public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #118607 from stigtsp/package/perl-net-cidr-lite-0.22 

perlPackages.NetCIDRLite: 0.21 -> 0.22
This commit is contained in:
Sandro 2021-04-05 19:12:38 +02:00 committed by GitHub
parent 2cd467894a 8fca47fdc1
commit 5343c0426c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
pkgs/development/perl-modules/Net-CIDR-Lite-prevent-leading-zeroes-ipv4.patch
View File

@ -1,53 +0,0 @@
From 734d31aa2f65b69f5558b9b0dd67af0461ca7f80 Mon Sep 17 00:00:00 2001
From: Stig Palmquist <stig@stig.io>
Date: Tue, 30 Mar 2021 12:13:37 +0200
Subject: [PATCH] Security: Prevent leading zeroes in ipv4 octets
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
Related to CVE-2021-28918
---
Lite.pm | 2 +-
t/base.t | 13 ++++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/Lite.pm b/Lite.pm
index fd6df73..d44f881 100644
--- a/Lite.pm
+++ b/Lite.pm
@@ -181,7 +181,7 @@ sub _pack_ipv4 {
my @nums = split /\./, shift(), -1;
return unless @nums == 4;
for (@nums) {
- return unless /^\d{1,3}$/ and $_ <= 255;
+ return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
}
pack("CC*", 0, @nums);
}
diff --git a/t/base.t b/t/base.t
index cf32c5e..292456d 100644
--- a/t/base.t
+++ b/t/base.t
@@ -8,7 +8,7 @@
use Test;
use strict;
$|++;
-BEGIN { plan tests => 39 };
+BEGIN { plan tests => 42 };
use Net::CIDR::Lite;
ok(1); # If we made it this far, we are ok.
@@ -133,3 +133,14 @@ ok(join(', ', @list_short_range), '10.0.0.1-2, 10.0.0.5');
})->list_short_range;
ok(join(', ', @list_short_range), '10.0.0.250-255, 10.0.1.0-20, 10.0.1.22, 10.0.2.250-255, 10.0.3.0-255, 10.0.4.0-255, 10.0.5.0-8');
+
+# Tests for vulnerability: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
+eval { Net::CIDR::Lite->new("010.0.0.0/8") };
+ok($@=~/Can't determine ip format/);
+
+my $err_octal = Net::CIDR::Lite->new;
+eval { $err_octal->add("010.0.0.0/8") };
+ok($@=~/Can't determine ip format/);
+
+eval { $err_octal->add("10.01.0.0/8") };
+ok($@=~/Can't determine ip format/);

13
pkgs/top-level/perl-packages.nix
View File

@ -15114,18 +15114,15 @@ let
NetCIDRLite = buildPerlPackage { NetCIDRLite = buildPerlPackage {
pname = "Net-CIDR-Lite"; pname = "Net-CIDR-Lite";
version = "0.21"; version = "0.22";
src = fetchurl { src = fetchurl {
url = "mirror://cpan/authors/id/D/DO/DOUGW/Net-CIDR-Lite-0.21.tar.gz"; url = "mirror://cpan/authors/id/S/ST/STIGTSP/Net-CIDR-Lite-0.22.tar.gz";
sha256 = "cfa125e8a2aef9259bc3a44e07cbdfb7894b64d22e7c0cee92aee2f5c7915093"; sha256 = "05w57db2lx4djb4vixzdr6qgrzyzkk047nl812g7nq8s6k5xh5s3";
}; };
patches = [
# Fix for security issue: prevent leading zeroes in ipv4 octets
# https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
../development/perl-modules/Net-CIDR-Lite-prevent-leading-zeroes-ipv4.patch
];
meta = { meta = {
description = "Perl extension for merging IPv4 or IPv6 CIDR addresses"; description = "Perl extension for merging IPv4 or IPv6 CIDR addresses";
license = with lib.licenses; [ artistic1 gpl1Plus ];
maintainers = [ maintainers.sgo ];
}; };
}; };