Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 779163 - <dev-perl/Net-Netmask-2.0.100: octal type confusion with leading zeros in IP octets
Summary: <dev-perl/Net-Netmask-2.0.100: octal type confusion with leading zeros in IP ...
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://metacpan.org/changes/distribu...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 789978
Blocks:
  Show dependency tree
 
Reported: 2021-03-29 21:06 UTC by Hank Leininger
Modified: 2024-03-03 22:07 UTC (History)
1 user (show)

See Also:
Package list:
dev-perl/Net-Netmask-2.0.100 ppc x86 dev-perl/Test2-Suite-0.0.140 dev-perl/Term-Table-0.15.0 dev-perl/Module-Pluggable-5.200.0-r1 dev-perl/Scope-Guard-0.210.0-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2021-03-29 21:06:41 UTC
Similar to the issue pointed out with npm's Netmask module, perl's Net::Netmask prior to 2.0000 would silently treat octets with leading zeros as decimal, even though system libraries will treat those as octal:

$ perl -MNet::Netmask -e '$block = new Net::Netmask("0127.0.0.1"); print $block, "\n"'
127.0.0.1/32

But:

$ ping 0127.0.0.1
PING 0127.0.0.1 (87.0.0.1) 56(84) bytes of data.

This can lead to vulnerabilities if Net::Netmask examines IPs provided by an attacker prior to deciding whether to allow them through ACL/allow-lists, etc.

Net::Netmask-2.0001 throws an error with such IPs:

$ perl -MNet::Netmask -e '$block = safe_new Net::Netmask("0127.0.0.1") || die "error: $Net::Netmask::error\n"; print $block, "\n"'
error: could not parse 0127.0.0.1
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-11 22:13:15 UTC

*** This bug has been marked as a duplicate of bug 779172 ***
Comment 2 kfm 2021-05-11 23:11:44 UTC
(In reply to Sam James from comment #1)
> 
> *** This bug has been marked as a duplicate of bug 779172 ***

Thanks, but I think you meant to mark 779373 as a dup of 779172, both of which concern Net-CIDR-Lite. This one, alone, concerns Net-Netmask, though the nature of the vulnerability is the same.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-11 23:13:34 UTC
(In reply to Kerin Millar from comment #2)
> (In reply to Sam James from comment #1)
> > 
> > *** This bug has been marked as a duplicate of bug 779172 ***
> 
> Thanks, but I think you meant to mark 779373 as a dup of 779172, both of
> which concern Net-CIDR-Lite. This one, alone, concerns Net-Netmask, though
> the nature of the vulnerability is the same.

Oh man, yes, you are right. Too tired. Thanks!
Comment 4 Larry the Git Cow gentoo-dev 2021-05-13 14:34:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a56f6a5aa63c9154db93a17e57927fb8ac9211bc

commit a56f6a5aa63c9154db93a17e57927fb8ac9211bc
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-13 14:32:31 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-13 14:33:48 +0000

    dev-perl/Net-Netmask: Version bump, needs rekeywording
    
    Bug: https://bugs.gentoo.org/779163
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-perl/Net-Netmask/Manifest                   |  1 +
 dev-perl/Net-Netmask/Net-Netmask-2.0.100.ebuild | 28 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
Comment 5 NATTkA bot gentoo-dev 2021-05-13 14:48:30 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-05-15 02:16:27 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-05-15 02:20:25 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-05-15 02:24:25 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-05-15 02:28:33 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-05-15 02:36:27 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-05-20 03:24:24 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-05-20 06:04:30 UTC Comment hidden (obsolete)
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 03:38:28 UTC
This needs perl@ help to figure out if the deps are bogus.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2021-05-30 20:56:33 UTC
(In reply to Sam James from comment #13)
> This needs perl@ help to figure out if the deps are bogus.

Unfortunately they are not.

There might be a set of module versions that makes stabilization with Perl 5.32 easily possible, but introducing them now into the tree untested is also counterproductive.

I'm going to stable-mask the test useflag for this package, then the problem goes away (and tests are not run for this one package, compared to adding an untested test framework to 1599 others).
Comment 15 Larry the Git Cow gentoo-dev 2021-05-30 21:01:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82608536951e6ffc2e3f801c648d84a70404f6ea

commit 82608536951e6ffc2e3f801c648d84a70404f6ea
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-30 20:59:56 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-30 21:01:00 +0000

    package.use.stable.mask: Mask test for dev-perl/Net-Netmask
    
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
    Bug: https://bugs.gentoo.org/779163

 profiles/base/package.use.stable.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2021-05-30 21:02:09 UTC
Now I'm curious if Nattka can handle that.
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-04 04:54:59 UTC
amd64 done
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 00:46:26 UTC
Adding dev-perl/Test2-Suite-0.0.140 now that Perl 5.34 is stable.
Comment 19 NATTkA bot gentoo-dev 2021-07-26 00:48:32 UTC Comment hidden (obsolete)
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 02:14:18 UTC
arm done
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 02:14:20 UTC
arm64 done
Comment 22 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 02:27:02 UTC
amd64 done
Comment 23 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-28 02:38:01 UTC
sparc done
Comment 24 Agostino Sarubbo gentoo-dev 2021-07-31 13:04:41 UTC
ppc64 stable
Comment 25 Rolf Eike Beer archtester 2021-08-05 12:45:28 UTC
hppa done
Comment 26 NATTkA bot gentoo-dev 2021-08-06 19:36:31 UTC Comment hidden (obsolete)
Comment 27 NATTkA bot gentoo-dev 2021-08-07 16:36:36 UTC Comment hidden (obsolete)
Comment 28 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-03 00:30:44 UTC
ppc done
Comment 29 Agostino Sarubbo gentoo-dev 2021-10-04 11:01:34 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 30 Larry the Git Cow gentoo-dev 2021-10-16 20:03:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a9766702dad06585559635a8135691fedd101a7

commit 1a9766702dad06585559635a8135691fedd101a7
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-10-16 20:03:06 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-10-16 20:03:13 +0000

    dev-perl/Net-Netmask: Remove old
    
    Bug: https://bugs.gentoo.org/779163
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-perl/Net-Netmask/Manifest                     |  1 -
 dev-perl/Net-Netmask/Net-Netmask-1.902.200.ebuild | 19 -------------------
 2 files changed, 20 deletions(-)
Comment 31 NATTkA bot gentoo-dev 2021-12-09 12:08:51 UTC
Unable to check for sanity:

> no match for package: dev-perl/Test2-Suite-0.0.140