openSUSE:Backports:SLE-15-SP6:Update
File perl-Net-Netmask-CVE-2021-29424.patch of Package perl-Net-Netmask
From 9023b403682f1eaadadf6cb71ba0117a1fa4f163 Mon Sep 17 00:00:00 2001 From: Joelle Maslak <jmaslak@antelope.net> Date: Mon, 29 Mar 2021 17:20:38 +0000 Subject: [PATCH] SECURITY: Prevent ambiguous networks from being accidentally used Fix #1: "shortnet" formatted netmasks are no longer allowed. I.E. something like 10/8 will no longer parse correctly, without setting a flag (see the module documentation). [Not back-ported] Fix #2: leading zeros are no longer allowed for IPv4 octets --- lib/Net/Netmask.pm | 30 ++++++---- t/badnets.t | 138 ++++++++++++++++++++++++++++++++++++++++++++ Index: Net-Netmask-1.9022/lib/Net/Netmask.pm =================================================================== --- Net-Netmask-1.9022.orig/lib/Net/Netmask.pm +++ Net-Netmask-1.9022/lib/Net/Netmask.pm @@ -245,7 +245,7 @@ sub quad2int { my @bytes = split(/\./,$_[0]); - return undef unless @bytes == 4 && ! grep {!(/\d+$/ && $_<256)} @bytes; + return undef unless @bytes == 4 && ! grep {!(/^(([0-9])|([1-9][0-9]*))$/ && $_<256)} @bytes; return unpack("N",pack("C4",@bytes)); } Index: Net-Netmask-1.9022/t/badnets.t =================================================================== --- Net-Netmask-1.9022.orig/t/badnets.t +++ Net-Netmask-1.9022/t/badnets.t @@ -1,6 +1,6 @@ #!/usr/bin/perl -w -BEGIN { $| = 1; print "1..52\n";} +BEGIN { $| = 1; print "1..60\n";} use Net::Netmask; $loaded = 1; print "ok 1\n"; 
@@ -96,5 +96,16 @@ test(48,scalar(Net::Netmask->errstr =~ / test(49,!defined(Net::Netmask->new2('10','foo')),"bad mask"); test(50,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch"); test(51,!defined(Net::Netmask->new2('10.10.10.10','0xYYY')),"bad mask"); -test(52,scalar(Net::Netmask->errstr =~ /^could not parse/),"errstr mismatch"); +test(52,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch"); +# These do weird things that users almost certainly don't expect, +# creating a potential security issue. I.E. all of the below IP +# addresses would be valid to inet_aton(). +test(53,!defined(Net::Netmask->new2('0192.0.1.2','32')),"ambiguous"); +test(54,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch"); +test(55,!defined(Net::Netmask->new2('0192.0.1.2/32')),"ambiguous"); +test(56,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch"); +test(57,!defined(Net::Netmask->new2('0192.0.1.2')),"ambiguous"); +test(58,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch"); +test(59,!defined(Net::Netmask->new2('0192.0.01.2')),"ambiguous"); +test(60,scalar(Net::Netmask->errstr =~ /^could not parse/),"errstr mismatch");
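Review bot: In the quad2int hunk of lib/Net/Netmask.pm, the new octet pattern is anchored with `$`, which in Perl also matches just before a trailing newline, so an octet such as "2\n" still passes the check. Anchor the end with `\z` instead. The first alternative only has to cover a lone zero, so the pattern can also be reduced to `/^(?:0|[1-9][0-9]*)\z/` with the `$_<256` comparison kept as it is.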
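Review bot: In the t/badnets.t hunk that adds tests 53 to 60, test 60 matches `/^could not parse/` without the trailing space, while the same hunk changes test 52 to `/^could not parse /` and tests 54, 56 and 58 use that form; make test 60 consistent with them. Every new input also starts with 0192, which is not a well-formed octal number because 9 is not an octal digit, so none of the cases exercises the octal-versus-decimal reading that the comment describes. Add an input such as '010.0.0.1' for that, plus a positive case confirming that a lone 0 octet (for example '10.0.0.1') still parses.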