GNU bug report logs

#47624 Various IP handling perl packages may be vulnerable

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#47624; Package guix. (Tue, 06 Apr 2021 19:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Tue, 06 Apr 2021 19:06:02 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Subject: Various IP handling perl packages may be vulnerable
Date: Tue, 06 Apr 2021 21:05:33 +0200
[Message part 1 (text/plain, inline)]
Read: 
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/

I have not had time to investigate deeply, posting here so the info is
not lost. I have already fixed one issue related to perl-data-validate-
ip in 8ec03ed5475ca7919a7d11541ff8cbf33a9ffe67, but it seems there's
several others.

One as CVE recently:

CVE-2021-29424	18:15
The Net::Netmask module before 2.0000 for Perl does not properly
consider extraneous zero characters at the beginning of an IP address
string, which (in some situations) allows attackers to bypass access
control that is based on IP addresses.

Can't find a corresponding package in GNU Guix.

To be continued!
Léo
[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Léo Le Bouter <lle-bout@zaclys.net> to control@debbugs.gnu.org. (Tue, 06 Apr 2021 19:07:02 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Nov 2 04:55:40 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.