Bug 1835353
Summary: | rubygem-mail: Out of memory issue through nested MIME parts | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | akarol, alexl, bbuckingham, bcourt, bkearney, btotty, caillon+fedoraproject, caolanm, dmetzger, gmccullo, gnome-sig, gtanzill, hhudgeon, jfrey, jhardy, john.j5live, jose.p.oliveira.oss, lzap, mclasen, mmccune, nmoumoul, obarenbo, osoukup, paul, perl-devel, rchan, rhughes, rjerrido, rob.myers, roliveri, rstrode, sandmann, simaishi, smallamp, sokeeffe, tcallawa, vondruch, walter.pete, xavier, ytale |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | No Doc Update |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-06-18 07:22:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1835355, 1835358, 1835362, 1835360, 1835361 | | |
Bug Blocks: | 1835356 | | |

Description
Pedro Sampaio
2020-05-13 16:53:11 UTC
Upstream for perl-Email-MIME has a couple of trial releases out with mitigations for this; probably best to wait until a non-trial release that they're happy with is done.

FEDORA-2020-22764f623f has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2020-39d40d9ae9 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.

I tried to contact ruby-mail upstream but did not get any reply after initial response, I'm still not sure if upstream is considering it CVE worthy.

@Paul, do you know if we have updates specifically for ruby-mail package (https://github.com/mikel/mail) by any chance? (and not perl-Email-MIME, libemail-mime-perl, libgmime or libemail-mime-contenttype-perl)

@Yadnyawalk, I've no idea about ruby-mail I'm afraid; my interest in this was regarding the perl modules, which I co-maintain.

Acknowledged. Understood. Thanks.

perl-Email-MIME-1.949-1.el8, perl-Email-MIME-ContentType-1.024-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.

Closing this NOTABUG since we did not find sufficient data to make any flaw decision. Will re-open if we get any information on this or Product Security assembler will catch rubygem-mail issue anyways.