CVE-2021-29424

NameCVE-2021-29424
DescriptionThe Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs986135

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libnet-netmask-perl (PTS)stretch1.9022-1vulnerable
buster1.9104-1vulnerable
bullseye, sid1.9104-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libnet-netmask-perlsource(unstable)1.9104-2986135

Notes

[buster] - libnet-netmask-perl <no-dsa> (Minor issue)
[stretch] - libnet-netmask-perl <no-dsa> (Minor issue)
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://metacpan.org/changes/distribution/Net-Netmask#L11-22
https://github.com/jmaslak/Net-Netmask/commit/9023b403682f1eaadadf6cb71ba0117a1fa4f163
Fixed by: https://github.com/jmaslak/Net-Netmask/commit/9023b403682f1eaadadf6cb71ba0117a1fa4f163
Improvements and add safe_new() method:
https://github.com/jmaslak/Net-Netmask/commit/6b60b4eb3e98ee7548c13ecb7cb02c626f948a40
Remove warnings introduced in tests:
https://github.com/jmaslak/Net-Netmask/commit/30d82695e32bc3b1615c7cd08d34528252363436

Search for package or bug name: Reporting problems