Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Fixes CVE-2018-18898 which is exposed by request-tracker4. Candidate package deployed and working so far on a production system.
diff -Nru libemail-address-list-perl-0.05/debian/changelog libemail-address-list-perl-0.05/debian/changelog
--- libemail-address-list-perl-0.05/debian/changelog 2014-02-16 23:26:24.000000000 +0000
+++ libemail-address-list-perl-0.05/debian/changelog 2019-02-07 15:18:41.000000000 +0000
@@ -1,3 +1,9 @@
+libemail-address-list-perl (0.05-1+deb9u1) UNRELEASED; urgency=medium
+
+ * [SECURITY] Fix DoS vulnerability CVE-2018-18898
+
+ -- Dominic Hargreaves <d...@earth.li> Thu, 07 Feb 2019 15:18:41 +0000
+
 libemail-address-list-perl (0.05-1) unstable; urgency=medium

 * Team upload.
diff -Nru libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch
--- libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 1970-01-01 01:00:00.000000000 +0100
+++ libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 2019-02-07 15:16:33.000000000 +0000
@@ -0,0 +1,96 @@
+diff --git a/lib/Email/Address/List.pm b/lib/Email/Address/List.pm
+index ac79577..130811a 100644
+--- a/lib/Email/Address/List.pm
++++ b/lib/Email/Address/List.pm
+@@ -201,36 +201,36 @@ $RE{'text'} = qr/[^\x0A\x0D]/;
+ $RE{'quoted_pair'} = qr/\\$RE{'text'}/;
+
+ $RE{'atext'} = qr/[^$RE{'CTL'}$RE{'special'}\s]/;
+-$RE{'ctext'} = qr/(?>[^()\\]+)/;
++$RE{'ctext'} = qr/[^()\\]++/;
+ $RE{'qtext'} = qr/[^\\"]/;
+ $RE{'dtext'} = qr/[^\[\]\\]/;
+
+ ($RE{'ccontent'}, $RE{'comment'}) = (q{})x2;
+ for (1 .. $COMMENT_NEST_LEVEL) {
+ $RE{'ccontent'} = qr/$RE{'ctext'}|$RE{'quoted_pair'}|$RE{'comment'}/;
+- $RE{'comment'} = qr/\s*\((?:\s*$RE{'ccontent'})*\s*\)\s*/;
++ $RE{'comment'} = qr/(?>\s*+\((?:\s*+$RE{'ccontent'})*+\s*+\)\s*+)/;
+ }
+-$RE{'cfws'} = qr/$RE{'comment'}|\s+/;
++$RE{'cfws'} = qr/$RE{'comment'}++|\s*+/;
+
+ $RE{'qcontent'} = qr/$RE{'qtext'}|$RE{'quoted_pair'}/;
+-$RE{'quoted-string'} = qr/$RE{'cfws'}*"$RE{'qcontent'}+"$RE{'cfws'}*/;
++$RE{'quoted-string'} = qr/$RE{'cfws'}"$RE{'qcontent'}*+"$RE{'cfws'}/;
+
+-$RE{'atom'} = qr/$RE{'cfws'}*$RE{'atext'}++$RE{'cfws'}*/;
++$RE{'atom'} = qr/$RE{'cfws'}$RE{'atext'}++$RE{'cfws'}/;
+
+-$RE{'word'} = qr/$RE{'cfws'}* (?: $RE{'atom'} | "$RE{'qcontent'}+" ) $RE{'cfws'}*/x;
++$RE{'word'} = qr/$RE{'atom'} | $RE{'quoted-string'}/x;
+ $RE{'phrase'} = qr/$RE{'word'}+/x;
+ $RE{'display-name'} = $RE{'phrase'};
+
+-$RE{'dot_atom_text'} = qr/$RE{'atext'}+(?:\.$RE{'atext'}+)*/;
+-$RE{'dot_atom'} = qr/$RE{'cfws'}*$RE{'dot_atom_text'}$RE{'cfws'}*/;
++$RE{'dot_atom_text'} = qr/$RE{'atext'}++(?:\.$RE{'atext'}++)*/;
++$RE{'dot_atom'} = qr/$RE{'cfws'}$RE{'dot_atom_text'}$RE{'cfws'}/;
+ $RE{'local-part'} = qr/$RE{'dot_atom'}|$RE{'quoted-string'}/;
+
+ $RE{'dcontent'} = qr/$RE{'dtext'}|$RE{'quoted_pair'}/;
+-$RE{'domain_literal'} = qr/$RE{'cfws'}*\[(?:\s*$RE{'dcontent'})*\s*\]$RE{'cfws'}*/;
++$RE{'domain_literal'} = qr/$RE{'cfws'}\[(?:\s*$RE{'dcontent'})*\s*\]$RE{'cfws'}/;
+ $RE{'domain'} = qr/$RE{'dot_atom'}|$RE{'domain_literal'}/;
+
+ $RE{'addr-spec'} = qr/$RE{'local-part'}\@$RE{'domain'}/;
+-$RE{'angle-addr'} = qr/$RE{'cfws'}* < $RE{'addr-spec'} > $RE{'cfws'}*/x;
++$RE{'angle-addr'} = qr/$RE{'cfws'} < $RE{'addr-spec'} > $RE{'cfws'}/x;
+
+ $RE{'name-addr'} = qr/$RE{'display-name'}?$RE{'angle-addr'}/;
+ $RE{'mailbox'} = qr/(?:$RE{'name-addr'}|$RE{'addr-spec'})$RE{'comment'}*/;
+@@ -238,13 +238,13 @@ $RE{'mailbox'} = qr/(?:$RE{'name-addr'}|$RE{'addr-spec'})$RE{'comment'}*/
+ $CRE{'addr-spec'} = qr/($RE{'local-part'})\@($RE{'domain'})/;
+ $CRE{'mailbox'} = qr/
+ (?:
+- ($RE{'display-name'})?($RE{'cfws'}*)<$CRE{'addr-spec'}>($RE{'cfws'}*)
++ ($RE{'display-name'})?($RE{'cfws'})<$CRE{'addr-spec'}>($RE{'cfws'})
+ |$CRE{'addr-spec'}
+- )($RE{'comment'}*)
++ )($RE{'comment'}*+)
+ /x;
+
+-$RE{'dword'} = qr/$RE{'cfws'}* (?: $RE{'atom'} | \. | "$RE{'qcontent'}+" ) $RE{'cfws'}*/x;
+-$RE{'obs-phrase'} = qr/$RE{'word'} $RE{'dword'}*/x;
++$RE{'dword'} = qr/$RE{'cfws'} (?: $RE{'atom'} | \. | "$RE{'qcontent'}++" ) $RE{'cfws'}/x;
++$RE{'obs-phrase'} = qr/$RE{'word'} $RE{'dword'}*+/x;
+ $RE{'obs-display-name'} = $RE{'obs-phrase'};
+ $RE{'obs-route'} = qr/
+ (?:$RE{'cfws'}|,)*
+@@ -259,9 +259,9 @@ $CRE{'obs-addr-spec'} = qr/($RE{'obs-local-part'})\@($RE{'obs-domain'})/;
+ $CRE{'obs-mailbox'} = qr/
+ (?:
+ ($RE{'obs-display-name'})?
+- ($RE{'cfws'}*)< $RE{'obs-route'}? $CRE{'obs-addr-spec'} >($RE{'cfws'}*)
++ ($RE{'cfws'})< $RE{'obs-route'}? $CRE{'obs-addr-spec'} >($RE{'cfws'})
+ |$CRE{'obs-addr-spec'}
+- )($RE{'comment'}*)
++ )($RE{'comment'}*+)
+ /x;
+
+ sub parse {
+@@ -331,12 +331,12 @@ sub parse {
+ # if we got here then something unknown on our way
+ # try to recorver
+ if ($in_group) {
+- if ( $line =~ s/^([^;,"\)]*(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^;,"\)]*)*)(?=;|,)//o ) {
++ if ( $line =~ s/^([^;,"\)]*+(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^;,"\)]*+)*+)(?=;|,)//o ) {
+ push @res, { type => 'unknown', value => $1 } unless $args{'skip_unknown'};
+ next;
+ }
+ } else {
+- if ( $line =~ s/^([^,"\)]*(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^,"\)]*)*)(?=,)//o ) {
++ if ( $line =~ s/^([^,"\)]*+(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^,"\)]*+)*+)(?=,)//o ) {
+ push @res, { type => 'unknown', value => $1 } unless $args{'skip_unknown'};
+ next;
+ }
diff -Nru libemail-address-list-perl-0.05/debian/patches/series libemail-address-list-perl-0.05/debian/patches/series
--- libemail-address-list-perl-0.05/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libemail-address-list-perl-0.05/debian/patches/series 2019-02-07 15:17:54.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-18898.patch
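Review bot: In the first inner hunk of debian/patches/CVE-2018-18898.patch (`@@ -201,36 +201,36 @@`), the new `$RE{'domain_literal'}` drops the `*` after `$RE{'cfws'}` but keeps the backtracking loop `(?:\s*$RE{'dcontent'})*\s*`, while the identically shaped loop in `$RE{'comment'}` was made possessive. `$RE{'dtext'}` is `[^\[\]\\]`, which also matches whitespace, so `\s*` and `$RE{'dcontent'}` can claim the same characters and the pattern keeps the kind of ambiguity this fix removes elsewhere. Unless that was left deliberately, I would tighten it the same way: `$RE{'domain_literal'} = qr/$RE{'cfws'}\[(?:\s*+$RE{'dcontent'})*+\s*+\]$RE{'cfws'}/;`, which appears to accept the same strings because trailing whitespace is still consumed by the final `\s*+`. The debdiff also adds no regression test, so a time-bounded parse test in the package's test suite would help confirm the DoS stays fixed on stretch.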