Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 27 Sep 2015 09:53:59 +0200
From: Pali Rohár <>
Subject: DoS attack through Email-Address perl module v1.907 (CVE id request)


I discovered possible DoS attack in any software which uses 
Email::Address perl module for parsing string input to list of email 

By default Email::Address module, version v1.907 (and all before) try to 
understand nestable comments in input string with deep level 2.

Parsing nestable comments is for specially prepared inputs too slow and 
can cause high CPU load, freezing application and Denial of Service.

Because input string for Email::Address module comes from external 
source (e.g. from email sent by attacker) it is security problem all 
software application which parse email messages by Email::Address perl 
module. For example: RT: Request Tracker, CiderWebmail, ...

In new version v1.908 of Email::Address module, released at Sep 19 was 
set default value of nestable comments to deep level 1. This is not 
proper fix, just workaround for pathological inputs with nestable 
comments. Probably nobody has normal usage for inserting nested comments 
into email address in To:/Cc: headers...

Can you assign CVE id for this problem?

In attachment I'm sending example perl script which uses Email::Address 
module for parsing From header and example input.

On my machine that script runs 5 seconds and it parse just four 
addresses. Imagine that attacker send email with Cc: header with 10 
times more addresses and Email::Address module effectively DoS server 
where is that parser running...

Pali Rohár

View attachment "address-line" of type "text/plain" (324 bytes)

Download attachment "" of type "application/x-perl" (139 bytes)

Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.