Bug 1835353

Summary: rubygem-mail: Out of memory issue through nested MIME parts
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akarol, alexl, bbuckingham, bcourt, bkearney, btotty, caillon+fedoraproject, caolanm, dmetzger, gmccullo, gnome-sig, gtanzill, hhudgeon, jfrey, jhardy, john.j5live, jose.p.oliveira.oss, lzap, mclasen, mmccune, nmoumoul, obarenbo, osoukup, paul, perl-devel, rchan, rhughes, rjerrido, rob.myers, roliveri, rstrode, sandmann, simaishi, smallamp, sokeeffe, tcallawa, vondruch, walter.pete, xavier, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-18 07:22:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1835355, 1835358, 1835362, 1835360, 1835361    
Bug Blocks: 1835356    

Description Pedro Sampaio 2020-05-13 16:53:11 UTC 
A possible DoS issue may affect several MIME parsers. Messages with too many tiny nested MIME parts can lead to memory exhaustion on split().

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960064
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960062
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960159
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960158
Comment 1 Paul Howarth 2020-05-13 17:24:46 UTC 
Upstream for perl-Email-MIME has a couple of trial releases out with mitigations for this; probably best to wait until a non-trial release that they're happy with is done.
Comment 2 Fedora Update System 2020-06-03 01:49:27 UTC 
FEDORA-2020-22764f623f has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 3 Fedora Update System 2020-06-03 02:09:37 UTC 
FEDORA-2020-39d40d9ae9 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 4 Yadnyawalk Tale 2020-06-04 20:43:40 UTC 
I tried to contact ruby-mail upstream but did not got any reply after initial response, I'm still not sure if upstream is considering it CVE worthy.

@Paul, do you know if we have updates specifically for ruby-mail package (https://github.com/mikel/mail) by any chance? (and not perl-Email-MIME, libemail-mime-perl, libgmime or libemail-mime-contenttype-perl)
Comment 5 Paul Howarth 2020-06-05 08:02:56 UTC 
@Yadnyawalk, I've no idea about ruby-mail I'm afraid; my interest in this was regarding the perl modules, which I co-maintain.
Comment 6 Yadnyawalk Tale 2020-06-05 10:30:45 UTC 
Acknowledged. Understood. Thanks.
Comment 7 Fedora Update System 2020-06-11 18:35:56 UTC 
perl-Email-MIME-1.949-1.el8, perl-Email-MIME-ContentType-1.024-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Yadnyawalk Tale 2020-06-18 07:22:32 UTC 
Closing this NOTABUG since did not found sufficient data to make any flaw decision.
Will re-open if we got any information on this or Product Security assembler will catch rubygem-mail issue anyways.