Fix CVE-2021-47154
parent
96a9018711
commit
105c61cc3e
58
CVE-2021-47154.patch
Normal file
58
CVE-2021-47154.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 23b6ff0590dc279521863a502e890ef19a5a76fc Mon Sep 17 00:00:00 2001
|
||||
From: Stig Palmquist <stig@stig.io>
|
||||
Date: Wed, 31 Mar 2021 17:27:31 +0200
|
||||
Subject: [PATCH] Security: Prevent leading zeroes in ipv4 octets
|
||||
|
||||
This prevents prevents octal ipv4 addresses from being incorrectly
|
||||
handled by not supporting leading zeroes.
|
||||
|
||||
010.0.0.1 was incorrectly treated as 10.0.0.1, rather than 8.0.0.1
|
||||
|
||||
More information is availabe here:
|
||||
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
|
||||
---
|
||||
Lite.pm | 2 +-
|
||||
t/base.t | 13 ++++++++++++-
|
||||
2 files changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Lite.pm b/Lite.pm
|
||||
index fd6df73..d44f881 100644
|
||||
--- a/Lite.pm
|
||||
+++ b/Lite.pm
|
||||
@@ -181,7 +181,7 @@ sub _pack_ipv4 {
|
||||
my @nums = split /\./, shift(), -1;
|
||||
return unless @nums == 4;
|
||||
for (@nums) {
|
||||
- return unless /^\d{1,3}$/ and $_ <= 255;
|
||||
+ return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
|
||||
}
|
||||
pack("CC*", 0, @nums);
|
||||
}
|
||||
diff --git a/t/base.t b/t/base.t
|
||||
index cf32c5e..292456d 100644
|
||||
--- a/t/base.t
|
||||
+++ b/t/base.t
|
||||
@@ -8,7 +8,7 @@
|
||||
use Test;
|
||||
use strict;
|
||||
$|++;
|
||||
-BEGIN { plan tests => 39 };
|
||||
+BEGIN { plan tests => 42 };
|
||||
use Net::CIDR::Lite;
|
||||
ok(1); # If we made it this far, we are ok.
|
||||
|
||||
@@ -133,3 +133,14 @@ ok(join(', ', @list_short_range), '10.0.0.1-2, 10.0.0.5');
|
||||
})->list_short_range;
|
||||
ok(join(', ', @list_short_range), '10.0.0.250-255, 10.0.1.0-20, 10.0.1.22, 10.0.2.250-255, 10.0.3.0-255, 10.0.4.0-255, 10.0.5.0-8');
|
||||
|
||||
+
|
||||
+# Tests for vulnerability: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
|
||||
+eval { Net::CIDR::Lite->new("010.0.0.0/8") };
|
||||
+ok($@=~/Can't determine ip format/);
|
||||
+
|
||||
+my $err_octal = Net::CIDR::Lite->new;
|
||||
+eval { $err_octal->add("010.0.0.0/8") };
|
||||
+ok($@=~/Can't determine ip format/);
|
||||
+
|
||||
+eval { $err_octal->add("10.01.0.0/8") };
|
||||
+ok($@=~/Can't determine ip format/);
|
||||
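Review bot: The new octet check in `_pack_ipv4` still anchors with `^`/`$` and matches with `\d`, so it accepts more than plain decimal octets. In Perl, `$` also matches before a trailing newline, so an octet such as "1\n" passes all three conditions, and `\d` can match non-ASCII digits on character strings, which then numify to 0. A single strict pattern would close both gaps and fold in the leading-zero rule: `return unless /\A(?:0|[1-9][0-9]{0,2})\z/ and $_ <= 255;`. Whether such input can reach this sub depends on callers outside the hunk, and the sub's opening line sits above the hunk. A test in t/base.t for an address with a trailing newline would pin the behaviour.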
@ -1,10 +1,12 @@
|
||||
Name: perl-Net-CIDR-Lite
|
||||
Version: 0.21
|
||||
Release: 23
|
||||
Release: 24
|
||||
Summary: Net::CIDR::Lite - Perl extension for merging IPv4 or IPv6 CIDR addresses
|
||||
License: GPL+ or Artistic
|
||||
URL: https://metacpan.org/pod/Net::CIDR::Lite
|
||||
Source0: https://cpan.metacpan.org/authors/id/D/DO/DOUGW/Net-CIDR-Lite-%{version}.tar.gz
|
||||
# https://github.com/stigtsp/Net-CIDR-Lite/commit/23b6ff0590dc279521863a502e890ef19a5a76fc
|
||||
Patch0: CVE-2021-47154.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -48,5 +50,8 @@ make test
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Tue Mar 19 2024 yaoxin <yao_xin001@hoperun.com> - 0.21-24
|
||||
- Fix CVE-2021-47154
|
||||
|
||||
* Sat Dec 21 2019 zhouyihang <zhouyihang1@huawei.com> - 0.21-23
|
||||
- Package init
|
||||
|
||||
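Review bot: `Patch0: CVE-2021-47154.patch` is declared in the first hunk, but neither hunk shows `%prep`, so it is not visible whether the patch is actually applied at build time. If `%prep` uses a plain `%setup -q`, the fix ships in the source package but never reaches Lite.pm; it needs `%autosetup -p1` or an explicit `%patch0 -p1`. The new t/base.t cases live in the same patch, so a skipped patch would not make `make test` fail. Confirm the patch-application line in the build log.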