File bnc883225.patch of Package perl-Email-Address.openSUSE_13.1_Update

From: T.M. Abraham <tabraham@suse.com>
Date: 2014-10-07 09:12:59.593190255 -0400
Subject: Denial-of-Service in Email::Address::parse (CVE-2014-0477)
References: bnc#883225 CVE-2014-0477
Upstream: No

Email::Address::parse takes excessive time when parsing an empty quoted string

---
 lib/Email/Address.pm |   14 +++++++++++---
 t/test.t             |   14 ++++++++++++--
 2 files changed, 23 insertions(+), 5 deletions(-)

--- Email-Address-1.899/lib/Email/Address.pm	2013-08-02 10:53:21.000000000 -0400
+++ Email-Address-1.899/lib/Email/Address.pm	2014-10-06 16:06:53.323400156 -0400
@@ -33,7 +33,7 @@
 
 my $qtext          = qr/[^\\"]/;
 my $qcontent       = qr/$qtext|$quoted_pair/;
-my $quoted_string  = qr/$cfws*"$qcontent+"$cfws*/;
+my $quoted_string  = qr/$cfws*"$qcontent*"$cfws*/;
 
 my $word           = qr/$atom|$quoted_string/;
 
@@ -65,7 +65,7 @@
 
 our $addr_spec  = qr/$local_part\@$domain/;
 our $angle_addr = qr/$cfws*<$addr_spec>$cfws*/;
-our $name_addr  = qr/$display_name?$angle_addr/;
+our $name_addr  = qr/(?>$display_name?)$angle_addr/;
 our $mailbox    = qr/(?:$name_addr|$addr_spec)$comment*/;
 
 sub _PHRASE   () { 0 }
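Review bot: Neither regex change in this file carries a comment: the atomic group on `$name_addr` here and the `+` to `*` quantifier on `$quoted_string` in the previous hunk both change what the grammar accepts, not only how fast it runs. With `(?>$display_name?)` the engine no longer retries a shorter display name, so an input that previously matched `$name_addr` only through backtracking will now fall through to the `$addr_spec` alternative in `$mailbox`. With `$qcontent*`, `""` becomes a valid `$quoted_string` and therefore a valid `$word`. I would add a comment above each line, for example `# (?>...) forbids backtracking into $display_name; see CVE-2014-0477` and `# '*' accepts the empty quoted string "" on purpose; see CVE-2014-0477`, so a later cleanup does not revert them as cosmetic.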
@@ -74,6 +74,14 @@
 sub _ORIGINAL () { 3 }
 sub _IN_CACHE () { 4 }
 
+sub __dump {
+  return {
+    phrase    => $_[0][_PHRASE],
+    address   => $_[0][_ADDRESS],
+    comment   => $_[0][_COMMENT],
+    original  => $_[0][_ORIGINAL],
+  }
+}
 
 our (%PARSE_CACHE, %FORMAT_CACHE, %NAME_CACHE);
 my $NOCACHE;
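Review bot: `__dump` is added without a comment and nothing in the visible hunks calls it, so a reader of this security patch cannot tell whether it is part of the fix or a debugging aid that came along. If it is kept, a header such as `# Debugging aid: returns the object's fields as a plain hash ref.` would settle that. Naming the argument with `my ($self) = @_;` and reading `$self->[_PHRASE]` would also be easier to follow than four repetitions of `$_[0][...]`. Callers may exist outside the hunks shown here.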
@@ -114,7 +122,7 @@
       s/$comment//go if @comments;
 
       my ($user, $host, $com);
-      ($user, $host) = ($1, $2) if s/<($local_part)\@($domain)>//o;
+      ($user, $host) = ($1, $2) if s/<($local_part)\@($domain)>\s*\z//o;
       if (! defined($user) || ! defined($host)) {
           s/($local_part)\@($domain)//o;
           ($user, $host) = ($1, $2);
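Review bot: The fallback on the lines after the new anchored substitution is still unanchored, so when `<...>\s*\z` fails it takes the first address-shaped substring left in `$_`. That substring can sit inside a quoted display name, which is the confusion the new `fake`/`real` test is meant to rule out. The anchored pattern fails, presumably, whenever anything other than whitespace follows the angle address after comment removal. The fallback also assigns `$1` and `$2` without checking that its substitution matched, so stale captures from an earlier match can end up in `$user` and `$host`; guarding it as the first form does, `($user, $host) = ($1, $2) if s/($local_part)\@($domain)//o;`, closes that. The enclosing sub starts and ends outside this hunk, so later handling of undefined values is not visible here.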
--- Email-Address-1.899/t/tests.t	2013-08-02 10:53:21.000000000 -0400
+++ Email-Address-1.899/t/test.t	2014-10-06 16:24:20.683328538 -0400
@@ -678,7 +678,7 @@
     '"<advocacy-- ATAT --p.example.org>" <advocacy-- ATAT --p.example.org>',
     [
       [
-        'advocacy',
+        '<advocacy-- ATAT --p.example.org>',
         'advocacy-- ATAT --p.example.org',
         undef
       ]
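Review bot: The file header for this section names `t/tests.t` on the old side and `t/test.t` on the new side, and the diffstat lists `t/test.t`. Depending on how the patch tool resolves that mismatch, this hunk and the next one may fail to apply, or may land in a file the test harness does not run. The changed expectations for the fix would then never be checked during the package build. I would confirm which name exists in Email-Address-1.899 and make both header lines use that path.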
@@ -1618,7 +1618,17 @@
         undef,
       ],
     ],
-  ]
+    [
+      q{"<fake-- ATAT --bogus.biz>" <real-- ATAT --actual.mil>},
+      [
+        [
+          '<fake-- ATAT --bogus.biz>',
+          'real-- ATAT --actual.mil',
+          undef,
+        ],
+      ],
+    ],
+  ]
 );
 
 my $tests = 1;
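Review bot: None of the test changes covers the input class the description names, an empty quoted string. The entry added here checks only which address is selected when the quoted phrase itself looks like an angle address. I would add one more list entry whose input has an empty quoted display name, for example the constructed sample `q{"" <user-- ATAT --example.org>}`, with the expected phrase taken from what the patched parser actually returns. That would show the `$qcontent*` change is reached and that parsing such input returns promptly. The enclosing list starts outside this hunk, so the entry layout should follow the neighbouring entries.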