
pkg-perl-maintainers team mailing list archive

[Bug 2030880] Re: [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)


I reviewed libemail-mime-perl 1.953-1 as checked into noble.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libemail-mime-perl is a Perl module (Email::MIME), an extension of the
Email::Simple module, to handle MIME encoded messages. It takes a message
as a string, splits it up into its constituent parts, and allows one to access
the various parts of the message. Headers are decoded from MIME encoding.

The main use of the module is libmail-dmarc-perl (a dependency for Spamassassin),
specifically, its *reporting* functionality, as implemented in the command-line
tools `dmarc_receive` and `dmarc_send`. 
Although the module is loaded automatically when using libmail-dmarc-perl,
Spamassassin itself does not use the MIME functionality.

- CVE History
  - No reported CVEs
  - Open security issues:
    - https://github.com/rjbs/Email-MIME/issues/66
      (largely fixed - there are potentially still unresolved issues, see below)

- Build-Depends
  - This library is an extension of the `Email::Simple` library (same maintainer),
    which already received a conditional ACK:
    - https://github.com/rjbs/Email-Simple
    - https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491
  - For processing of data it largely depends on the `Email::MIME::ContentType`,
    `Email::MessageID` and `Email::MIME::Encodings` libraries (mostly same maintainer)
    which are also undergoing an MIR review but were not assigned a security review:
    - https://github.com/rjbs/Email-MIME-ContentType
    - https://github.com/rjbs/Email-MIME-Encodings
    - https://github.com/rjbs/Email-MessageID
    - https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962
    - https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487
    - https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956
    - https://metacpan.org/pod/Text::Unidecode
    - https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109
  - The processing of data in libemail-mime-perl to a large extent relies on the external
    dependencies above, which are not in scope of this review. Despite this, the parsing and
    validation of MIME attributes was briefly reviewed in libemail-mime-contenttype-perl.
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - All unit tests pass locally
- cron jobs
  - none
- Build logs
  - none

- Processes spawned
  - none
- Memory management
  - none
- File IO
  - none
- Logging
  - none
- Environment variable usage
  - none
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
- Use of networking
  - The library is used as an extension to Email::Simple to create and parse email
    MIME parts, thus its main function is the processing of potentially unsafe
    data from untrusted external sources - email.
  - The main use of the library is `libmail-dmarc-perl` (a dependency for Spamassassin),
    specifically, its *reporting* functionality as implemented in the command-line
    tools `dmarc_receive` and `dmarc_send`. Thus the threat model is *limited* to
    the use of these tools and the interaction of the tools with malicious emails.
  - MIME attributes are parsed in the external module `Email::MIME::ContentType`.
    Basic regex validation of the attributes is performed.
  - Parsing of MIME parts is prone to DoS via memory exhaustion as demonstrated in
    https://github.com/rjbs/Email-MIME/issues/66
    The issue with respect to nested parts has been fixed since v1.953, however,
    the exhaustion from parsing many small parts is still present. See below
    for proof of concept.
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none

The threat model includes the processing of external untrusted emails
containing malicious MIME contents, which could subvert program flow and
lead to denial of service or possibly remote-code execution.

Because the only current use of the module is libmail-dmarc-perl, the
threat model is limited to its command-line tools `dmarc_receive` and
`dmarc_send`, specifically the former, which processes external DMARC
report emails with potentially malicious MIME contents.

The previously reported flaw related to exhaustion of memory when 
parsing many and nested MIME parts was reanalysed and was confirmed
to not be fully fixed:
https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2024085120

The general concern regarding promotion to main is that upstream might not be
responsive for support in patching security vulnerabilities. The updates to the
code have been relatively infrequent (https://metacpan.org/dist/Email-MIME/changes),
there are 13 open issues dating back to 2014, including a presumed-fixed security issue
(https://github.com/rjbs/Email-MIME/issues/66), and there is no security.md
document.

With that said, the threat model is limited and promotion to main does not pose
a significant risk. Security team conditionally ACK for promoting libemail-mime-perl to main,
under the same conditions as libemail-simple. The owning team (namely, the
Ubuntu Server Team) needs to commit to the development and testing of security
patches for all Ubuntu releases if we lack upstream support. In addition, the same team
should ask for demoting the package if a more suitable package can be used as
an alternative for libemail-mime-perl.

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libemail-mime-perl in Ubuntu.
https://bugs.launchpad.net/bugs/2030880

Title:
  [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880/+subscriptions
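The review above describes the remaining concern in issue 66 as memory exhaustion when Email::MIME parses a message made of many small parts, and notes that the only consumer in main is `dmarc_receive`, which takes such messages from the outside. The following script is an added example, not code from the review, from Email::MIME or from libmail-dmarc-perl. It builds a flat multipart/mixed message with a configurable number of tiny parts (constructed test input), parses it with `Email::MIME->new` while recording wall time and peak RSS, and shows the kind of cheap pre-parse guard a consumer could apply: counting top-level boundary delimiter lines in the raw text and refusing to parse above a limit. The part count, the 2000-part limit and the `/proc/self/status` (Linux-only) RSS read are assumptions chosen for illustration; only the public Email::MIME, Email::Simple and Email::MIME::ContentType calls are the libraries' own.

```perl
#!/usr/bin/perl
# Added example (not from the MIR review, Email::MIME or libmail-dmarc-perl).
# Builds a message with many tiny MIME parts, parses it with Email::MIME while
# measuring time and peak RSS, and demonstrates a pre-parse part-count guard.
# Assumptions: the 2000-part limit is an arbitrary policy value, and peak RSS
# is read from /proc/self/status, which only exists on Linux.
use strict;
use warnings;
use Email::MIME;
use Email::Simple;
use Email::MIME::ContentType qw(parse_content_type);
use Time::HiRes qw(time);

# Construct a multipart/mixed message with $n tiny text/plain parts.
# This is synthetic test input, not a real DMARC report.
sub build_many_parts {
    my ($n) = @_;
    my @parts = map {
        Email::MIME->create(
            attributes => { content_type => 'text/plain', charset => 'us-ascii' },
            body       => "part $_\n",
        )
    } 1 .. $n;
    # Passing 'parts' makes Email::MIME emit multipart/mixed with a boundary.
    return Email::MIME->create(
        header_str => [
            From    => 'sender@example.test',
            To      => 'dmarc@example.test',
            Subject => 'Report Domain: example.test',
        ],
        parts => \@parts,
    )->as_string;
}

# Peak resident set size in kB (VmHWM), or -1 if /proc is unavailable.
sub peak_rss_kb {
    open my $fh, '<', '/proc/self/status' or return -1;
    while (my $line = <$fh>) {
        return $1 if $line =~ /^VmHWM:\s+(\d+)\s+kB/;
    }
    return -1;
}

# Guard: count top-level boundary delimiter lines ("--boundary") in the raw
# message before handing it to Email::MIME. One regex pass over the text, so
# it is far cheaper than building one object per part. It only sees the
# outermost boundary; nested multiparts would need a recursive variant.
sub top_level_part_count {
    my ($raw) = @_;
    my $ct       = Email::Simple->new($raw)->header('Content-Type') // '';
    my $parsed   = parse_content_type($ct);
    my $boundary = $parsed->{attributes}{boundary};
    return 0 unless defined $boundary && length $boundary;
    # The closing delimiter "--boundary--" does not match because of the
    # trailing "--", so only opening delimiters (one per part) are counted.
    my $count = () = $raw =~ /^--\Q$boundary\E[ \t]*\r?$/mg;
    return $count;
}

my $n         = $ARGV[0] // 1000;   # number of parts to generate
my $max_parts = 2000;               # assumed policy limit; tune per deployment
my $raw       = build_many_parts($n);
my $found     = top_level_part_count($raw);

printf "message: %d bytes, %d top-level parts seen by the guard\n",
    length($raw), $found;

if ($found > $max_parts) {
    print "rejected before parsing: $found parts exceeds limit of $max_parts\n";
    exit 0;
}

my $t0   = time;
my $mime = Email::MIME->new($raw);
my @subs = $mime->subparts;
printf "Email::MIME parsed %d subparts in %.3fs, peak RSS %d kB\n",
    scalar @subs, time - $t0, peak_rss_kb();
```

Run it with increasing part counts (for example `perl many_parts.pl 1000`, then `5000`) and compare the reported peak RSS to see how allocation scales with the number of parts; raising the argument above `$max_parts` exercises the rejection path instead. The guard is a mitigation on the consuming side and does not change the parser's own behaviour, which is what issue 66 is about.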