CVE-2024-4140

NameCVE-2024-4140
DescriptionAn excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs960062

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libemail-mime-perl (PTS)bullseye1.949-1vulnerable
bookworm1.953-1vulnerable
sid, trixie1.954-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libemail-mime-perlsource(unstable)1.954-1960062

Notes

[bookworm] - libemail-mime-perl <no-dsa> (Minor issue)
[bullseye] - libemail-mime-perl <no-dsa> (Minor issue)
[buster] - libemail-mime-perl <postponed> (Minor issue; OOM DoS)
https://github.com/rjbs/Email-MIME/issues/66
https://github.com/rjbs/Email-MIME/pull/80
https://github.com/rjbs/Email-MIME/commit/fc0fededd24a71ccc51bcd8b1e486385d09aae63 (1.954)
https://github.com/rjbs/Email-MIME/commit/b2cb62f19e12580dd235f79e2546d44a6bec54d1 (1.954)
Search for package or bug name: Reporting problems