Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Fixes CVE-2018-18898, which is exposed via request-tracker4.
Candidate package deployed and working so far on a production system.
diff -Nru libemail-address-list-perl-0.05/debian/changelog 
libemail-address-list-perl-0.05/debian/changelog
--- libemail-address-list-perl-0.05/debian/changelog    2014-02-16 
23:26:24.000000000 +0000
+++ libemail-address-list-perl-0.05/debian/changelog    2019-02-07 
15:18:41.000000000 +0000
@@ -1,3 +1,9 @@
+libemail-address-list-perl (0.05-1+deb9u1) UNRELEASED; urgency=medium
+
+  * [SECURITY] Fix DoS vulnerability CVE-2018-18898
+
+ -- Dominic Hargreaves <d...@earth.li>  Thu, 07 Feb 2019 15:18:41 +0000
+
 libemail-address-list-perl (0.05-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 
libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch
--- libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 
1970-01-01 01:00:00.000000000 +0100
+++ libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 
2019-02-07 15:16:33.000000000 +0000
@@ -0,0 +1,96 @@
+diff --git a/lib/Email/Address/List.pm b/lib/Email/Address/List.pm
+index ac79577..130811a 100644
+--- a/lib/Email/Address/List.pm
++++ b/lib/Email/Address/List.pm
+@@ -201,36 +201,36 @@ $RE{'text'}           = qr/[^\x0A\x0D]/;
+ $RE{'quoted_pair'}    = qr/\\$RE{'text'}/;
+ 
+ $RE{'atext'}          = qr/[^$RE{'CTL'}$RE{'special'}\s]/;
+-$RE{'ctext'}          = qr/(?>[^()\\]+)/;
++$RE{'ctext'}          = qr/[^()\\]++/;
+ $RE{'qtext'}          = qr/[^\\"]/;
+ $RE{'dtext'}          = qr/[^\[\]\\]/;
+ 
+ ($RE{'ccontent'}, $RE{'comment'}) = (q{})x2;
+ for (1 .. $COMMENT_NEST_LEVEL) {
+   $RE{'ccontent'} = qr/$RE{'ctext'}|$RE{'quoted_pair'}|$RE{'comment'}/;
+-  $RE{'comment'}  = qr/\s*\((?:\s*$RE{'ccontent'})*\s*\)\s*/;
++  $RE{'comment'}  = qr/(?>\s*+\((?:\s*+$RE{'ccontent'})*+\s*+\)\s*+)/;
+ }
+-$RE{'cfws'}           = qr/$RE{'comment'}|\s+/;
++$RE{'cfws'}           = qr/$RE{'comment'}++|\s*+/;
+ 
+ $RE{'qcontent'}       = qr/$RE{'qtext'}|$RE{'quoted_pair'}/;
+-$RE{'quoted-string'}  = qr/$RE{'cfws'}*"$RE{'qcontent'}+"$RE{'cfws'}*/;
++$RE{'quoted-string'}  = qr/$RE{'cfws'}"$RE{'qcontent'}*+"$RE{'cfws'}/;
+ 
+-$RE{'atom'}           = qr/$RE{'cfws'}*$RE{'atext'}++$RE{'cfws'}*/;
++$RE{'atom'}           = qr/$RE{'cfws'}$RE{'atext'}++$RE{'cfws'}/;
+ 
+-$RE{'word'}           = qr/$RE{'cfws'}* (?: $RE{'atom'} | "$RE{'qcontent'}+" 
) $RE{'cfws'}*/x;
++$RE{'word'}           = qr/$RE{'atom'} | $RE{'quoted-string'}/x;
+ $RE{'phrase'}         = qr/$RE{'word'}+/x;
+ $RE{'display-name'}   = $RE{'phrase'};
+ 
+-$RE{'dot_atom_text'}  = qr/$RE{'atext'}+(?:\.$RE{'atext'}+)*/;
+-$RE{'dot_atom'}       = qr/$RE{'cfws'}*$RE{'dot_atom_text'}$RE{'cfws'}*/;
++$RE{'dot_atom_text'}  = qr/$RE{'atext'}++(?:\.$RE{'atext'}++)*/;
++$RE{'dot_atom'}       = qr/$RE{'cfws'}$RE{'dot_atom_text'}$RE{'cfws'}/;
+ $RE{'local-part'}     = qr/$RE{'dot_atom'}|$RE{'quoted-string'}/;
+ 
+ $RE{'dcontent'}       = qr/$RE{'dtext'}|$RE{'quoted_pair'}/;
+-$RE{'domain_literal'} = 
qr/$RE{'cfws'}*\[(?:\s*$RE{'dcontent'})*\s*\]$RE{'cfws'}*/;
++$RE{'domain_literal'} = 
qr/$RE{'cfws'}\[(?:\s*$RE{'dcontent'})*\s*\]$RE{'cfws'}/;
+ $RE{'domain'}         = qr/$RE{'dot_atom'}|$RE{'domain_literal'}/;
+ 
+ $RE{'addr-spec'}      = qr/$RE{'local-part'}\@$RE{'domain'}/;
+-$RE{'angle-addr'}     = qr/$RE{'cfws'}* < $RE{'addr-spec'} > $RE{'cfws'}*/x;
++$RE{'angle-addr'}     = qr/$RE{'cfws'} < $RE{'addr-spec'} > $RE{'cfws'}/x;
+ 
+ $RE{'name-addr'}      = qr/$RE{'display-name'}?$RE{'angle-addr'}/;
+ $RE{'mailbox'}        = 
qr/(?:$RE{'name-addr'}|$RE{'addr-spec'})$RE{'comment'}*/;
+@@ -238,13 +238,13 @@ $RE{'mailbox'}        = 
qr/(?:$RE{'name-addr'}|$RE{'addr-spec'})$RE{'comment'}*/
+ $CRE{'addr-spec'}      = qr/($RE{'local-part'})\@($RE{'domain'})/;
+ $CRE{'mailbox'} = qr/
+     (?:
+-        ($RE{'display-name'})?($RE{'cfws'}*)<$CRE{'addr-spec'}>($RE{'cfws'}*)
++        ($RE{'display-name'})?($RE{'cfws'})<$CRE{'addr-spec'}>($RE{'cfws'})
+         |$CRE{'addr-spec'}
+-    )($RE{'comment'}*)
++    )($RE{'comment'}*+)
+ /x;
+ 
+-$RE{'dword'}            = qr/$RE{'cfws'}* (?: $RE{'atom'} | \. | 
"$RE{'qcontent'}+" ) $RE{'cfws'}*/x;
+-$RE{'obs-phrase'}       = qr/$RE{'word'} $RE{'dword'}*/x;
++$RE{'dword'}            = qr/$RE{'cfws'} (?: $RE{'atom'} | \. | 
"$RE{'qcontent'}++" ) $RE{'cfws'}/x;
++$RE{'obs-phrase'}       = qr/$RE{'word'} $RE{'dword'}*+/x;
+ $RE{'obs-display-name'} = $RE{'obs-phrase'};
+ $RE{'obs-route'}        = qr/
+     (?:$RE{'cfws'}|,)*
+@@ -259,9 +259,9 @@ $CRE{'obs-addr-spec'}   = 
qr/($RE{'obs-local-part'})\@($RE{'obs-domain'})/;
+ $CRE{'obs-mailbox'} = qr/
+     (?:
+         ($RE{'obs-display-name'})?
+-        ($RE{'cfws'}*)< $RE{'obs-route'}? $CRE{'obs-addr-spec'} 
>($RE{'cfws'}*)
++        ($RE{'cfws'})< $RE{'obs-route'}? $CRE{'obs-addr-spec'} >($RE{'cfws'})
+         |$CRE{'obs-addr-spec'}
+-    )($RE{'comment'}*)
++    )($RE{'comment'}*+)
+ /x;
+ 
+ sub parse {
+@@ -331,12 +331,12 @@ sub parse {
+         # if we got here then something unknown on our way
+         # try to recorver
+         if ($in_group) {
+-            if ( $line =~ 
s/^([^;,"\)]*(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^;,"\)]*)*)(?=;|,)//o ) 
{
++            if ( $line =~ 
s/^([^;,"\)]*+(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^;,"\)]*+)*+)(?=;|,)//o
 ) {
+                 push @res, { type => 'unknown', value => $1 } unless 
$args{'skip_unknown'};
+                 next;
+             }
+         } else {
+-            if ( $line =~ 
s/^([^,"\)]*(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^,"\)]*)*)(?=,)//o ) {
++            if ( $line =~ 
s/^([^,"\)]*+(?:(?:$RE{'quoted-string'}|$RE{'comment'})[^,"\)]*+)*+)(?=,)//o ) {
+                 push @res, { type => 'unknown', value => $1 } unless 
$args{'skip_unknown'};
+                 next;
+             }
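Review bot: The new debian/patches/CVE-2018-18898.patch begins directly at its `diff --git` line with no DEP-3 header, so the package carries no record of what the patch fixes or where it was taken from; I would prepend `Description: Fix CVE-2018-18898, catastrophic regex backtracking in Email::Address::List::parse`, `Origin: upstream, <upstream-commit-id>` (the `index ac79577..130811a` line suggests an upstream commit, but that should be confirmed) and `Bug-Debian: <bug-number>`. On the regex side, the change lets `$RE{'cfws'}` match the empty string through its `\s*+` branch and drops the surrounding `*` at every use, yet two non-possessive repeats over it survive unchanged in the same hunk: `$RE{'phrase'} = qr/$RE{'word'}+/x` and `(?:$RE{'cfws'}|,)*` inside `$RE{'obs-route'}`, whose definition runs past the end of the `@@ -238` hunk. Whether those still permit super-linear backtracking cannot be settled from the diff alone, and since the neighbouring `$RE{'dword'}*+` was deliberately made possessive, either a quick check of those two or a one-line comment explaining why they are safe would make the fix easier to trust. The debdiff also carries no regression test for the slow input, so reviewers have only the "working on a production system" statement to rely on.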
diff -Nru libemail-address-list-perl-0.05/debian/patches/series 
libemail-address-list-perl-0.05/debian/patches/series
--- libemail-address-list-perl-0.05/debian/patches/series       1970-01-01 
01:00:00.000000000 +0100
+++ libemail-address-list-perl-0.05/debian/patches/series       2019-02-07 
15:17:54.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-18898.patch
