Bugzilla – Full Text Bug Listing
Summary: VUL-1: CVE-2021-29662: perl-Data-Validate-IP: bypass access control via zero characters at the beginning of an IP address string
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Basesystem
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Priority: P4 - Low
CC: abergmann, coolo
Found By: Security Response Team
Services Priority:
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2021-04-07 07:20:29 UTC
CVE-2021-29662: The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

Upstream fix: https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e

This fix changes only the documentation of the is_*_ip() functions.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29662
Comment 1 Stephan Kulow 2021-04-07 07:34:04 UTC
The commit referenced (and from what I see all of that release) just adds documentation on what to do when using this module. So I see no fix in the perl code of the module itself.
Comment 2 Stephan Kulow 2021-04-07 09:26:09 UTC
The CVE is invalid IMO. The bug is not in the module, the API is just very easy to misuse so they added a clarification to their documentation. Releasing an update to documentation doesn't seem plausible to me. Reassigning to security team for reevaluation
Comment 3 Alexander Bergmann 2021-04-14 14:49:07 UTC
Agreed. We keep this bug as a reference, and we will not change the documentation. CVEs like this are really annoying. Closing as wontfix.