The parse() method in the Email::Address module through 1.909 for Perl can consume a large amount of resources on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
Created perl-Email-Address tracking bugs for this issue:
Affects: epel-6 [bug 1593320]
Affects: fedora-all [bug 1593319]
Email-Address-1.910 (1.911 and 1.912 update the documentation) fixes this vulnerability by extensive use of independent subexpressions ("(?>pattern)" constructs) that prevents undesired backtracking. An excerpt from the fix:
-my $cfws = qr/$comment|\s+/;
+my $cfws = qr/$comment|(?>\s+)/;
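Review bot: On the `+my $cfws` line only the `\s+` branch is wrapped in `(?>...)`; the `$comment` branch is interpolated unchanged, and its definition is not part of this excerpt, so it is worth confirming that `$comment` cannot itself match the same whitespace run in more than one way. A regression test that parses `"\f" x 30` under a time limit would keep this from reappearing if `$cfws` or `$comment` is edited later.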
The exponential backtracking is the cause of this vulnerability and is indeed fixed:
[test@fedora-30 Email-Address-1.912]$ time perl -Ilib -e 'use Email::Address; Email::Address->parse("\f" x 30)'
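The timing check above can be turned into a pass/fail regression check. The script below is an added example, not part of the original report or of the Email::Address distribution; the 5-second budget and the helper name `parse_finishes_in_time` are assumptions. It runs the parse in a child process because an in-process `alarm` cannot interrupt a running regex match.

```perl
#!/usr/bin/perl
# Added example: checks that the installed Email::Address parses the input
# from this report within a time budget.
use strict;
use warnings;
use POSIX ();
use Email::Address;

my $TIMEOUT = 5;            # seconds; assumed budget, not taken from the report
my $input   = "\f" x 30;    # the input quoted in this report

# Perl defers signal handlers until the current opcode completes, and a regex
# match is a single opcode, so the parse runs in a child that the parent can
# kill from outside when the budget is exceeded.
sub parse_finishes_in_time {
    my ($str, $timeout) = @_;

    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        Email::Address->parse($str);
        POSIX::_exit(0);    # skip END blocks and destructors in the child
    }

    my $done = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        waitpid($pid, 0);   # interrupted by SIGALRM if the child is stuck
        alarm 0;
        1;
    };
    return 1 if $done;

    die $@ unless $@ eq "timeout\n";    # re-raise anything unexpected
    kill 'KILL', $pid;
    waitpid($pid, 0);                   # reap the killed child
    return 0;
}

printf "Email::Address %s: ", Email::Address->VERSION;
if (parse_finishes_in_time($input, $TIMEOUT)) {
    print "parse returned within ${TIMEOUT}s\n";
} else {
    print "parse exceeded ${TIMEOUT}s\n";
    exit 1;
}
```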