packages/perl-Net-CIDR-Lite
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!7 Fix CVE-2021-47154

Browse Source 
From: @starlet-dx 
Reviewed-by: @wk333 
Signed-off-by: @wk333
This commit is contained in:
openeuler-ci-bot 2024-03-19 01:57:05 +00:00 committed by Gitee
commit a8f81a25f8
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
CVE-2021-47154.patch Normal file
View File

@ -0,0 +1,58 @@
From 23b6ff0590dc279521863a502e890ef19a5a76fc Mon Sep 17 00:00:00 2001
From: Stig Palmquist <stig@stig.io>
Date: Wed, 31 Mar 2021 17:27:31 +0200
Subject: [PATCH] Security: Prevent leading zeroes in ipv4 octets
This prevents prevents octal ipv4 addresses from being incorrectly
handled by not supporting leading zeroes.
010.0.0.1 was incorrectly treated as 10.0.0.1, rather than 8.0.0.1
More information is availabe here:
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
---
Lite.pm | 2 +-
t/base.t | 13 ++++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/Lite.pm b/Lite.pm
index fd6df73..d44f881 100644
--- a/Lite.pm
+++ b/Lite.pm
@@ -181,7 +181,7 @@ sub _pack_ipv4 {
my @nums = split /\./, shift(), -1;
return unless @nums == 4;
for (@nums) {
- return unless /^\d{1,3}$/ and $_ <= 255;
+ return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
}
pack("CC*", 0, @nums);
}
diff --git a/t/base.t b/t/base.t
index cf32c5e..292456d 100644
--- a/t/base.t
+++ b/t/base.t
@@ -8,7 +8,7 @@
use Test;
use strict;
$|++;
-BEGIN { plan tests => 39 };
+BEGIN { plan tests => 42 };
use Net::CIDR::Lite;
ok(1); # If we made it this far, we are ok.
@@ -133,3 +133,14 @@ ok(join(', ', @list_short_range), '10.0.0.1-2, 10.0.0.5');
})->list_short_range;
ok(join(', ', @list_short_range), '10.0.0.250-255, 10.0.1.0-20, 10.0.1.22, 10.0.2.250-255, 10.0.3.0-255, 10.0.4.0-255, 10.0.5.0-8');
+
+# Tests for vulnerability: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
+eval { Net::CIDR::Lite->new("010.0.0.0/8") };
+ok($@=~/Can't determine ip format/);
+
+my $err_octal = Net::CIDR::Lite->new;
+eval { $err_octal->add("010.0.0.0/8") };
+ok($@=~/Can't determine ip format/);
+
+eval { $err_octal->add("10.01.0.0/8") };
+ok($@=~/Can't determine ip format/);

7
perl-Net-CIDR-Lite.spec
View File

@ -1,10 +1,12 @@
Name: perl-Net-CIDR-Lite Name: perl-Net-CIDR-Lite
Version: 0.21 Version: 0.21
Release: 23 Release: 24
Summary: Net::CIDR::Lite - Perl extension for merging IPv4 or IPv6 CIDR addresses Summary: Net::CIDR::Lite - Perl extension for merging IPv4 or IPv6 CIDR addresses
License: GPL+ or Artistic License: GPL+ or Artistic
URL: https://metacpan.org/pod/Net::CIDR::Lite URL: https://metacpan.org/pod/Net::CIDR::Lite
Source0: https://cpan.metacpan.org/authors/id/D/DO/DOUGW/Net-CIDR-Lite-%{version}.tar.gz Source0: https://cpan.metacpan.org/authors/id/D/DO/DOUGW/Net-CIDR-Lite-%{version}.tar.gz
# https://github.com/stigtsp/Net-CIDR-Lite/commit/23b6ff0590dc279521863a502e890ef19a5a76fc
Patch0: CVE-2021-47154.patch
BuildArch: noarch BuildArch: noarch
@ -48,5 +50,8 @@ make test
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Tue Mar 19 2024 yaoxin <yao_xin001@hoperun.com> - 0.21-24
- Fix CVE-2021-47154
* Sat Dec 21 2019 zhouyihang <zhouyihang1@huawei.com> - 0.21-23 * Sat Dec 21 2019 zhouyihang <zhouyihang1@huawei.com> - 0.21-23
- Package init - Package init