Bug 1593318 (CVE-2018-12558) - CVE-2018-12558 perl-Email-Address: Specially crafted input could cause Denial of Service due to complex parse() method
Summary: CVE-2018-12558 perl-Email-Address: Specially crafted input could cause Denial...
Keywords:
Status: NEW
Alias: CVE-2018-12558
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1593319 1593320 1593321 1601806
Blocks: 1593323
TreeView+ depends on / blocked
 
Reported: 2018-06-20 14:35 UTC by Andrej Nemec
Modified: 2019-09-29 14:42 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github Perl-Email-Project Email-Address issues 19 None None None 2018-06-21 06:45:46 UTC

Description Andrej Nemec 2018-06-20 14:35:18 UTC
The parse() method in the Email::Address module through 1.909 for Perl can consume a large amount of resources on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").

References:

http://seclists.org/oss-sec/2018/q2/211
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873

Comment 1 Andrej Nemec 2018-06-20 14:36:00 UTC
Created perl-Email-Address tracking bugs for this issue:

Affects: epel-6 [bug 1593320]
Affects: fedora-all [bug 1593319]

Comment 4 Tomas Hoger 2018-07-17 10:22:43 UTC
Upstream bug:

https://github.com/Perl-Email-Project/Email-Address/issues/19

Comment 6 Petr Pisar 2019-01-03 10:19:22 UTC
Email-Address-1.910 (1.911 and 1.912 updates a documentation) fixes this vulnerability by extensive use of independent subexpressions ("(?>pattern)" constructs) that prevents from undesired backtracking. An excerpt from the fix:

-my $cfws           = qr/$comment|\s+/;
+my $cfws           = qr/$comment|(?>\s+)/;


The exponential backtracking is the cause of this vulnerability and is indeed fixed:

[test@fedora-30 Email-Address-1.912]$ time perl -Ilib -e 'use Email::Address; Email::Address->parse("\f" x 30)'

real    0m0.017s
user    0m0.010s
sys     0m0.007s


Note You need to log in before you can comment on or make changes to this bug.