Security Issues in Perl IP Address distros


good chemistry is complicated, and a little bit messy -LW
	PerlMonks

Security Issues in Perl IP Address distros

by choroba (Archbishop)

on Mar 30, 2021 at 12:59 UTC ( #11130589=perlnews: print w/replies, xml )

Need Help??

Security Issues in Perl IP Address distros

tl;dr:

Net-Netmask: Vulnerable before 2.00000 release. Upgrade now.
Net-CIDR-Lite: Affected and unmaintained.
Net-IPAddress-Util: Affected.
Data-Validate-IP: Depends on exactly how it’s used. See below for details.
Socket: Appears unaffected.
Net-DNS: Appears unaffected.
NetAddr-IP: Appears unaffected.
Net-Subnet: Appears unaffected.
Net-Patricia: Appears unaffected.

map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]

Comment on Security Issues in Perl IP Address distros Download Code

Replies are listed 'Best First'.
Re: Security Issues in Perl IP Address distros by parv (Vicar) on Mar 31, 2021 at 02:37 UTC
Original report linked from above Perl context: Universal "netmask" npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forgery, remote file inclusion, local file inclusion, and more (CVE-2021-28918)	[reply]
Re: Security Issues in Perl IP Address distros by jeffenstein (Friar) on Mar 30, 2021 at 15:35 UTC
If I'm reading it correctly, it only affects you if you've configured something using octal IP addresses, or you are trusting textual IP address from remote users. Is it really a security issue in that case?	[reply]
Re^2: Security Issues in Perl IP Address distros by choroba (Archbishop) on Mar 30, 2021 at 15:57 UTC
From my limited experience from security, everything that has a potential to behave differently than expected is considered a security issue. After the original node issue was published, I can imagine lots of people and robots trying entering dangerous IPs everywhere just to see what happens. `map{substr$_->[0],$_->[1]\|\|0,1}[\\|\|{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^ARGV,3]`	[reply] [d/l]
Re: Security Issues in Perl IP Address distros by hippo (Chancellor) on Apr 06, 2021 at 12:54 UTC
Note that Net::CIDR::Lite now has an active maintainer (STIGTSP) and as of version 0.22 has been patched to address this flaw. 🦛	[reply]

Back to Perl News

Log In^?

Node Status^?

node history
Node Type: perlnews [id://11130589]
help

Chatterbox^?

How do I use this? | Other CB clients

Other Users^?

Others taking refuge in the Monastery: (3)

As of 2021-04-18 16:44 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

No recent polls found

Notices^?