Vigil@nce - Perl Email-Address: denial of service via nested comments
November 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send emails containing nested email address
comments, to a program using the Perl Email::Address module, in
order to trigger a denial of service.
– Impacted products: Perl Module (list not comprehensive).
– Severity: 2/4.
– Creation date: 28/09/2015.
DESCRIPTION OF THE VULNERABILITY
The Perl Email::Address module parses email addresses.
Section 3.2.3 of RFC 2822 allows nested comments. For example:
test@example.com (comment 1 (comment 2))
However, when Email::Address->parse() analyzes an email address
containing several nested comments, parsing consumes excessive CPU time.
An attacker can therefore send emails containing nested email
address comments, to a program using the Perl Email::Address
module, in order to trigger a denial of service.
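As an added example (not part of the bulletin and not code from Email::Address), the following Perl guard bounds the comment nesting depth of an address before a program hands it to Email::Address->parse(). The subroutine names, the default limit of 4 and the sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the deepest level of RFC 2822 comment nesting in $addr.
# Parentheses inside a quoted-string ("...") and backslash-escaped
# characters (quoted-pair) neither open nor close a comment.
sub max_comment_depth {
    my ($addr) = @_;
    my ($depth, $max, $in_quote) = (0, 0, 0);
    my @chars = split //, $addr;
    for (my $i = 0; $i < @chars; $i++) {
        my $c = $chars[$i];
        if ($c eq '\\') { $i++; next; }   # quoted-pair: skip the escaped character
        if ($in_quote) {
            $in_quote = 0 if $c eq '"';
            next;
        }
        # A quoted-string only starts outside a comment; inside one, '"' is plain text.
        if ($depth == 0 && $c eq '"') { $in_quote = 1; next; }
        if ($c eq '(') { $depth++; $max = $depth if $depth > $max; }
        elsif ($c eq ')' && $depth > 0) { $depth--; }
    }
    return $max;
}

# Pre-check to run before Email::Address->parse(): refuse input whose
# nesting depth exceeds $limit (assumed default of 4; tune to your traffic).
sub safe_to_parse {
    my ($addr, $limit) = @_;
    $limit = 4 unless defined $limit;
    return max_comment_depth($addr) <= $limit;
}

# Constructed sample inputs.
my @samples = (
    'test@example.com (comment 1 (comment 2))',   # RFC-allowed form from the bulletin: depth 2
    '"a(b" <a.b@example.com>',                    # paren inside a quoted-string: depth 0
    'x@example.com (\( not nested)',              # escaped paren inside a comment: depth 1
    'y@example.com ' . ('(' x 50) . (')' x 50),   # deeply nested: refused by the guard
);
for my $s (@samples) {
    printf "depth=%2d %-6s %s\n", max_comment_depth($s),
        (safe_to_parse($s) ? 'ok' : 'REJECT'), $s;
}
```

Addresses that fail the check can be logged and dropped before the parser ever sees them, which removes the CPU exhaustion path without changing how valid mail is handled.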
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Perl-Email-Address-denial-of-service-via-nested-comments-17988