype-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 960158@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libemail-mime-contenttype-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 12 Jan 2021 06:54:14 +0100
Source: libemail-mime-contenttype-perl
Architecture: source
Version: 1.026-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 960158
Changes:
 libemail-mime-contenttype-perl (1.026-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 1.026.
     - Don't use more memory than necessary to store parts of an encoded
       parameter (Closes: #960158)
   * Declare compliance with Debian policy 4.5.1
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 11 Feb 2021 07:28:49 GMT).