| Name | CVE-2021-29424 |
| Description | The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 986135 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libnet-netmask-perl (PTS) | buster | 1.9104-1 | vulnerable |
| bullseye | 1.9104-2 | fixed | |
| sid, trixie, bookworm | 2.0002-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libnet-netmask-perl | source | (unstable) | 1.9104-2 | 986135 |
[buster] - libnet-netmask-perl <no-dsa> (Minor issue)
[stretch] - libnet-netmask-perl <no-dsa> (Minor issue)
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://metacpan.org/changes/distribution/Net-Netmask#L11-22
https://github.com/jmaslak/Net-Netmask/commit/9023b403682f1eaadadf6cb71ba0117a1fa4f163
Fixed by: https://github.com/jmaslak/Net-Netmask/commit/9023b403682f1eaadadf6cb71ba0117a1fa4f163
Improvements and add safe_new() method:
https://github.com/jmaslak/Net-Netmask/commit/6b60b4eb3e98ee7548c13ecb7cb02c626f948a40
Remove warnings introduced in tests:
https://github.com/jmaslak/Net-Netmask/commit/30d82695e32bc3b1615c7cd08d34528252363436