Similar to the issue pointed out with npm's Netmask module, perl's Net::Netmask prior to 2.0000 would silently treat octets with leading zeros as decimal, even though system libraries will treat those as octal:

    $ perl -MNet::Netmask -e '$block = new Net::Netmask("0127.0.0.1"); print $block, "\n"'
    127.0.0.1/32

But:

    $ ping 0127.0.0.1
    PING 0127.0.0.1 (87.0.0.1) 56(84) bytes of data.

This can lead to vulnerabilities if Net::Netmask examines IPs provided by an attacker prior to deciding whether to allow them through ACL/allow-lists, etc.

Net::Netmask-2.0001 throws an error with such IPs:

    $ perl -MNet::Netmask -e '$block = safe_new Net::Netmask("0127.0.0.1") || die "error: $Net::Netmask::error\n"; print $block, "\n"'
    error: could not parse 0127.0.0.1
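An added example in Python (not code from the bug report or from Net::Netmask) that puts the three parsers side by side: a decimal-only parse that mimics the old behaviour the report shows, the BSD/glibc inet_aton interpretation that ping used, and the strict canonical check an allow-list should apply before comparing anything. The lenient_decimal_ipv4 mimic is an assumption based only on the "0127.0.0.1 -> 127.0.0.1/32" output above; the octal/hex/short-form rules in libc_style_ipv4 follow inet_aton.

```python
import re

_OCTET = r"(?:0|[1-9][0-9]?|1[0-9]{2}|2[0-4][0-9]|25[0-5])"  # 0-255, no leading zeros
_STRICT = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")
_CNUM = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")  # numeric forms inet_aton accepts

def strict_ipv4(text):
    """Return the four octets of a canonical dotted-decimal address, else None.
    This is the only form an ACL/allow-list check should accept before comparing."""
    if not _STRICT.match(text):
        return None
    return tuple(int(p) for p in text.split("."))

def lenient_decimal_ipv4(text):
    """Mimic (an assumption, not the module's code) a parser that reads every octet
    as decimal, as the report shows Net::Netmask before 2.0000 did: "0127" -> 127."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return ".".join(str(int(p)) for p in parts)

def _c_number(part):
    """C-style number: 0x.. is hex, a leading 0 means octal, otherwise decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    return int(part, 8) if len(part) > 1 and part[0] == "0" else int(part, 10)

def libc_style_ipv4(text):
    """Interpret `text` as BSD/glibc inet_aton does (what ping used above): 1 to 4
    numeric parts, the last filling the remaining bytes. None if inet_aton rejects it."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_CNUM.fullmatch(p) for p in parts):
        return None
    try:
        vals = [_c_number(p) for p in parts]
    except ValueError:  # e.g. "08" is not valid octal
        return None
    tail_bytes = 5 - len(parts)  # bytes covered by the last part
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 256 ** tail_bytes:
        return None
    addr = 0
    for v in vals[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | vals[-1]
    return ".".join(str((addr >> shift) & 255) for shift in (24, 16, 8, 0))

def is_ambiguous(text):
    """True when the decimal-only parser and libc disagree: filter and kernel see different addresses."""
    return lenient_decimal_ipv4(text) != libc_style_ipv4(text)
```

Feeding "0127.0.0.1" through the three functions reproduces the report: the lenient parse yields 127.0.0.1, libc yields 87.0.0.1, and the strict check rejects the string outright, which is the behaviour the fixed module's safe_new gives.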
*** This bug has been marked as a duplicate of bug 779172 ***
(In reply to Sam James from comment #1)
> *** This bug has been marked as a duplicate of bug 779172 ***

Thanks, but I think you meant to mark 779373 as a dup of 779172, both of which concern Net-CIDR-Lite. This one, alone, concerns Net-Netmask, though the nature of the vulnerability is the same.
(In reply to Kerin Millar from comment #2)
> (In reply to Sam James from comment #1)
> > *** This bug has been marked as a duplicate of bug 779172 ***
>
> Thanks, but I think you meant to mark 779373 as a dup of 779172, both of
> which concern Net-CIDR-Lite. This one, alone, concerns Net-Netmask, though
> the nature of the vulnerability is the same.

Oh man, yes, you are right. Too tired. Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a56f6a5aa63c9154db93a17e57927fb8ac9211bc

commit a56f6a5aa63c9154db93a17e57927fb8ac9211bc
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-13 14:32:31 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-13 14:33:48 +0000

    dev-perl/Net-Netmask: Version bump, needs rekeywording

    Bug: https://bugs.gentoo.org/779163
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-perl/Net-Netmask/Manifest                   |  1 +
 dev-perl/Net-Netmask/Net-Netmask-2.0.100.ebuild | 28 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
Sanity check failed:

> dev-perl/Net-Netmask-2.0.100
>   bdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-perl/Test-UseAllModules-0.170.0
>     >=dev-perl/Test2-Suite-0.0.111
>   bdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     >=dev-perl/Test-UseAllModules-0.170.0
>     >=dev-perl/Test2-Suite-0.0.111
Sanity check failed:

> dev-perl/Net-Netmask-2.0.100
>   bdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-perl/Test-UseAllModules-0.170.0
>     >=dev-perl/Test2-Suite-0.0.111
>   bdepend amd64 stable profile default/linux/amd64/17.1 (36 total)
>     >=dev-perl/Test-UseAllModules-0.170.0
>     >=dev-perl/Test2-Suite-0.0.111
Unable to check for sanity:

> no match for package: dev-perl/Test-UseAllModules-0.170.0
Sanity check failed:

> dev-perl/Test2-Suite-0.0.140
>   bdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-perl/Term-Table-0.13.0
>     >=virtual/perl-Test-Simple-1.302.176
>   bdepend amd64 stable profile default/linux/amd64/17.1 (36 total)
>     >=dev-perl/Term-Table-0.13.0
>     >=virtual/perl-Test-Simple-1.302.176
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-perl/Term-Table-0.13.0
>     >=virtual/perl-Test-Simple-1.302.176
>   rdepend amd64 stable profile default/linux/amd64/17.1 (36 total)
>     >=dev-perl/Term-Table-0.13.0
>     >=virtual/perl-Test-Simple-1.302.176
Sanity check failed:

> virtual/perl-Test-Simple-1.302.183
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     ~perl-core/Test-Simple-1.302.183
>   rdepend amd64 stable profile default/linux/amd64/17.1 (36 total)
>     ~perl-core/Test-Simple-1.302.183
Unable to check for sanity:

> package masked: virtual/perl-Test-Simple-1.302.183
Sanity check failed:

> virtual/perl-Test-Simple-1.302.183
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     =dev-lang/perl-5.34*
>     ~perl-core/Test-Simple-1.302.183
>   rdepend amd64 stable profile default/linux/amd64/17.1 (36 total)
>     =dev-lang/perl-5.34*
>     ~perl-core/Test-Simple-1.302.183
This needs perl@ help to figure out if the deps are bogus.
(In reply to Sam James from comment #13)
> This needs perl@ help to figure out if the deps are bogus.

Unfortunately they are not. There might be a set of module versions that makes stabilization with Perl 5.32 easily possible, but introducing them now into the tree untested is also counterproductive.

I'm going to stable-mask the test useflag for this package, then the problem goes away (and tests are not run for this one package, compared to adding an untested test framework to 1599 others).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82608536951e6ffc2e3f801c648d84a70404f6ea

commit 82608536951e6ffc2e3f801c648d84a70404f6ea
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-30 20:59:56 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-30 21:01:00 +0000

    package.use.stable.mask: Mask test for dev-perl/Net-Netmask

    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
    Bug: https://bugs.gentoo.org/779163

 profiles/base/package.use.stable.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Now I'm curious if Nattka can handle that.
amd64 done
Adding dev-perl/Test2-Suite-0.0.140 now that Perl 5.34 is stable.
Sanity check failed:

> dev-perl/Test2-Suite-0.0.140
>   bdepend amd64 dev profile default/linux/amd64/17.0/x32 (37 total)
>     >=dev-perl/Term-Table-0.13.0
>   bdepend amd64 stable profile default/linux/amd64/17.1 (73 total)
>     >=dev-perl/Term-Table-0.13.0
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (37 total)
>     >=dev-perl/Term-Table-0.13.0
>   rdepend amd64 stable profile default/linux/amd64/17.1 (73 total)
>     >=dev-perl/Term-Table-0.13.0
>   bdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     >=dev-perl/Module-Pluggable-2.700.0
>     >=dev-perl/Term-Table-0.13.0
>     dev-perl/Scope-Guard
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     >=dev-perl/Module-Pluggable-2.700.0
>     >=dev-perl/Term-Table-0.13.0
>     dev-perl/Scope-Guard
arm done
arm64 done
sparc done
ppc64 stable
hppa done
Unable to check for sanity:

> no match for package: dev-perl/Scope-Guard-0.210.0
All sanity-check issues have been resolved
ppc done
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a9766702dad06585559635a8135691fedd101a7

commit 1a9766702dad06585559635a8135691fedd101a7
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-10-16 20:03:06 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-10-16 20:03:13 +0000

    dev-perl/Net-Netmask: Remove old

    Bug: https://bugs.gentoo.org/779163
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-perl/Net-Netmask/Manifest                     |  1 -
 dev-perl/Net-Netmask/Net-Netmask-1.902.200.ebuild | 19 -------------------
 2 files changed, 20 deletions(-)
Unable to check for sanity:

> no match for package: dev-perl/Test2-Suite-0.0.140