GNU bug report logs - #47624
Various IP handling perl packages may be vulnerable


Package: guix

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Tue, 6 Apr 2021 19:06:02 UTC

Severity: normal

Tags: security



Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: Various IP handling perl packages may be vulnerable
Date: Tue, 06 Apr 2021 21:05:33 +0200
Read: 
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/

I have not had time to investigate deeply, posting here so the info is
not lost. I have already fixed one issue related to
perl-data-validate-ip in 8ec03ed5475ca7919a7d11541ff8cbf33a9ffe67, but
it seems there are several others.

One as CVE recently:

CVE-2021-29424	18:15
The Net::Netmask module before 2.0000 for Perl does not properly
consider extraneous zero characters at the beginning of an IP address
string, which (in some situations) allows attackers to bypass access
control that is based on IP addresses.

Can't find a corresponding package in GNU Guix.

To be continued!
Léo
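
The leading-zero ambiguity described in the CVE text above, shown as an added example; it is not part of the original report and not code from Net::Netmask or Guix. It assumes the two readings a zero-prefixed octet commonly gets (plain decimal, and the C inet_aton convention where a leading 0 means octal); function names and sample addresses are constructed.

```python
import re

# One octet in canonical form: "0" or a number without extra leading zeros.
_CANONICAL_OCTET = re.compile(r"(0|[1-9][0-9]{0,2})\Z")

def parse_strict(addr):
    """Return four ints for a canonical dotted quad, else None.

    An octet such as "010" or "00" is rejected rather than guessed at,
    so no two layers can disagree about the address it denotes.
    """
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not _CANONICAL_OCTET.match(part) or int(part) > 255:
            return None
        octets.append(int(part))
    return tuple(octets)

def read_as_decimal(addr):
    """Lenient reading: leading zeros ignored, every octet base 10."""
    return tuple(int(p, 10) for p in addr.split("."))

def read_as_inet_aton(addr):
    """inet_aton-style reading: a leading 0 means octal (hex not handled)."""
    return tuple(int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)
                 for p in addr.split("."))

def audit(addr):
    """Classify an address string taken from an ACL entry or a request."""
    if parse_strict(addr) is not None:
        return "canonical"
    try:
        dec, octal = read_as_decimal(addr), read_as_inet_aton(addr)
    except ValueError:
        return "invalid"  # unparseable under at least one reading
    if len(dec) != 4 or not all(0 <= o <= 255 for o in dec + octal):
        return "invalid"
    # Same string, two different hosts: the access-control bypass condition.
    return "ambiguous" if dec != octal else "non-canonical"

if __name__ == "__main__":
    # Constructed sample input.
    for s in ["10.0.0.1", "010.0.0.1", "192.168.001.1", "10.0.0.256"]:
        print(f"{s:15} {audit(s)}")
```

Only strings classified as "canonical" are safe to compare against an IP-based access list; everything else is better rejected than normalised.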

This bug report was last modified 4 years and 70 days ago.
