Skip Menu |

This queue is for tickets about the Email-AddressParser CPAN distribution.

Report information
The Basics
Id: 100448
Status: open
Priority: 0/
Queue: Email-AddressParser

Owner: Nobody in particular
Requestors: jonathan [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Format string vulnerability with MM_LOG usage
Date: Wed, 19 Nov 2014 10:59:40 -0500
To: bug-Email-AddressParser [...]
From: Jonathan Bastien-Filiatrault <jonathan [...]>
Download (untitled) / with headers
text/plain 964b
In rfc822_parse_adrlist: s = isalnum (c) ? "Must use comma to separate addresses: %.80s" : "Unexpected characters at end of address: %.80s"; sprintf (tmp,s,string); MM_LOG (tmp,PARSE); After the sprintf call, tmp contains part of a user-supplied string which may contain printf style formatting instructions. tmp is then passed as a format argument to MM_LOG which is a wrapper around fprintf. Since MM_LOG is never passed additional arguments, it is not useful to treat the string argument as a format string. Redefining MM_LOG like this would close this vulnerability. Original: #define MM_LOG(a,b) fprintf(stderr, a) Modified: #define MM_LOG(a,b) fputs(a, stderr) Thanks for looking into this, Jonathan -- Logo ZEROSPAM Jonathan Bastien-Filiatrault Administrateur de système System Administrator T : 514-527-3232 x 209 F : 514-527-1201 <>
Subject: [ #100448] Unable to build using default debhelper
Date: Mon, 29 Dec 2014 14:32:27 +0000
To: bug-Email-AddressParser [...]
From: Andrew Beverley <andy [...]>
Download (untitled) / with headers
text/plain 256b
Is there any chance of getting this fixed please? It's preventing automatic building with Debian, as debhelper appears to use -Werror=format-security by default, which forces the build to fail with this potential security problem highlighted. Thanks!

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to