Oh, you're right! The code still appears to be bad to me. Please provide a patch that performs a gethostbyname() on the gethostbyaddr() to compare to ensure it matches the $addr before gleefully bricking over {'peerhost'}.
On Thu, May 28, 2020 at 2:25 PM Petter Reinholdtsen <p...@hungry.com> wrote: > [Rob Brown] > > Is this Issue still open? Is it still a problem in the latest version? > > Or can I close this RT Ticket now? > > The code in question seem to be this section from Net/Server.pm version > 2.009: > > if ($addr && defined $prop->{'reverse_lookups'}) { > if ($INC{'Socket6.pm'} && Socket6->can('getnameinfo')) { > my @res = Socket6::getnameinfo($addr, 0); > $prop->{'peerhost'} = $res[0] if @res > 1; > }else{ > $prop->{'peerhost'} = gethostbyaddr($addr, AF_INET); > } > } > > As far as I can tell, it only do reverse lookup without comparing it to > the addresses returned by a lookup of the name returned by the reverse > lookup, which seem to be the problem described in the CVE. > > In short, I believe the problem from 2013 still is unsolved in version > 2.009, but do not know the code and might have overlooked something. > > -- > Happy hacking > Petter Reinholdtsen >