Bug 1184423 - (CVE-2021-29662) VUL-1: CVE-2021-29662: perl-Data-Validate-IP: bypass access control via zero characters at the beginning of an IP address string
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 15.2
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Reported: 2021-04-07 07:20 UTC by Alexander Bergmann
Modified: 2021-04-14 14:49 UTC (History)

Found By: Security Response Team

Description Alexander Bergmann 2021-04-07 07:20:29 UTC

The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP

Upstream fix:

This fix changes only the documentation of the is_*_ip() functions.
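The ambiguity behind the CVE, as an added Python illustration (not code from the Data::Validate::IP module or from this bug report): a lenient dotted-quad check, assumed here to behave like "1-3 digits per octet, numerically at most 255", accepts `010.0.0.1` and reads the octet as decimal 10, while a C inet_aton(3)-style parser reads a leading zero as octal, so an allow-list comparison on the raw string and the address the socket layer actually uses can disagree; the strict validator rejects leading zeros before any comparison. The allow-list and the sample addresses are constructed.

```python
import re

# Constructed sample allow-list (an assumption, not taken from the bug report).
ALLOWED = {"10.0.0.1"}

# Lenient check modelled on "1-3 digits per octet, each <= 255" (assumed behaviour).
_LENIENT = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Strict check: decimal octets 0-255 with no leading zeros, so only one reading exists.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def lenient_ipv4(s: str) -> bool:
    """Accepts '010.0.0.1': the octet '010' is compared numerically as 10."""
    m = _LENIENT.match(s)
    return m is not None and all(int(o) <= 255 for o in m.groups())


def strict_ipv4(s: str) -> bool:
    """Rejects any octet with a leading zero (and anything that is not a dotted quad)."""
    return _STRICT.match(s) is not None


def c_style_octet(tok: str):
    """Read one octet like C inet_aton(3): 0x -> hex, leading 0 -> octal, else decimal.
    Returns None for tokens that are not valid in that reading (e.g. '08' as octal)."""
    try:
        if tok[:2].lower() == "0x":
            return int(tok[2:], 16)
        if len(tok) > 1 and tok[0] == "0":
            return int(tok, 8)
        return int(tok)
    except ValueError:
        return None


def readings(s: str):
    """Return (decimal reading, inet_aton-style reading) of a dotted quad as canonical strings."""
    toks = s.split(".")
    decimal = ".".join(str(int(t)) for t in toks)
    c_vals = [c_style_octet(t) for t in toks]
    c_style = None if None in c_vals else ".".join(str(v) for v in c_vals)
    return decimal, c_style


def acl_allows(s: str, allowlist=ALLOWED) -> bool:
    """Defensive check: refuse ambiguous spellings before consulting the allow-list."""
    return strict_ipv4(s) and s in allowlist
```

Normalising to a canonical form (or rejecting leading zeros outright) before comparing against an access list is what the upstream documentation change advises callers to do themselves.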

Comment 1 Stephan Kulow 2021-04-07 07:34:04 UTC
The commit referenced (and from what I see all of that release) just adds documentation on what to do when using this module. So I see no fix in the perl code of the module itself.
Comment 2 Stephan Kulow 2021-04-07 09:26:09 UTC
The CVE is invalid IMO. The bug is not in the module, the API is just very easy to misuse so they added a clarification to their documentation. Releasing an update to documentation doesn't seem plausible to me. 

Reassigning to security team for reevaluation
Comment 3 Alexander Bergmann 2021-04-14 14:49:07 UTC
Agreed. We keep this bug as a reference and that we will not change the documentation. CVEs like this are really annoying.

Closing as wontfix.