Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libnet-cidr-lite-perl
User: [email protected]
Usertags: pu

Hi

libnet-cidr-lite-perl is affected by two CVEs, CVE-2026-40198 and
CVE-2026-40199. As we had the same version across the supported suites,
I just made a rebuild of the unstable version.

Upstream provided test cases to cover the CVE fix.

While the package has not yet migrated to testing, the fixes are
isolated, so I already uploaded it (but feel free to delay acceptance
until the unstable version really migrates to testing).

Regards,
Salvatore
diff -Nru libnet-cidr-lite-perl-0.22/debian/changelog 
libnet-cidr-lite-perl-0.22/debian/changelog
--- libnet-cidr-lite-perl-0.22/debian/changelog 2022-11-19 14:11:56.000000000 
+0000
+++ libnet-cidr-lite-perl-0.22/debian/changelog 2026-04-11 09:00:17.000000000 
+0000
@@ -1,3 +1,19 @@
+libnet-cidr-lite-perl (0.22-3~deb13u1) trixie; urgency=medium
+
+  * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 11 Apr 2026 11:00:17 +0200
+
+libnet-cidr-lite-perl (0.22-3) unstable; urgency=medium
+
+  * Team upload.
+  * CVE-2026-40198: Reject invalid uncompressed IPv6
+  * CVE-2026-40198: Add tests
+  * CVE-2026-40199: Fix IPv4 mapped IPv6 packed length
+  * CVE-2026-40199: Add tests
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 11 Apr 2026 10:20:46 +0200
+
 libnet-cidr-lite-perl (0.22-2) unstable; urgency=medium
 
   [ Debian Janitor ]
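Review bot: the trixie entry (`0.22-3~deb13u1`) says only "Rebuild for trixie", so someone reading the stable changelog on its own cannot see that this upload is a security update. Consider naming the two fixes in that entry, e.g. "Rebuild for trixie to fix CVE-2026-40198 and CVE-2026-40199 (see 0.22-3)", so the CVE identifiers are visible without reading the inherited unstable entry below it.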
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch    
1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch    
2026-04-11 09:00:17.000000000 +0000
@@ -0,0 +1,37 @@
+From: Stig Palmquist <[email protected]>
+Date: Fri, 10 Apr 2026 00:34:03 +0200
+Subject: CVE-2026-40198: Add tests
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/380562e04f66026ba3859f76b3c8ae0489cbc750
+
+---
+ t/base.t | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 292456d774cc..8ac87a251e6d 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 42 };
++BEGIN { plan tests => 46 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+ 
+@@ -144,3 +144,11 @@ ok($@=~/Can't determine ip format/);
+ 
+ eval { $err_octal->add("10.01.0.0/8") };
+ ok($@=~/Can't determine ip format/);
++
++
++# CVE-2026-40198: Reject IPv6 addresses with too few groups
++foreach my $malformed_ipv6 ("abcd/32", "1:2:3/48", "1:2:3:4:5:6:7/112", "") {
++  eval { Net::CIDR::Lite->new($malformed_ipv6) };
++  ok($@=~/Can't determine ip format/);
++}
++
+-- 
+2.53.0
+
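Review bot: the new loop in t/base.t only exercises rejected inputs ("abcd/32", "1:2:3/48", "1:2:3:4:5:6:7/112", ""); there is no positive case showing that the new group-count check still accepts a full uncompressed address such as "1:2:3:4:5:6:7:8/128", nor a compressed one such as "::1/128", which the fix explicitly exempts through `$empty`. Adding those two accepted cases (and bumping `plan tests` accordingly) would guard against the check being tightened into a regression later. The plan change 42 to 46 matches the four `ok()` calls added here. Minor style point: the two blank `+` lines before the comment could be collapsed to one.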
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch
 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch
--- 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch
     1970-01-01 00:00:00.000000000 +0000
+++ 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch
     2026-04-11 09:00:17.000000000 +0000
@@ -0,0 +1,28 @@
+From: Stig Palmquist <[email protected]>
+Date: Fri, 10 Apr 2026 00:31:51 +0200
+Subject: CVE-2026-40198: Reject invalid uncompressed IPv6
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/25d65f85dbe4885959a10471725ec9d250a589c3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40198
+
+_pack_ipv6() accepted uncompressed IPv6 addresses with fewer than 8
+groups. This resulted in incorrect packed values affecting mask and
+comparison operations. Possibly allowing IP ACL bypass via find().
+---
+ Lite.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Lite.pm b/Lite.pm
+index 0e2299fb2233..acf8f0d3b633 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -206,6 +206,7 @@ sub _pack_ipv6 {
+         return;
+     }
+     return if $ipv4 and @nums > 6;
++    return unless $empty or @nums == ($ipv4 ? 6 : 8);
+     $str =~ s/X/"0" x (($ipv4 ? 25 : 33)-length($str))/e if $empty;
+     pack("H*", "00" . $str).$ipv4;
+ }
+-- 
+2.53.0
+
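Review bot: the added line `return unless $empty or @nums == ($ipv4 ? 6 : 8);` makes the preceding `return if $ipv4 and @nums > 6;` redundant, since any IPv4-mapped input with more than 6 groups now fails the equality test too; keeping the old line is harmless for a minimal backport, but a short comment above the new line would help, explaining that compressed addresses (`$empty`) are exempt because the `::` expansion on the next line fills in the missing groups, while an uncompressed address must carry all 8 groups (6 plus the IPv4 tail). The bare `return` makes the caller raise the generic "Can't determine ip format" error, which is what the accompanying tests check for.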
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch    
1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch    
2026-04-11 09:00:17.000000000 +0000
@@ -0,0 +1,39 @@
+From: Stig Palmquist <[email protected]>
+Date: Fri, 10 Apr 2026 01:20:02 +0200
+Subject: CVE-2026-40199: Add tests
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/029b9417d2078827f790addfa1dceb1df8297b85
+
+---
+ t/base.t | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 8ac87a251e6d..9ee20c2ff47b 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 46 };
++BEGIN { plan tests => 51 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+ 
+@@ -152,3 +152,13 @@ foreach my $malformed_ipv6 ("abcd/32", "1:2:3/48", 
"1:2:3:4:5:6:7/112", "") {
+   ok($@=~/Can't determine ip format/);
+ }
+ 
++# CVE-2026-40199: IPv4 mapped IPv6 with incorrect packing
++my $mapped = Net::CIDR::Lite->new("::ffff:192.168.1.0/120");
++ok($mapped->find("::ffff:192.168.1.1"));
++ok($mapped->find("::ffff:192.168.1.255"));
++ok(! $mapped->find("::ffff:192.168.2.1"));
++
++my $mapped2 = Net::CIDR::Lite->new("::ffff:10.0.0.0/104");
++ok($mapped2->find("::ffff:10.0.0.1"));
++ok(! $mapped2->find("::ffff:11.0.0.1"));
++
+-- 
+2.53.0
+
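Review bot: the negative cases added here ("::ffff:192.168.2.1" against /120 and "::ffff:11.0.0.1" against /104) differ from the range in a whole octet, so they would also have failed to match under the old, over-long packing; they do not pin down the mask alignment that the packed-length fix restores. Suggest adding boundary checks for the /104 range, e.g. `ok($mapped2->find("::ffff:10.255.255.255"));` and `ok(! $mapped2->find("::ffff:9.255.255.255"));`, since /104 covers exactly the first IPv4 octet and an off-by-one-byte mask would get one of these wrong. The plan change 46 to 51 matches the five `ok()` calls added.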
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
--- 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
   1970-01-01 00:00:00.000000000 +0000
+++ 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
   2026-04-11 09:00:17.000000000 +0000
@@ -0,0 +1,29 @@
+From: Stig Palmquist <[email protected]>
+Date: Fri, 10 Apr 2026 01:10:22 +0200
+Subject: CVE-2026-40199: Fix IPv4 mapped IPv6 packed length
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/b7166b1fa17b3b14b4c795ace5b3fbf71a0bd04a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40199
+
+_pack_ipv6() incorrectly included the sentinel byte from _pack_ipv4()
+when packing IPv4 mapped addresses. This resulted in incorrect mask and
+comparison operations. Possibly allowing IP ACL bypass via find().
+---
+ Lite.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lite.pm b/Lite.pm
+index acf8f0d3b633..d52efaa8c742 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -208,7 +208,7 @@ sub _pack_ipv6 {
+     return if $ipv4 and @nums > 6;
+     return unless $empty or @nums == ($ipv4 ? 6 : 8);
+     $str =~ s/X/"0" x (($ipv4 ? 25 : 33)-length($str))/e if $empty;
+-    pack("H*", "00" . $str).$ipv4;
++    pack("H*", "00" . $str).substr($ipv4, 1);
+ }
+ 
+ sub _unpack_ipv6 {
+-- 
+2.53.0
+
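Review bot: `substr($ipv4, 1)` relies on an undocumented property of `_pack_ipv4()`, namely that its first byte is a sentinel and not part of the address; a one-line comment on the changed line would make that explicit for future readers, because nothing in this hunk shows it. The arithmetic visible in the hunk is consistent with the fix: for the mapped case the `X` substitution yields 24 hex digits, which with the `"00"` prefix is 13 bytes, plus the 4-byte IPv4 tail gives 17 bytes, the same length as the pure IPv6 path (`"00"` plus 32 hex digits); before the change the extra sentinel byte made the mapped value 18 bytes, so masks and comparisons against 17-byte values were misaligned. A test asserting `length()` of the packed value for a mapped address would lock this in directly.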
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/series 
libnet-cidr-lite-perl-0.22/debian/patches/series
--- libnet-cidr-lite-perl-0.22/debian/patches/series    1970-01-01 
00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/series    2026-04-11 
09:00:17.000000000 +0000
@@ -0,0 +1,4 @@
+CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch
+CVE-2026-40198-Add-tests.patch
+CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
+CVE-2026-40199-Add-tests.patch
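Review bot: the order in `series` is load-bearing and should not be rearranged: the `index` lines chain across the four patches (t/base.t 292456d774cc to 8ac87a251e6d to 9ee20c2ff47b, Lite.pm 0e2299fb2233 to acf8f0d3b633 to d52efaa8c742), and the second test patch's hunk context already contains the loop added by the first, so applying them in any other order will fail.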
