[MIR] libemail-simple-perl ( libemail-mime-perl dependency as libmail-dmarc-perl dependency)

Review for Source Package: libemail-simple-perl

[Summary]
A Perl module to parse RFC2822 email headers and message format.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libemail-simple-perl
Specific binary packages built, but NOT to be promoted to main: None

Notes:
#0 I'm requesting security review, due to the package parsing random email data.

Required TODOs:
#1 libmailtools-perl looks like a potential duplicate
=> Please differentiate the two or consider if this could be used instead.

Recommended TODOs:
#2 The package should get a team bug subscriber before being promoted
#3 Upstream & Debian/Ubuntu update history is sporadic
=> Maybe we can do a better job of at least packaging new versions in a timely
   manner, once this is in main. There are not too frequent releases upstream.

[Duplication]
$ rmadison -c main -s mantic {libmailtools-perl,libemail-address-perl,libcourriel-perl,libmail-rfc822-address-perl}
 libmailtools-perl | 2.21-2 | mantic | source, all

Problems:
- libmailtools-perl looks like a potential duplicate, could you please differentiate the two or consider if this could be used instead?

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does not parse data formats (emails, headers, RFC2822) from an untrusted source.
- does not process arbitrary web content (can emails be considered as such?)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- Not a Python package
- Not a Go package

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carr...

Incomplete, as I'd like to clarify the potential duplicate. But I'm already moving it towards security review.

> Required TODOs:
> #1 libmailtools-perl looks like a potential duplicate
> => Please differentiate the two or consider if this could be used instead.

That is a good question, they are actually not the same but the same. Let me explain.
There are two mail stacks in perl `libmail` and `libemail`.

libmail*
libmail-authenticationresults-perl - object oriented Authentication-Results headers
libmail-dkim-perl - module to cryptographically identify the sender of email
libmail-sendmail-perl - simple way to send email from a perl script
libmail-spf-perl - Perl implementation of Sender Policy Framework and Sender ID
libmailtools-perl - modules to manipulate email in perl programs
libmail-box-imap4-perl - perl module for handling of IMAP4 folders as client
libmail-box-perl - message-folder management module
libmail-box-pop3-perl - POP3 handler for Mail::Box
libmail-bulkmail-perl - Platform independent mailing list module
libmail-checkuser-perl - Perl module for checking email addresses for validity
libmail-chimp3-perl - interface to mailchimp.com's RESTful Web API v3
libmail-deliverystatus-bounceparser-perl - module for analyzing bounce messages
libmail-dmarc-perl - Perl implementation of DMARC
libmail-field-received-perl - mostly RFC822-compliant parser of Received headers
libmail-gnupg-perl - Perl module for processing email with GPG
libmail-imapclient-perl - Perl library for manipulating IMAP mail stores
libmail-imaptalk-perl - IMAP client interface with lots of features
libmail-listdetector-perl - module for detecting mailing list messages
libmail-mbox-messageparser-perl - Perl module for processing mbox folders
libmail-mboxparser-perl - module providing read-only access to UNIX mailboxes
libmail-message-perl - generic class representing mail messages (perl library)
libmail-milter-perl - Perl extension modules for mail filtering via milter
libmail-pop3client-perl - POP3 client module for perl
libmail-rbl-perl - Perl extension to access RBL-style host verification services
libmail-rfc822-address-perl - Perl extension for validating email addresses
libmail-sendeasy-perl - Perl module to send plain/html e-mails through SMTP servers
libmail-spf-xs-perl - library for validating mail senders with SPF - Perl bindings
libmail-srs-perl - interface to Sender Rewriting Scheme
libmail-thread-perl - library for threading email by In-Reply-To and References
libmail-transport-perl - perl library for sending email
libmail-verify-perl - Utility to verify an email address
libmail-verp-perl - Variable Envelope Return Paths (VERP) address encoder/decoder

libemail*
libemail-address-xs-perl - Perl library for RFC 5322 address/group parsing and formatting
libemail-date-format-perl - Module to generate RFC-2822-valid date strings
libemail-abstract-perl - unified interface to mail representations
libemail-address-list-perl - RFC close address list parsing
libemail-address-perl - Perl module for RFC 2822 address parsing and creation
libemail-date-perl - Perl module for correct formatting of dates in emails
libemail-filter-perl - library for creating easy email filters
libemail-find-perl - module to find RFC 822 email addresses in plain text
libemail-folder-perl - Perl m...

Agreed to be no duplicate in MIR meeting, setting to "new".
it is already in the security queue.

TODO #2: Server Team's subscription to the bug requested on the MP attached to the bug.
TODO #3: I agree.

I reviewed `libemail-simple-perl` `2.218-1` as checked into mantic. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

`libemail-simple-perl` is a Perl module that deals with parsing RFC2822 headers
and message format. The RFC defined the syntax for text-based "electronic mail"
messages. It obsoleted RFC 822 and was obsoleted by RFC 5322.

The package provides a Perl module that exposes an object with two constructors:
- `Email::Simple->new`, which parses a string that represents the email; and
- `Email::Simple->create`, which takes multiple parameters for each
characteristic of the email (for example, `body`).

All members and methods of the object are listed here:
https://metacpan.org/pod/Email::Simple#METHODS.

- CVE History
  - No CVE assigned
  - There is no security issue listed in the `CHANGELOG` or reported in the
GitHub issues (`rjbs/Email-Simple`).
  - In the past, there were algorithmic complexity issues
(`rjbs/Email-Simple#8` and `8b6843d55296783ba28e679a877853dff5a17be6`) that
eventually ended up impacting the availability of the module and the
applications using it. These were fixed rapidly and with minimal changes, so
they imply minimal security concerns.
- Build-Depends
  - The single dependency that the module has is `libemail-date-format-perl`.
It is only called once, for getting an RFC 2822-formatted date string.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - N/A
- cron jobs
  - N/A
- Build logs
  - N/A

- Processes spawned
  - N/A
- Memory management
  - N/A
- File IO
  - The module operates only with parameters (for example, the email to be
parsed), so no files are involved at all in the code of the module.
  - Files are opened only in the tests from the `t/` folder.
- Logging
  - The module uses `croak()` and `carp()` from the `Carp` module to create
warnings or errors. The original filename and line number (pointing to the
implementation of the library) are changed with the details of the caller from
the user script.
- Environment variable usage
  - N/A
- Use of privileged functions
  - N/A
- Use of cryptography / random number sources etc
  - N/A
- Use of temp files
  - N/A
- Use of networking
  - N/A
- Use of WebKit
  - N/A
- Use of PolicyKit
  - N/A

- Any significant cppcheck results
  - N/A
- Any significant Coverity results
  - Coverity doesn't have support for Perl (as per Coverity's SAT-27514 ticket).
- Any significant shellcheck results
  - N/A
- Any significant bandit results
  - N/A
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - N/A

Another aspect that was checked is the Regex processing (matching, splitting,
and substitution). The points at which injections may have been leading to a
Regex-based denial of service (ReDoS) were dynamically tested. They are safe.

The audit also leveraged fuzzing with an instrumented build of the Perl
interpreter, a custom harness, and AFL++. No issue was detected during the
...

This seems ready for promotion

It is and it is also in component mismatches now, updating state

Full stack ready, all dependencies seen in component mismatches, FFE approved, MIR approved, only the top level change pulling this in is in -proposed and ready there other than this mismatch -> promoting.

Override component to main
libemail-simple-perl 2.218-1 in noble: universe/perl -> main
libemail-simple-perl 2.218-1 in noble amd64: universe/perl/optional/100% -> main
libemail-simple-perl 2.218-1 in noble arm64: universe/perl/optional/100% -> main
libemail-simple-perl 2.218-1 in noble armhf: universe/perl/optional/100% -> main
libemail-simple-perl 2.218-1 in noble i386: universe/perl/optional/100% -> main
libemail-simple-perl 2.218-1 in noble ppc64el: universe/perl/optional/100% -> main
libemail-simple-perl 2.218-1 in noble riscv64: universe/perl/optional/100% -> main
libemail-simple-perl 2.218-1 in noble s390x: universe/perl/optional/100% -> main
Override [y|N]? y
8 publications overridden.