Various IP handling perl packages may be vulnerable

Open

Details

One participant

Léo Le Bouter

Owner: unassigned

Submitted by: Léo Le Bouter

Severity: normal

L

L

Léo Le Bouter wrote on 6 Apr 2021 21:05

Recipients:(address . bug-guix@gnu.org)

Message-ID:44719c334e267e20361041fbf1d8c4d2aa5125f9.camel@zaclys.net

Read:

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/

I have not had time to investigate deeply, posting here so the info is

not lost. I have already fixed one issue related to perl-data-validate-

ip in 8ec03ed5475ca7919a7d11541ff8cbf33a9ffe67, but it seems there's

several others.

One as CVE recently:

CVE-2021-29424 18:15

The Net::Netmask module before 2.0000 for Perl does not properly

consider extraneous zero characters at the beginning of an IP address

string, which (in some situations) allows attackers to bypass access

control that is based on IP addresses.

Can't find a corresponding package in GNU Guix.

To be continued!

Léo

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBssP0ACgkQRaix6GvN
EKavoBAAlbKSQLgDAYVOLoii0COsBG6nqca+aotCTbP2t9eelqwmcHHRJdb62OgN
P14Gsy6KswgdlJeTOM73Zh03IfIMWE/DR0tNUy5tiZ7AyXrLytUXB1KYrHu14zBw
/pd76mSqEEezG3kjMdvuRZHYfhp2xPE+xTzdfykLRxgnqmInBEIAWRoFNNN+yeJJ
ixEDVYeT7E7J7tO1MMlrqNjcVZmOJv2RrU19Q4MUd8MZJDeby7CFRXA3YEy+P0zs
dNkDXq70cvKWpp7lDqSmrh4a0JU451tKH0QutZVUAofLbCL8BDsCZekyFhmpb8NZ
4YEin0uc9NwOGMAlPE0kc2YUJnSdaywE20+ZkruX+Sofr39ZKTy/IGsLtwYdEw8G
yo9Me5Mqh1p4GxAFneNoJAgxXbVIH+eTxvM/Ta9scjanqzeFZLBm55NaxJsbwgkf
+SEVNzoiakYusfa4XfoIN5QiDsDdIi/vunn7x5+cOHgVmQ2O5YyPLJ0ftOUG2rCP
H4AXkzo6t/4BBjmTdnVA4h1IUt1iKzjTPMNTX2Ocb/ARKiW+yBzaKLyDq+3QFjJX
AWUaJ6b19vMTUjsTnm8m98wKHmJpUmgfkNVZvRjLSjugNpvTFGHHSL24gibsazzp
KgQm0EzaMZQyi7886583g7KWZgfGJtVa+ziafBCOMEtUYXId25c=
=04yD
-----END PGP SIGNATURE-----

L

L

Léo Le Bouter wrote on 6 Apr 2021 21:06

Recipients:(address . control@debbugs.gnu.org)

Message-ID:356219e68580344f61d6ed3cfb919f3c3371cb49.camel@zaclys.net

tags 47624 + security

quit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBssS4ACgkQRaix6GvN
EKZ6ZBAAinRGle5/cdZew2Odw2bLum+W3M50630Rahrg9pj9gixoP63DB71W35/7
CAAp8oo0meedKfsXo2qeRu8GhNGNSA/QY7ouBcSYuv4XeMtkiZBUCayvB0FgBKb7
Oy5Nu/4Ly0eOtDLOQwWFNoPOWKebVwOX55vt6PNitx84OwilI+hqb41ydYDEkjRa
8AmJBi/Mf6IkHg6hAl/UMb9KP/A84x/bS2ZZWis1pB/3wIZKxbq8AJbdF6YtDrx3
DqeOxCZ0sQBTG1nJdz135FilgEMrmK20+XsfU6J9hR10Es4erQxipC+uwjuXCJpU
X44rpo6Fw+wN/a/OsrShT9yss3OS1OEbIx93T8mxumBID9ji5r2N29gQAjmYs0ez
knHOP4QrMIzAFq0tsYXzC7REeDQHvVo1bCI0e1kB3Tv/xbdj2gM2im7hRipQEBIc
blPOQ8QHcAd/RERNrQLkXJwjjLGLvm54h8ZKb/rcLs2MXvZddfSfdxodBjnZzmCQ
97x+V47b1ahUfSFr/6hN5exkxtFuyBbiKPPtJfz30y4Ngx04zS/HTEA/l4cL93D8
Erp6M1SKeJwi5nq5C2cRRdBIPj37c91XO7q019ek0Qz56YpIVj5dmkur49OyLRlw
sv1MjuRUlrxrjWowwIWuaK3Gcfb8rZZx2Q0urbF+d8hxpuoquxg=
=l3Yi
-----END PGP SIGNATURE-----

?

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 47624@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 47624

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch