Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 461494 (CVE-2013-1841) - dev-perl/Net-Server: Reverse lookup issue (CVE-2013-1841)
Summary: dev-perl/Net-Server: Reverse lookup issue (CVE-2013-1841)
Status: RESOLVED WONTFIX
Alias: CVE-2013-1841
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [upstream+]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-12 08:58 UTC by Agostino Sarubbo
Modified: 2019-04-14 01:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-03-12 08:58:02 UTC
From ${URL} :

I think there is a security issue in the way the access control feature
of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works.
Net::Server is used by various projects including Munin, Postgrey and 
SQLgrey.

The issue lies in the fact that the allow / deny access control
does not perform a valid DNS check when given a hostname parameter
and the 'reverse_lookups' option is enabled.
The current code only checks that the incoming connection source IP
address has a reverse DNS matching the given hostname, but does not
check that the hostname resolves back to this source IP address (see
how the $prop->{'peerhost'} property is set in get_client_info(),
lib/Net/Server.pm:553, then used in allow_deny(), lib/Net/Server.pm:597).
As it is trivial for an attacker to be able to set his own
source IP's reverse DNS, the current check is not safe (this probably
matches CWE-807: Reliance on Untrusted Inputs in a Security Decision).

I think that the valid way would be to do the same checks as
Apache HTTPd does for the Allow / Deny directives (see do_double_reverse()
and ap_get_remote_host() in server/core.c for more information):
"It will do a reverse DNS lookup on the IP address to find the
associated hostname, and then do a forward lookup on the hostname
to assure that it matches the original IP address.
Only if the forward and reverse DNS are consistent and the hostname
matches will access be allowed."

At the very least, the documentation of Net:Server should be updated to
specify exactly what is checked by Net:Server access control, as many
people seem to assume that the check is done in the same way as in Apache 
HTTPd.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2014-11-30 22:28:01 UTC
See also https://rt.cpan.org/Public/Bug/Display.html?id=83909
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-15 08:14:55 UTC
Package removed from tree per [1].

[1]: https://archives.gentoo.org/gentoo-dev/message/b3b302aae2c6bf249f11995bbc4ec5a4
Comment 3 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2016-03-15 12:36:56 UTC
Wasn't really removed, was renamed to dev-perl/Net-Server to track upstream naming. 

So that means this is still an issue in my understanding.

Sorry for the confusion.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2017-01-20 23:28:09 UTC
Nothing upstream, nothing at debian, nothing at redhat
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-04-19 22:36:59 UTC
Should anything ever happen, then maybe here:
 https://github.com/rhandom/perl-net-server
Comment 6 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-11-25 03:32:37 UTC
Upstream have cut a new release in August 2017, alas, nothing in it fixes this issue as far as I can tell.