Summary
Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation.
Email::Address::parse used significant time on parsing empty quoted strings. A remote attacker able to supply specifically crafted input to an application using Email::Address for parsing, could use this flaw to mount a denial of service attack against the application.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 1.895-1+deb7u1.
For the testing distribution (jessie), this problem has been fixed in version 1.905-1.
For the unstable distribution (sid), this problem has been fixed in version 1.905-1.
We recommend that you upgrade your libemail-address-perl packages.
Insight
Email::Address implements a complete RFC 2822 parser that locates email addresses in strings and returns a list of Email::Address objects found. Alternatively you may construct objects manually. The goal of this software is to be correct, and very very fast.
Affected
libemail-address-perl on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-0477 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
Related Vulnerabilities