The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

References:
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://metacpan.org/changes/distribution/Net-Netmask#L11-22
Created perl-Net-Netmask tracking bugs for this issue: Affects: epel-all [bug 1944876] Affects: fedora-all [bug 1944875]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
This "vulnerability" is quite questionable. E.g. inet(3) reads: "In all of the above forms, components of the dotted address can be specified in decimal, octal (with a leading 0), or hexadecimal (with a leading 0X)." While getaddrinfo(3) reads: "src points to a character string containing an IPv4 network address in dotted-decimal format, "ddd.ddd.ddd.ddd", where ddd is a decimal number of up to three digits in the range 0 to 255." So one needs to be careful which API one uses. Net-Netmask-2.0000 resolved the ambiguity by disallowing any leading zeros.
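As an added illustration of the parser differential discussed in this bug (example code written for this entry, not code from the Net-Netmask distribution or from the commenter above), the block below puts three parsers side by side: a lenient one that reads every component as decimal and ignores leading zeros (the pre-2.0000 behaviour described in the CVE text), the C library's inet_aton(3) via Python's socket module (leading 0 means octal), and a strict dotted-decimal parser that rejects leading zeros (the rule Net-Netmask 2.0000 adopted). The deny-list 8.0.0.0/8 and the input string "010.0.0.1" are constructed for the example.

```python
import socket
import struct

# Constructed scenario: an access-control list denies 8.0.0.0/8. The
# attacker supplies "010.0.0.1", which a decimal parser reads as 10.0.0.1
# while inet_aton(3) reads it as octal 010 = 8, i.e. 8.0.0.1.
DENY_NET = "8.0.0.0"
DENY_PREFIX = 8


def parse_lenient(addr):
    """Lenient parse: each component is decimal, leading zeros are ignored.

    This mirrors the behaviour the CVE text attributes to Net::Netmask
    before 2.0000 (our own re-implementation, not the module's code).
    """
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted components: %r" % addr)
    octets = []
    for part in parts:
        if not part.isdigit():
            raise ValueError("non-decimal component: %r" % part)
        value = int(part, 10)          # "010" -> 10, the leading 0 is dropped
        if value > 255:
            raise ValueError("component out of range: %r" % part)
        octets.append(value)
    return int.from_bytes(bytes(octets), "big")


def parse_libc(addr):
    """inet_aton(3) semantics: a leading 0 means octal, 0x means hexadecimal.

    socket.inet_aton raises OSError for strings libc does not accept.
    """
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def parse_strict(addr):
    """Canonical dotted-decimal only: 1-3 decimal digits, no leading zeros.

    This is the getaddrinfo/inet_pton rule and what Net-Netmask 2.0000
    enforces by rejecting any leading zero.
    """
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted components: %r" % addr)
    octets = []
    for part in parts:
        if (not part.isdigit() or len(part) > 3
                or (len(part) > 1 and part[0] == "0")):
            raise ValueError("not canonical dotted-decimal: %r" % part)
        value = int(part, 10)
        if value > 255:
            raise ValueError("component out of range: %r" % part)
        octets.append(value)
    return int.from_bytes(bytes(octets), "big")


def in_network(ip_int, net_str, prefix):
    """True if the 32-bit address lies inside net_str/prefix."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (ip_int & mask) == (parse_strict(net_str) & mask)


def acl_allows(addr, parser):
    """Apply the deny-list using the given parser.

    Unparseable input is denied, so a strict parser fails closed.
    """
    try:
        ip = parser(addr)
    except (ValueError, OSError):
        return False
    return not in_network(ip, DENY_NET, DENY_PREFIX)


def to_dotted(ip_int):
    return socket.inet_ntoa(struct.pack("!I", ip_int))


if __name__ == "__main__":
    attacker_input = "010.0.0.1"
    print("lenient ACL sees :", to_dotted(parse_lenient(attacker_input)))
    print("libc connects to :", to_dotted(parse_libc(attacker_input)))
    print("lenient ACL allows:", acl_allows(attacker_input, parse_lenient))
    print("strict ACL allows :", acl_allows(attacker_input, parse_strict))
```

The bypass is the gap between the first two lines of output: the lenient ACL checks 10.0.0.1 (not denied), but the socket layer, which uses inet_aton semantics, delivers the connection to 8.0.0.1, inside the denied range. The strict parser refuses the string outright, so the ACL and the network stack can no longer disagree about what the string means.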