A possible DoS issue may affect several MIME parsers. Messages with too many tiny nested MIME parts can lead to memory exhaustion on split().

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960064
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960062
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960159
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960158
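One way to bound the cost of such a message before it reaches a MIME parser, as an added example (not code from Email::MIME, ruby-mail or this report): a single-pass check of nesting depth and part count. The names `check_mime_structure`, `MimeLimitExceeded`, `MAX_DEPTH` and `MAX_PARTS` and the limit values are assumptions made for illustration.

```ruby
# Added example: a pre-parse guard, not code from Email::MIME or ruby-mail.
# MAX_DEPTH and MAX_PARTS are assumed limits, not upstream defaults.
MAX_DEPTH = 10
MAX_PARTS = 100

class MimeLimitExceeded < StandardError; end

# One pass over the raw text; bodies are never split or copied recursively.
# Returns { depth:, parts: } or raises MimeLimitExceeded.
def check_mime_structure(raw, max_depth: MAX_DEPTH, max_parts: MAX_PARTS)
  # Every boundary parameter found anywhere in the text, quoted or bare.
  # Matches inside bodies are counted too, which only makes the check stricter.
  declared = raw.scan(/boundary\s*=\s*(?:"([^"]+)"|([^\s;"]+))/i)
                .map { |quoted, bare| quoted || bare }.uniq
  raise MimeLimitExceeded, 'too many boundaries declared' if declared.size > max_parts

  stack = []   # boundaries of the multiparts currently open
  parts = 0
  deepest = 0
  raw.each_line do |line|
    next unless line.start_with?('--')
    token = line.rstrip[2..-1]
    if declared.include?(token)                  # "--b": a new part starts
      idx = stack.rindex(token)
      idx ? stack.slice!(idx + 1, stack.size) : stack.push(token)
      parts += 1
      deepest = [deepest, stack.size].max
      if stack.size > max_depth || parts > max_parts
        raise MimeLimitExceeded, "depth #{stack.size}, parts #{parts}"
      end
    elsif token.end_with?('--') && (idx = stack.rindex(token[0...-2]))
      stack.slice!(idx, stack.size)              # "--b--": multipart closes
    end
  end
  { depth: deepest, parts: parts }
end

# Constructed sample: two levels of nesting, four parts.
SAMPLE = <<~MSG
  Content-Type: multipart/mixed; boundary="outer"

  --outer
  Content-Type: multipart/alternative; boundary=inner

  --inner
  Content-Type: text/plain

  hi
  --inner
  Content-Type: text/html

  <p>hi</p>
  --inner--
  --outer
  Content-Type: text/plain

  attachment
  --outer--
MSG
```

A caller would run the check on the raw message and hand it to the parser only if no `MimeLimitExceeded` is raised.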
Upstream for perl-Email-MIME has a couple of trial releases out with mitigations for this; probably best to wait until a non-trial release that they're happy with is done.
FEDORA-2020-22764f623f has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-39d40d9ae9 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.
I tried to contact ruby-mail upstream but did not get any reply after the initial response; I'm still not sure if upstream is considering it CVE worthy. @Paul, do you know if we have updates specifically for the ruby-mail package (https://github.com/mikel/mail) by any chance? (and not perl-Email-MIME, libemail-mime-perl, libgmime or libemail-mime-contenttype-perl)
@Yadnyawalk, I've no idea about ruby-mail I'm afraid; my interest in this was regarding the perl modules, which I co-maintain.
Acknowledged. Understood. Thanks.
perl-Email-MIME-1.949-1.el8, perl-Email-MIME-ContentType-1.024-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
Closing this NOTABUG since I did not find sufficient data to make any flaw decision. Will re-open if we get any information on this, or Product Security assembler will catch the rubygem-mail issue anyways.