File perl-Net-Netmask-CVE-2021-29424.patch of Package perl-Net-Netmask

From 9023b403682f1eaadadf6cb71ba0117a1fa4f163 Mon Sep 17 00:00:00 2001
From: Joelle Maslak <jmaslak@antelope.net>
Date: Mon, 29 Mar 2021 17:20:38 +0000
Subject: [PATCH] SECURITY: Prevent ambiguous networks from being accidentally used

 Fix #1: "shortnet" formatted netmasks are no longer allowed, i.e.
 something like 10/8 will no longer parse unless a flag is set
 (see the module documentation). [Not back-ported]

 Fix #2: leading zeros are no longer allowed for IPv4 octets

---
 lib/Net/Netmask.pm  |  30 ++++++----
 t/badnets.t         | 138 ++++++++++++++++++++++++++++++++++++++++++++

Index: Net-Netmask-1.9022/lib/Net/Netmask.pm
===================================================================
--- Net-Netmask-1.9022.orig/lib/Net/Netmask.pm
+++ Net-Netmask-1.9022/lib/Net/Netmask.pm
@@ -245,7 +245,7 @@ sub quad2int
 {
 	my @bytes = split(/\./,$_[0]);
 
-	return undef unless @bytes == 4 && ! grep {!(/\d+$/ && $_<256)} @bytes;
+	return undef unless @bytes == 4 && ! grep {!(/^(([0-9])|([1-9][0-9]*))$/ && $_<256)} @bytes;
 
 	return unpack("N",pack("C4",@bytes));
 }
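Review bot: The new octet pattern on the `grep` line is anchored with `$`, which in Perl also matches before a trailing newline, so an octet such as `"2\n"` still passes the regex and is then numified by `$_<256` and `pack`; anchoring with `\A`/`\z` closes that, e.g. `/\A(?:0|[1-9][0-9]{0,2})\z/`. Separately, `split(/\./,$_[0])` on the context line drops trailing empty fields, so an input ending in one or more dots still yields four elements; passing a limit of `-1`, `split(/\./,$_[0],-1)`, lets the `@bytes == 4` check reject it. Whether callers already filter such strings before they reach quad2int is not visible in this hunk. A one-line comment above the check, such as `# reject leading zeros: inet_aton-style parsers read them as octal`, would record why the pattern is this strict.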
Index: Net-Netmask-1.9022/t/badnets.t
===================================================================
--- Net-Netmask-1.9022.orig/t/badnets.t
+++ Net-Netmask-1.9022/t/badnets.t
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 
-BEGIN { $| = 1; print "1..52\n";}
+BEGIN { $| = 1; print "1..60\n";}
 use Net::Netmask;
 $loaded = 1;
 print "ok 1\n";
@@ -96,5 +96,16 @@ test(48,scalar(Net::Netmask->errstr =~ /
 test(49,!defined(Net::Netmask->new2('10','foo')),"bad mask");
 test(50,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch");
 test(51,!defined(Net::Netmask->new2('10.10.10.10','0xYYY')),"bad mask");
-test(52,scalar(Net::Netmask->errstr =~ /^could not parse/),"errstr mismatch");
+test(52,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch");
 
+# These do weird things that users almost certainly don't expect,
+# creating a potential security issue.  I.E. all of the below IP
+# addresses would be valid to inet_aton().
+test(53,!defined(Net::Netmask->new2('0192.0.1.2','32')),"ambiguous");
+test(54,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch");
+test(55,!defined(Net::Netmask->new2('0192.0.1.2/32')),"ambiguous");
+test(56,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch");
+test(57,!defined(Net::Netmask->new2('0192.0.1.2')),"ambiguous");
+test(58,scalar(Net::Netmask->errstr =~ /^could not parse /),"errstr mismatch");
+test(59,!defined(Net::Netmask->new2('0192.0.01.2')),"ambiguous");
+test(60,scalar(Net::Netmask->errstr =~ /^could not parse/),"errstr mismatch");
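Review bot: The new cases 53–60 only exercise `0192` and `01`, so nothing pins the situation the comment describes, an octet that is valid in both readings but denotes different numbers, for example `'010.0.0.1'` (constructed sample), and nothing checks that a lone `0` octet such as `'0.0.0.0'` is still accepted. One rejecting test per octet position plus one accepting test for `'0.0.0.0'` would guard the regex against later loosening or over-tightening. Test 60 also matches `/^could not parse/` without the trailing space that this same hunk adds to test 52; `/^could not parse /` would keep the two consistent. The plan count in the `BEGIN` line of the previous hunk would need to grow with any added tests.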