Various IP handling perl packages may be vulnerable

Open
Submitted by Léo Le Bouter.
Details
One participant
  • Léo Le Bouter
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 6 Apr 21:05 +0200
(address . bug-guix@gnu.org)
44719c334e267e20361041fbf1d8c4d2aa5125f9.camel@zaclys.net
Read: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
I have not had time to investigate deeply, posting here so the info is not lost. I have already fixed one issue related to perl-data-validate-ip in 8ec03ed5475ca7919a7d11541ff8cbf33a9ffe67, but it seems there's several others.
One as CVE recently:
CVE-2021-29424 18:15 The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
Can't find a corresponding package in GNU Guix.
To be continued!
Léo
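
Added example, not part of the thread and not code from Net::Netmask or any Guix package: the CVE text quoted above concerns octets with extraneous leading zeros, which different parsers can read as decimal or, following the C inet_aton() convention, as octal. The sketch below shows both readings next to a strict validator that rejects such input before any allow/deny decision; the function names and sample addresses are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Strict dotted-quad parser: exactly four decimal octets in 0..255,
# no leading zeros (a lone "0" is fine), nothing before or after.
# Returns the address as a 32-bit integer, or nothing if not canonical.
sub parse_ipv4_strict {
    my ($str) = @_;
    return unless defined $str;
    my @octets = split /\./, $str, -1;    # -1 keeps empty trailing fields
    return unless @octets == 4;
    for my $o (@octets) {
        # \z (not $) so a trailing newline is not silently accepted
        return unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $o <= 255;
    }
    return ($octets[0] << 24) | ($octets[1] << 16)
         | ($octets[2] << 8)  |  $octets[3];
}

# Two lenient readings of one octet, kept only to make the ambiguity
# visible. A lenient parser picks one; another component on the same
# path (resolver, firewall, C library) may pick the other.
sub octet_as_decimal {
    my ($o) = @_;
    return $o + 0;                        # leading zeros are dropped
}

sub octet_as_octal {
    my ($o) = @_;
    # inet_aton()-style: a leading 0 marks an octal number
    return $o =~ /\A0[0-7]+\z/ ? oct($o) : $o + 0;
}

# Constructed sample inputs: one canonical, two with leading zeros.
for my $addr ('10.0.0.1', '010.0.0.1', '192.168.1.01') {
    my @o   = split /\./, $addr;
    my $dec = join '.', map { octet_as_decimal($_) } @o;
    my $oct = join '.', map { octet_as_octal($_) } @o;
    my $ok  = defined parse_ipv4_strict($addr) ? 'accept' : 'reject';
    printf "%-13s decimal=%-12s octal=%-12s strict=%s\n",
        $addr, $dec, $oct, $ok;
}
```

When the decimal and octal columns differ, an access-control check and the code that later uses the address can disagree about which host is meant, so the strict parser refuses the string instead of normalising it.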

Léo Le Bouter wrote on 6 Apr 21:06 +0200
(address . control@debbugs.gnu.org)
356219e68580344f61d6ed3cfb919f3c3371cb49.camel@zaclys.net
tags 47624 + security
quit
