Date: Fri, 2 Oct 2015 17:43:40 -0400 (EDT) From: cve-assign@...re.org To: pali.rohar@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: DoS attack through Email-Address perl module v1.907 (CVE id request) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Standard usage of Email::Address module is to parse From/To/Cc headers > from emails. And standard is also to use that module without setting > $COMMENT_NEST_LEVEL variable... So because I was thinking about this > standard usage in other applications I think that one CVE ID could be > enough. Thanks for your additional notes. We have decided to choose the option of a single CVE, although this option is unattractive for some reasons. Use CVE-2015-7686 for the CWE-407 ("Algorithmic Complexity") issue in versions 1.908 and earlier. In other words, we consider 1.908 to be an affected version because there are realistic cases in which COMMENT_NEST_LEVEL must be 2 for usability reasons. There is no CVE ID corresponding to the behavior change between 1.907 and 1.908. Looking at the first example from our previous reply: jsmit@...ine.microsoft.com (Jan Smith (MSFT)) has a name field of "Jan Smith" in level 2 but a name field of "jsmit" in level 1. However, jsmit@...ine.microsoft.com (Jan Smith) has a name field of "Jan Smith" in both level 2 and level 1. The documentation for the name instance method says: This method tries very hard to determine the name belonging to the address. First the "phrase" is checked. If that doesn't work out the "comment" is looked into. The comment field of "(Jan Smith (MSFT))" is a real-life example and doesn't seem inherently complicated, so we feel that the documented "tries very hard" behavior is no longer provided if level 1 is used. As an example, Email::Address->parse might be used only on the "From" line to support an application that really, really wants to print: Dear Jan Smith, Thank you for opening a ticket. instead of Dear jsmit, Thank you for opening a ticket. It is, of course, not the CVE project's role to offer advice on whether to update. In practice, though, if there were a CVE stating "before 1.908" as the affected versions, then (because 1.908 exists) many people would update to resolve the CVE. It would fix a denial-of-service problem for anyone who is actually attacked, but potentially add a usability problem for a much larger population. Finally, if anyone is planning to actually fix the CWE-407 issue, note that the problem might occur only with a list of addresses, as shown in the address-line attachment in the original CVE request. None of the four addresses by itself requires much CPU time. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWDvnQAAoJEL54rhJi8gl5HWkP/jTvpIsmvuIp/asS5pTJOXZD kT5jvSVR76xGWyww4gD85oGzaYgg0mW4JMNmqgRWeK8KeSvhaBo3Q5eKzxL+XjLC Ykjn9Ho9u+cbG6MBkGFeMW0SOYuN0nqIun7gxAPeYwE44fS2wSRFLDYQydgJahS7 Zqk4FCxSt+aPl4dDsxEaMn2LVr3JbzaRSqbihuzsoKLzjJObC0vAaQDSQgYED6F7 essACn02BiQbfwA7aBP1a8gOpV0J30IdmOsomBsBfqxVwma5GqFSfAnlzMYPM9Ys /8qV+CZZrkXz42y58YwqolpS8THUtaIsvV2SttmZSGNXuNS0hWqP2tvquV5apvBv 4Wpu4Jx6ouw/3YYncQ5cm+pBjOmK7qYMUVeDlxREZnSxIPQOQ6Jq9womX6OGdEwL KZV5w3B1U1+82Si6U8Dh0SiJhcumElsg5dvMVAaILDkzA13uEzipci59+oU1G0w2 pdaArJUZ8MvXFPRXGRB2D7GsG3NA0fBT1kttS9jIcsMkaZlHAJDeT9GnhDzWZcIi SBdR2xi38nOEGHh1uGl7LSNmwrtY+mdkW3o1bEIr9/Ar7ji6c385RnzcTsgza2B3 NP4D5OjARqf4Txh7vpUu1OSohDlJpYjeDTvhu+1wMJaO5aaQf8JKS4owC+JQOJL8 TpZM2oVjUrN/Zbgnmgni =EqLL -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.