Bug 1184423 - (CVE-2021-29662) VUL-1: CVE-2021-29662: perl-Data-Validate-IP: bypass access control via zero characters at the beginning of an IP address string
Status: RESOLVED WONTFIX
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 15.2
Hardware: Other Other
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/280812/
CVSSv3.1:SUSE:CVE-2021-29662:5.3:(AV:...
Reported: 2021-04-07 07:20 UTC by Alexander Bergmann
Modified: 2021-04-14 14:49 UTC
Found By: Security Response Team
Description Alexander Bergmann 2021-04-07 07:20:29 UTC
CVE-2021-29662

The Data::Validate::IP module through 0.29 for Perl does not properly consider
extraneous zero characters at the beginning of an IP address string, which (in
some situations) allows attackers to bypass access control that is based on IP
addresses.

Upstream fix:
https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e

This fix changes only the documentation of the is_*_ip() functions.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29662
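
The ambiguity behind this report, as an added example that is not part of the original bug report and is not Data::Validate::IP code: a dotted-quad field with a leading zero is decimal to one parser and octal to an inet_aton(3)-style parser, so an access decision made on one reading can end up applied to a different address. The function names and sample addresses are constructed for illustration, and the strict check is one possible mitigation, assumed here rather than taken from the module's documentation.

```perl
#!/usr/bin/perl
# Added example (not Data::Validate::IP code). Core Perl only.
use strict;
use warnings;

# Base-10 reading of each field; leading zeros are ignored ("010" -> 10).
sub octets_as_decimal {
    my ($str) = @_;
    return join '.', map { $_ + 0 } split /\./, $str;
}

# inet_aton(3)-style reading: a field with a leading zero is octal ("010" -> 8).
# Fields such as "08", which such parsers reject, are not modelled here.
sub octets_as_octal_aware {
    my ($str) = @_;
    return join '.', map { /\A0[0-7]+\z/ ? oct($_) : $_ + 0 } split /\./, $str;
}

# Strict check to run before any allow/deny decision: exactly four decimal
# fields in 0..255 and no leading zeros, so every parser reads the same address.
sub is_canonical_ipv4 {
    my ($str) = @_;
    return 0 unless defined $str;
    my @fields = split /\./, $str, -1;   # -1 keeps trailing empty fields
    return 0 unless @fields == 4;
    for my $f (@fields) {
        return 0 unless $f =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $f <= 255;
    }
    return 1;
}

# Constructed sample inputs.
for my $ip ('10.0.0.1', '010.0.0.1', '012.0.0.1', '192.168.1.1') {
    my ($dec, $oct) = (octets_as_decimal($ip), octets_as_octal_aware($ip));
    printf "%-12s decimal=%-12s octal-aware=%-12s %s, %s\n",
        $ip, $dec, $oct,
        ($dec eq $oct ? 'readings agree' : 'READINGS DIFFER'),
        (is_canonical_ipv4($ip) ? 'accept' : 'reject');
}
```

Rejecting non-canonical input outright, instead of normalising it, avoids having to guess which reading a downstream resolver or socket call will use.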
Comment 1 Stephan Kulow 2021-04-07 07:34:04 UTC
The commit referenced (and from what I see all of that release) just adds documentation on what to do when using this module. So I see no fix in the perl code of the module itself.
Comment 2 Stephan Kulow 2021-04-07 09:26:09 UTC
The CVE is invalid IMO. The bug is not in the module, the API is just very easy to misuse so they added a clarification to their documentation. Releasing an update to documentation doesn't seem plausible to me. 

Reassigning to security team for reevaluation
Comment 3 Alexander Bergmann 2021-04-14 14:49:07 UTC
Agreed. We keep this bug as a reference and that we will not change the documentation. CVEs like this are really annoying.

Closing as wontfix.