From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id sNv3MCyxbGAsOAAAgWs5BA (envelope-from ) for ; Tue, 06 Apr 2021 21:06:20 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id cOTBKiyxbGDxIgAAbx9fmQ (envelope-from ) for ; Tue, 06 Apr 2021 19:06:20 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 275FF24ADF for ; Tue, 6 Apr 2021 21:06:20 +0200 (CEST) Received: from localhost ([::1]:51770 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lTr1n-0001hQ-89 for larch@yhetil.org; Tue, 06 Apr 2021 15:06:19 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:39562) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTr1W-0001hH-Pj for bug-guix@gnu.org; Tue, 06 Apr 2021 15:06:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:58461) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lTr1W-0003x7-Hc for bug-guix@gnu.org; Tue, 06 Apr 2021 15:06:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lTr1W-00082m-C5 for bug-guix@gnu.org; Tue, 06 Apr 2021 15:06:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47624: Various IP handling perl packages may be vulnerable Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 06 Apr 2021 19:06:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 47624 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 47624@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.161773594130888 (code B ref -1); Tue, 06 Apr 2021 19:06:02 +0000 Received: (at submit) by debbugs.gnu.org; 6 Apr 2021 19:05:41 +0000 Received: from localhost ([127.0.0.1]:41774 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTr1A-000828-UA for submit@debbugs.gnu.org; Tue, 06 Apr 2021 15:05:41 -0400 Received: from lists.gnu.org ([209.51.188.17]:53212) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTr18-000820-S8 for submit@debbugs.gnu.org; Tue, 06 Apr 2021 15:05:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:39484) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTr18-0001cR-Kx for bug-guix@gnu.org; Tue, 06 Apr 2021 15:05:38 -0400 Received: from mail.zaclys.net ([178.33.93.72]:33899) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTr16-0003cK-08 for bug-guix@gnu.org; Tue, 06 Apr 2021 15:05:38 -0400 Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 136J5Xnb039122 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Tue, 6 Apr 2021 21:05:33 +0200 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 136J5Xnb039122 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1617735933; bh=PlU/q0+JKvgr9uVjOzwehOX1UUVhYLyj9cL1/rzJtK8=; h=Subject:From:To:Date:From; b=YTAWNmaeAVlDFKR1RihXyJRUymrve0c7HNBdEYKjciKjT28RVJdbo1N7iL2izBCtD VVgsM2rEmpBAfYFinarhLn2q8QQne8xUXIcXvHW11KB66EfA/Kvrk5mN+Dt8wPSxCa M/XuP4uSGn/YXLGsvd2Sd/Jo4DyOu8EEAewM1pXI= Message-ID: <44719c334e267e20361041fbf1d8c4d2aa5125f9.camel@zaclys.net> Date: Tue, 06 Apr 2021 21:05:33 +0200 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-tPDzcV8ysifd90S+ZAXS" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" Reply-to: =?UTF-8?Q?L=C3=A9o?= Le Bouter From: =?UTF-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617735980; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:list-id:list-help:list-unsubscribe:list-subscribe: list-post:dkim-signature; bh=PlU/q0+JKvgr9uVjOzwehOX1UUVhYLyj9cL1/rzJtK8=; b=pDMuzl9YSCsTvnTStpwa5PD683FJOJ8ZYb9RN01oo0i78P+uATDyKhELYXwAxd8J9/iD6b mfyBJugU1BQW0GD85CbEe6qv9MJmYSML+xH59DLW595R8DAz7BNZtYCeDS7Y7vF8CDXES9 ZMEsslRtXfjDgyPrS/QS34vBEM/xIZ/CdoI9XOj1KAnDsWwJtiy5hEpisZ/KCbrtvruIVN Wf/edmV9ItQ/It7wvRXg0LXYHlAJfbCIP0E7jXO13E+uLyWS4JaJMWHQ5sYylXcuamyHfO CPjphKfQG9RkQHypdsHWMssmi48KVbOKdGQ8EvSE2/1CDvt0z4xk4Lh8PRrXhw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617735980; a=rsa-sha256; cv=none; b=Eaw5m8Rig+IFGUJdzeFVs71ZY4l+ZEn7eFPNJsMbYKrnWg7OAOqTPqt40CNTKOgVRQnWHs yjK6HZBdng+DKPJ0xJ9YdAf1rWqmiNmizbp0ApHqA+tC2j/+82+k8iEbF8kvu10Lj3//jZ PrmITJy3v2fN/IOZRvEyZ1PBjdNDIjttflZBPSNRqriGLdGZdorrrfMmvkb2t+cVY4UEp3 FEkZ+g2V8lBh/RdHOYux4JbmrWNXj+rx9HYBIqUVxvm/Qlliy3Hfc89QrZX/gEkebB6znx HRHiuSYtPUnlrKbUTxK6+qEvbIsmM5jD18q4159M1/yKr8bMGegRyM8ClrqecA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=YTAWNmae; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -3.54 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=YTAWNmae; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 275FF24ADF X-Spam-Score: -3.54 X-Migadu-Scanner: scn0.migadu.com X-TUID: zyNMX393hM/G --=-tPDzcV8ysifd90S+ZAXS Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Read:=20 https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros= / I have not had time to investigate deeply, posting here so the info is not lost. I have already fixed one issue related to perl-data-validate- ip in 8ec03ed5475ca7919a7d11541ff8cbf33a9ffe67, but it seems there's several others. One as CVE recently: CVE-2021-29424 18:15 The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. Can't find a corresponding package in GNU Guix. To be continued! L=C3=A9o --=-tPDzcV8ysifd90S+ZAXS Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBssP0ACgkQRaix6GvN EKavoBAAlbKSQLgDAYVOLoii0COsBG6nqca+aotCTbP2t9eelqwmcHHRJdb62OgN P14Gsy6KswgdlJeTOM73Zh03IfIMWE/DR0tNUy5tiZ7AyXrLytUXB1KYrHu14zBw /pd76mSqEEezG3kjMdvuRZHYfhp2xPE+xTzdfykLRxgnqmInBEIAWRoFNNN+yeJJ ixEDVYeT7E7J7tO1MMlrqNjcVZmOJv2RrU19Q4MUd8MZJDeby7CFRXA3YEy+P0zs dNkDXq70cvKWpp7lDqSmrh4a0JU451tKH0QutZVUAofLbCL8BDsCZekyFhmpb8NZ 4YEin0uc9NwOGMAlPE0kc2YUJnSdaywE20+ZkruX+Sofr39ZKTy/IGsLtwYdEw8G yo9Me5Mqh1p4GxAFneNoJAgxXbVIH+eTxvM/Ta9scjanqzeFZLBm55NaxJsbwgkf +SEVNzoiakYusfa4XfoIN5QiDsDdIi/vunn7x5+cOHgVmQ2O5YyPLJ0ftOUG2rCP H4AXkzo6t/4BBjmTdnVA4h1IUt1iKzjTPMNTX2Ocb/ARKiW+yBzaKLyDq+3QFjJX AWUaJ6b19vMTUjsTnm8m98wKHmJpUmgfkNVZvRjLSjugNpvTFGHHSL24gibsazzp KgQm0EzaMZQyi7886583g7KWZgfGJtVa+ziafBCOMEtUYXId25c= =04yD -----END PGP SIGNATURE----- --=-tPDzcV8ysifd90S+ZAXS--