Bug #100448 for Email-AddressParser: Format string vulnerability with MM

Wed Nov 19 10:59:52 2014 jonathan [...] zerospam.ca - Ticket created

Subject:	Format string vulnerability with MM_LOG usage
Date:	Wed, 19 Nov 2014 10:59:40 -0500
To:	bug-Email-AddressParser [...] rt.cpan.org
From:	Jonathan Bastien-Filiatrault <jonathan [...] zerospam.ca>

In rfc822_parse_adrlist: s = isalnum (c) ? "Must use comma to separate addresses: %.80s" : "Unexpected characters at end of address: %.80s"; sprintf (tmp,s,string); MM_LOG (tmp,PARSE); After the sprintf call, tmp contains part of a user-supplied string which may contain printf style formatting instructions. tmp is then passed as a format argument to MM_LOG which is a wrapper around fprintf. Since MM_LOG is never passed additional arguments, it is not useful to treat the string argument as a format string. Redefining MM_LOG like this would close this vulnerability. Original: #define MM_LOG(a,b) fprintf(stderr, a) Modified: #define MM_LOG(a,b) fputs(a, stderr) Thanks for looking into this, Jonathan -- Logo ZEROSPAM Jonathan Bastien-Filiatrault Administrateur de système System Administrator T : 514-527-3232 x 209 F : 514-527-1201 jonathan.bastien-filiatrault@zerospam.ca <mailto:jonathan.bastien-filiatrault@zerospam.ca>

Download zp_logo_email.jpg
image/jpeg 6.4k

Mon Dec 29 09:32:36 2014 andy [...] andybev.com - Correspondence added

Subject:	[rt.cpan.org #100448] Unable to build using default debhelper
Date:	Mon, 29 Dec 2014 14:32:27 +0000
To:	bug-Email-AddressParser [...] rt.cpan.org
From:	Andrew Beverley <andy [...] andybev.com>

Is there any chance of getting this fixed please? It's preventing automatic building with Debian, as debhelper appears to use -Werror=format-security by default, which forces the build to fail with this potential security problem highlighted. Thanks!

Mon Dec 29 09:32:36 2014 The RT System itself - Status changed from 'new' to 'open'

Bug #100448 for Email-AddressParser: Format string vulnerability with MM_LOG usage