Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri,  2 Oct 2015 17:43:40 -0400 (EDT)
Subject: Re: DoS attack through Email-Address perl module v1.907 (CVE id request)

Hash: SHA256

> Standard usage of Email::Address module is to parse From/To/Cc headers
> from emails. And standard is also to use that module without setting
> $COMMENT_NEST_LEVEL variable... So because I was thinking about this
> standard usage in other applications I think that one CVE ID could be
> enough.

Thanks for your additional notes. We have decided to choose the option
of a single CVE, although this option is unattractive for some
reasons. Use CVE-2015-7686 for the CWE-407 ("Algorithmic Complexity")
issue in versions 1.908 and earlier. In other words, we consider 1.908
to be an affected version because there are realistic cases in which
COMMENT_NEST_LEVEL must be 2 for usability reasons. There is no CVE ID
corresponding to the behavior change between 1.907 and 1.908.

Looking at the first example from our previous reply: (Jan Smith (MSFT))

has a name field of "Jan Smith" in level 2 but a name field of "jsmit"
in level 1. However, (Jan Smith)

has a name field of "Jan Smith" in both level 2 and level 1. The
documentation for the name instance method says:

  This method tries very hard to determine the name belonging to the
  address. First the "phrase" is checked. If that doesn't work out
  the "comment" is looked into.

The comment field of "(Jan Smith (MSFT))" is a real-life example and
doesn't seem inherently complicated, so we feel that the documented
"tries very hard" behavior is no longer provided if level 1 is used.
As an example, Email::Address->parse might be used only on the "From"
line to support an application that really, really wants to print:

   Dear Jan Smith,
      Thank you for opening a ticket.

instead of

   Dear jsmit,
      Thank you for opening a ticket.

It is, of course, not the CVE project's role to offer advice on
whether to update. In practice, though, if there were a CVE stating
"before 1.908" as the affected versions, then (because 1.908 exists)
many people would update to resolve the CVE. It would fix a
denial-of-service problem for anyone who is actually attacked, but
potentially add a usability problem for a much larger population.

Finally, if anyone is planning to actually fix the CWE-407 issue, note
that the problem might occur only with a list of addresses, as shown
in the address-line attachment in the original CVE request. None of
the four addresses by itself requires much CPU time.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.