From 7365de5ace45ac979fae118b1666be38a472bf3c Mon Sep 17 00:00:00 2001
From: Stig Palmquist
Date: Tue, 30 Mar 2021 12:31:27 +0200
Subject: [PATCH] perlPackages.NetCIDRLite: add patch to prevent leading zeroes in ipv4 octets

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
---
 ...IDR-Lite-prevent-leading-zeroes-ipv4.patch | 53 +++++++++++++++++++
 pkgs/top-level/perl-packages.nix | 5 ++
 2 files changed, 58 insertions(+)
 create mode 100644 pkgs/development/perl-modules/Net-CIDR-Lite-prevent-leading-zeroes-ipv4.patch

diff --git a/pkgs/development/perl-modules/Net-CIDR-Lite-prevent-leading-zeroes-ipv4.patch b/pkgs/development/perl-modules/Net-CIDR-Lite-prevent-leading-zeroes-ipv4.patch
new file mode 100644
index 00000000000..337111b6c04
--- /dev/null
+++ b/pkgs/development/perl-modules/Net-CIDR-Lite-prevent-leading-zeroes-ipv4.patch
@@ -0,0 +1,53 @@
+From 734d31aa2f65b69f5558b9b0dd67af0461ca7f80 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist
+Date: Tue, 30 Mar 2021 12:13:37 +0200
+Subject: [PATCH] Security: Prevent leading zeroes in ipv4 octets
+
+https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
+Related to CVE-2021-28918
+---
+ Lite.pm | 2 +-
+ t/base.t | 13 ++++++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/Lite.pm b/Lite.pm
+index fd6df73..d44f881 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -181,7 +181,7 @@ sub _pack_ipv4 {
+ my @nums = split /\./, shift(), -1;
+ return unless @nums == 4;
+ for (@nums) {
+- return unless /^\d{1,3}$/ and $_ <= 255;
++ return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
+ }
+ pack("CC*", 0, @nums);
+ }
+diff --git a/t/base.t b/t/base.t
+index cf32c5e..292456d 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 39 };
++BEGIN { plan tests => 42 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+
+@@ -133,3 +133,14 @@ ok(join(', ', @list_short_range), '10.0.0.1-2, 10.0.0.5');
+ })->list_short_range;
+ ok(join(', ', @list_short_range), '10.0.0.250-255, 10.0.1.0-20, 10.0.1.22, 10.0.2.250-255, 10.0.3.0-255, 10.0.4.0-255, 10.0.5.0-8');
++
++# Tests for vulnerability: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
++eval { Net::CIDR::Lite->new("010.0.0.0/8") };
++ok($@=~/Can't determine ip format/);
++
++my $err_octal = Net::CIDR::Lite->new;
++eval { $err_octal->add("010.0.0.0/8") };
++ok($@=~/Can't determine ip format/);
++
++eval { $err_octal->add("10.01.0.0/8") };
++ok($@=~/Can't determine ip format/);
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
index a2aa171979c..2e32b6608a4 100644
--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
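Review bot: The new octet check on the `++ return unless` line in `_pack_ipv4` keeps the `^`/`$` anchors, so a last octet carrying a trailing newline (`"1\n"`) still matches `/^\d{1,3}$/`, passes the new `!/^0\d{1,2}$/` guard and numifies to 1 in `$_ <= 255`; whether such input can reach this sub depends on how `add` splits the prefix, which is outside the hunk. Anchoring with `\A`/`\z` closes that and lets the two patterns collapse into one that admits a bare `0` and rejects `00`, `010` and `007` exactly as the patch does: `return unless /\A(?:0|[1-9]\d{0,2})\z/ and $_ <= 255;`. The three cases added to t/base.t would pass unchanged with that form; a boundary case such as `"10.0.0.256/8"` or an all-zero octet like `"10.00.0.0/8"` would pin what the regex is meant to enforce. The `sub _pack_ipv4 {` line itself sits before the hunk and is visible only as the `@@` context.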
@@ -15119,6 +15119,11 @@ let
 url = "mirror://cpan/authors/id/D/DO/DOUGW/Net-CIDR-Lite-0.21.tar.gz";
 sha256 = "cfa125e8a2aef9259bc3a44e07cbdfb7894b64d22e7c0cee92aee2f5c7915093";
 };
+ patches = [
+ # Fix for security issue: prevent leading zeroes in ipv4 octets
+ # https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
+ ../development/perl-modules/Net-CIDR-Lite-prevent-leading-zeroes-ipv4.patch
+ ];
 meta = {
 description = "Perl extension for merging IPv4 or IPv6 CIDR addresses";
 };