Bug 1944874 (CVE-2021-29424)

Summary: CVE-2021-29424 perl-Net-Netmask: incorrectly parses an IP address with leading zeros in IP octets
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jplesnik, marianne, ppisar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-30 23:35:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1944875, 1944876    
Bug Blocks: 1944878    

Description Guilherme de Almeida Suckevicz 2021-03-30 20:30:26 UTC 
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

References:
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://metacpan.org/changes/distribution/Net-Netmask#L11-22
Comment 1 Guilherme de Almeida Suckevicz 2021-03-30 20:30:45 UTC 
Created perl-Net-Netmask tracking bugs for this issue:

Affects: epel-all [bug 1944876]
Affects: fedora-all [bug 1944875]
Comment 2 Product Security DevOps Team 2021-03-30 23:35:17 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Petr Pisar 2021-03-31 06:52:33 UTC 
This "vulnerability" is quite questionable. E.g. inet(3) reads:

  In  all of the above forms, components of the dotted address can be specified in decimal,
  octal (with a leading 0), or hexadecimal, with a leading 0X).

While getaddrinfo(3):

  src points to a character string containing an IPv4 network address in dotted-decimal
  format, "ddd.ddd.ddd.ddd", where ddd is a decimal number of up to three digits in the
  range 0 to 255.

So one need to be careful which API he uses. Net-Mask-2.0000 resolved the ambiguity by disallowing any leading zeros.