The parse() method in the Email::Address module through 1.909 for Perl can consume a large amount of resources on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-feed characters ("\f").
References:
http://seclists.org/oss-sec/2018/q2/211
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873
Created perl-Email-Address tracking bugs for this issue:
Affects: epel-6 [bug 1593320]
Affects: fedora-all [bug 1593319]
Upstream bug: https://github.com/Perl-Email-Project/Email-Address/issues/19
Email-Address-1.910 (1.911 and 1.912 update documentation) fixes this vulnerability by extensive use of independent subexpressions ("(?>pattern)" constructs) that prevent undesired backtracking. An excerpt from the fix:

-my $cfws = qr/$comment|\s+/;
+my $cfws = qr/$comment|(?>\s+)/;

The exponential backtracking is the cause of this vulnerability and is indeed fixed:

[test@fedora-30 Email-Address-1.912]$ time perl -Ilib -e 'use Email::Address; Email::Address->parse("\f" x 30)'
real 0m0.017s
user 0m0.010s
sys 0m0.007s
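Added illustration, not part of the bug report or of Email::Address itself: a toy backtracking matcher for the sub-pattern `(?:\s+)*Z` (a `$cfws*` repetition followed by a token that is absent from the input), counting engine attempts with the plain `\s+` and with the atomic `(?>\s+)` from the fix. The mini engine and the literal `Z` are assumptions, a model of a naive backtracker rather than Perl's regex engine.

```python
def steps_to_fail(text: str, atomic: bool) -> int:
    """Count attempts a naive backtracking engine makes to match the
    anchored sub-pattern `(?:\s+)*Z` against `text`.

    atomic=False models the old `$cfws = qr/$comment|\s+/`: a run of
    whitespace can be split at every position and retried.
    atomic=True models `(?>\s+)`: the engine commits to the longest
    whitespace run and never gives characters back."""
    n = len(text)
    steps = 0

    def star(pos: int) -> bool:
        nonlocal steps
        steps += 1
        run_end = pos
        while run_end < n and text[run_end].isspace():
            run_end += 1
        if run_end > pos:  # one more greedy iteration of \s+ is possible
            if atomic:
                if star(run_end):
                    return True
            else:
                # longest run first, then give back one char at a time
                for end in range(run_end, pos, -1):
                    if star(end):
                        return True
        # zero further iterations: the literal must sit right here
        return pos < n and text[pos] == "Z"

    star(0)
    return steps


if __name__ == "__main__":
    # Constructed inputs with the same shape as the reported case; with
    # plain \s+ the count doubles per character (2**30 for 30 form feeds),
    # with (?>\s+) it stays at two attempts regardless of length.
    for n in (8, 12, 16):
        bad = "\f" * n
        print(n, steps_to_fail(bad, atomic=False), steps_to_fail(bad, atomic=True))
```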