Ubuntu
libemail-simple-perl package

Bug #2031491
Comment #6

Comment 6 for bug 2031491

Revision history for this message

George-Andrei Iosif (iosifache) wrote on 2024-01-25:

I reviewed `libemail-simple-perl` `2.218-1` as checked into mantic. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

`libemail-simple-perl` is a Perl module that deals with parsing RFC2822 headers
and message format. The RFC defined the syntax for text-based "electronic mail"
messages. It obsoleted RFC 822 and was obsoleted by RFC 5322.

The package provides a Perl module that exposes an object with two constructors:
- `Email::Simple->new`, which parses a string that represents the email; and
- `Email::Simple->create`, which takes multiple parameters for each
characteristic of the email (for example, `body`).

All members and methods of the object are listed here:
https://metacpan.org/pod/Email::Simple#METHODS.

- CVE History
  - No CVE assigned
  - There is no security issue listed in the `CHANGELOG` or reported in the
GitHub issues (`rjbs/Email-Simple`).
  - In the past, there were algorithmic complexity issues
(`rjbs/Email-Simple#8` and `8b6843d55296783ba28e679a877853dff5a17be6`) that
eventually ended up impacting the availability of the module and the
applications using it. These were fixed rapidly and with minimal changes, so
they imply minimal security concerns.
- Build-Depends
  - The single dependency that the module has is `libemail-date-format-perl`.
It is only called once, for getting an RFC 2822-formatted date string.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - N/A
- cron jobs
  - N/A
- Build logs
  - N/A

- Processes spawned
  - N/A
- Memory management
  - N/A
- File IO
  - The module operates only with parameters (for example, the email to be
parsed), so no files are involved at all in the code of the module.
  - Files are opened only in the tests from the `t/` folder.
- Logging
  - The module uses `croak()` and `carp()` from the `Carp` module to create
warnings or errors. The original filename and line number (pointing to the
implementation of the library) are changed with the details of the caller from
the user script.
- Environment variable usage
  - N/A
- Use of privileged functions
  - N/A
- Use of cryptography / random number sources etc
  - N/A
- Use of temp files
  - N/A
- Use of networking
  - N/A
- Use of WebKit
  - N/A
- Use of PolicyKit
  - N/A

- Any significant cppcheck results
  - N/A
- Any significant Coverity results
  - Coverity doesn't have support for Perl (as per Coverity's SAT-27514 ticket).
- Any significant shellcheck results
  - N/A
- Any significant bandit results
  - N/A
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - N/A

Another aspect that was checked is the Regex processing (matching, splitting,
and substitution). The points at which injections may have been leading to a
Regex-based denial of service (ReDoS) were dynamically tested. They are safe.

The audit also leveraged fuzzing with an instrumented build of the Perl
interpreter, a custom harness, and AFL++. No issue was detected during the
fuzzing session.

The repository has a few commits and issues. Since 2018, those have been fewer
and fewer (https://github.com/rjbs/Email-Simple/blob/main/Changes), and the
issues starting from that year are still unresolved
(https://github.com/rjbs/Email-Simple/issues?q=is%3Aopen+is%3Aissue). Combining
this information with the lack of a security policy, private reporting, README,
licence, and contact information, it is unclear how well the repository is
maintained and if the maintainer can promptly respond to future security issues
in the package.

Despite the codebase doesn't raise immediate security concerns that may block
the MIR process, the Security team proposes a conditional ACK for promoting
`libemail-simple-perl` into main. The owning team (namely, the Ubuntu Server
Team) needs to commit to the development and testing of security patches for
all Ubuntu releases if we lack upstream support. In addition, the same team
should ask for demoting the package if a more suitable package can be used as
an alternative for `libemail-simple-perl`.

Thanks!

I reviewed `libemail-simple-perl` `2.218-1` as checked into mantic. This 
shouldn't be considered a full audit but rather a quick gauge of 
maintainability.

`libemail-simple-perl` is a Perl module that deals with parsing RFC2822 headers 
and message format. The RFC defined the syntax for text-based "electronic mail" 
messages. It obsoleted RFC 822 and was obsoleted by RFC 5322.

The package provides a Perl module that exposes an object with two constructors:
- `Email::Simple->new`, which parses a string that represents the email; and
- `Email::Simple->create`, which takes multiple parameters for each 
characteristic of the email (for example, `body`).

All members and methods of the object are listed here: 
https://metacpan.org/pod/Email::Simple#METHODS.

- CVE History
  - No CVE assigned
  - There is no security issue listed in the `CHANGELOG` or reported in the 
GitHub issues (`rjbs/Email-Simple`).
  - In the past, there were algorithmic complexity issues 
(`rjbs/Email-Simple#8` and `8b6843d55296783ba28e679a877853dff5a17be6`) that 
eventually ended up impacting the availability of the module and the 
applications using it. These were fixed rapidly and with minimal changes, so 
they imply minimal security concerns.
- Build-Depends
  - The single dependency that the module has is `libemail-date-format-perl`. 
It is only called once, for getting an RFC 2822-formatted date string.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - N/A
- cron jobs
  - N/A
- Build logs
  - N/A

- Processes spawned
  - N/A
- Memory management
  - N/A
- File IO
  - The module operates only with parameters (for example, the email to be 
parsed), so no files are involved at all in the code of the module.
  - Files are opened only in the tests from the `t/` folder.
- Logging
  - The module uses `croak()` and `carp()` from the `Carp` module to create 
warnings or errors. The original filename and line number (pointing to the 
implementation of the library) are changed with the details of the caller from 
the user script.
- Environment variable usage
  - N/A
- Use of privileged functions
  - N/A
- Use of cryptography / random number sources etc
  - N/A
- Use of temp files
  - N/A
- Use of networking
  - N/A
- Use of WebKit
  - N/A
- Use of PolicyKit
  - N/A

Another aspect that was checked is the Regex processing (matching, splitting, 
and substitution). The points at which injections may have been leading to a 
Regex-based denial of service (ReDoS) were dynamically tested. They are safe.

The audit also leveraged fuzzing with an instrumented build of the Perl 
interpreter, a custom harness, and AFL++. No issue was detected during the 
fuzzing session.

The repository has a few commits and issues. Since 2018, those have been fewer 
and fewer (https://github.com/rjbs/Email-Simple/blob/main/Changes), and the 
issues starting from that year are still unresolved 
(https://github.com/rjbs/Email-Simple/issues?q=is%3Aopen+is%3Aissue). Combining 
this information with the lack of a security policy, private reporting, README, 
licence, and contact information, it is unclear how well the repository is 
maintained and if the maintainer can promptly respond to future security issues 
in the package.

Despite the codebase doesn't raise immediate security concerns that may block 
the MIR process, the Security team proposes a conditional ACK for promoting 
`libemail-simple-perl` into main. The owning team (namely, the Ubuntu Server 
Team) needs to commit to the development and testing of security patches for 
all Ubuntu releases if we lack upstream support. In addition, the same team 
should ask for demoting the package if a more suitable package can be used as 
an alternative for `libemail-simple-perl`.

Thanks!

Ubuntulibemail-simple-perl package

Comment 6 for bug 2031491

Ubuntu
libemail-simple-perl package