Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1140833,
regarding trixie-pu: package libnet-cidr-lite-perl/0.22-3~deb13u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140833: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140833
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], 
[email protected], [email protected], [email protected], 
[email protected]
Control: affects -1 + src:libnet-cidr-lite-perl
User: [email protected]
Usertags: pu

Hi

[ Reason ]
libnet-cidr-lite-perl is vulnerable to CVE-2026-45190 and
CVE-2026-45191, which do not warrant a DSA.

[ Impact ]
Debian trixie would remain open to both CVEs.

[ Tests ]
Both fixes contain upstream updated testsuite to cover the issues.
Additionally debusine runs at:
https://debusine.debian.net/debian/developers/work-request/895560/

[ Risks ]
Patches applied from upstream and are targeted for the two issues.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Reject Unicode digits and trailing newlines in parsers (for
CVE-2026-45190) and reject zero-padded CIDR masks (for
CVE-2026-45191). Add tests cases for both.

[ Other info ]
None

Regards,
Salvatore
diff -Nru libnet-cidr-lite-perl-0.22/debian/changelog 
libnet-cidr-lite-perl-0.22/debian/changelog
--- libnet-cidr-lite-perl-0.22/debian/changelog 2026-04-11 09:00:17.000000000 
+0000
+++ libnet-cidr-lite-perl-0.22/debian/changelog 2026-06-27 10:05:16.000000000 
+0000
@@ -1,3 +1,13 @@
+libnet-cidr-lite-perl (0.22-3~deb13u2) trixie; urgency=medium
+
+  * Team upload.
+  * CVE-2026-45190: Reject Unicode digits and trailing newlines in parsers
+  * CVE-2026-45190: Add tests
+  * CVE-2026-45191: Reject zero-padded CIDR masks
+  * CVE-2026-45191: Add tests
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 27 Jun 2026 12:05:16 +0200
+
 libnet-cidr-lite-perl (0.22-3~deb13u1) trixie; urgency=medium
 
   * Rebuild for trixie
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch    
1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch    
2026-06-27 10:05:16.000000000 +0000
@@ -0,0 +1,50 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:37:45 +0200
+Subject: CVE-2026-45190: Add tests
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/990abf34e5d0f2908762771bd96749030e9f9902
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ t/base.t | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 9ee20c2ff47b..04702919bcec 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 51 };
++BEGIN { plan tests => 62 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+ 
+@@ -162,3 +162,22 @@ my $mapped2 = Net::CIDR::Lite->new("::ffff:10.0.0.0/104");
+ ok($mapped2->find("::ffff:10.0.0.1"));
+ ok(! $mapped2->find("::ffff:11.0.0.1"));
+ 
++# CVE-2026-45190: Reject trailing newline in parser inputs
++ok(! defined Net::CIDR::Lite::_pack_ipv4("1.2.3.4\n"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6("::1\n"));
++eval { Net::CIDR::Lite->new("1.2.3.4\n") };
++ok($@=~/Can't determine ip format/);
++eval { Net::CIDR::Lite->new("::1\n") };
++ok($@=~/Can't determine ip format/);
++eval { Net::CIDR::Lite->new("1.2.3.4/24\n") };
++ok($@=~/Bad mask/);
++
++# CVE-2026-45190: Reject non-ASCII Unicode digits in parser inputs
++ok(! defined Net::CIDR::Lite::_pack_ipv4("\x{0661}.2.3.4"));
++ok(! defined Net::CIDR::Lite::_pack_ipv4("\x{ff11}.2.3.4"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6("\x{ff10}1::1"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6("\x{0966}1::1"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6(chr(0x1D7CF) . "::1"));
++eval { Net::CIDR::Lite->new("1.2.3.4/1\x{ff10}") };
++ok($@=~/Bad mask/);
++
+-- 
+2.53.0
+
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
--- 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
        1970-01-01 00:00:00.000000000 +0000
+++ 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
        2026-06-27 10:05:16.000000000 +0000
@@ -0,0 +1,64 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:37:26 +0200
+Subject: CVE-2026-45190: Reject Unicode digits and trailing newlines in
+ parsers
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-45190
+
+The parser regexes used \d (matches the Unicode Nd category) and
+/^...$/ (matches before a trailing "\n"). Both let inputs slip past
+the validators that pack("H*",...) and numeric coercion then
+re-encoded to a different address. Possibly allowing IP ACL bypass
+via find().
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ Lite.pm | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Lite.pm b/Lite.pm
+index 005ebbe1337d..8b5a20cfa035 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -37,7 +37,7 @@ sub add {
+     my ($ip, $mask) = split "/", shift;
+     $self->_init($ip) || confess "Can't determine ip format" unless %$self;
+     confess "Bad mask $mask"
+-        unless $mask =~ /^\d+$/ and $mask <= $self->{NBITS}-8;
++        unless $mask =~ /\A[0-9]+\z/ and $mask <= $self->{NBITS}-8;
+     $mask += 8;
+     my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask]
+         or confess "Bad ip address: $ip";
+@@ -181,7 +181,7 @@ sub _pack_ipv4 {
+     my @nums = split /\./, shift(), -1;
+     return unless @nums == 4;
+     for (@nums) {
+-        return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
++        return unless /\A[0-9]{1,3}\z/ and !/\A0[0-9]{1,2}\z/ and $_ <= 255;
+     }
+     pack("CC*", 0, @nums);
+ }
+@@ -192,15 +192,15 @@ sub _unpack_ipv4 {
+ 
+ sub _pack_ipv6 {
+     my $ip = shift;
+-    $ip =~ s/^::$/::0/;
+-    return if $ip =~ /^:/ and $ip !~ s/^::/:/;
+-    return if $ip =~ /:$/ and $ip !~ s/::$/:/;
++    $ip =~ s/\A::\z/::0/;
++    return if $ip =~ /\A:/ and $ip !~ s/\A::/:/;
++    return if $ip =~ /:\z/ and $ip !~ s/::\z/:/;
+     my @nums = split /:/, $ip, -1;
+     return unless @nums <= 8;
+     my ($empty, $ipv4, $str) = (0,'','');
+     for (@nums) {
+         return if $ipv4;
+-        $str .= "0" x (4-length) . $_, next if /^[a-fA-F\d]{1,4}$/;
++        $str .= "0" x (4-length) . $_, next if /\A[a-fA-F0-9]{1,4}\z/;
+         do { return if $empty++ }, $str .= "X", next if $_ eq '';
+         next if $ipv4 = _pack_ipv4($_);
+         return;
+-- 
+2.53.0
+
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch    
1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch    
2026-06-27 10:05:16.000000000 +0000
@@ -0,0 +1,39 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:38:12 +0200
+Subject: CVE-2026-45191: Add tests
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/9ad49797e05b277977532dfb74bcd6605d496a4c
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ t/base.t | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 04702919bcec..ddf8ccae2f8c 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 62 };
++BEGIN { plan tests => 66 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+ 
+@@ -181,3 +181,11 @@ ok(! defined Net::CIDR::Lite::_pack_ipv6(chr(0x1D7CF) . 
"::1"));
+ eval { Net::CIDR::Lite->new("1.2.3.4/1\x{ff10}") };
+ ok($@=~/Bad mask/);
+ 
++# CVE-2026-45191: Reject zero-padded CIDR masks
++foreach my $padded ("00", "01", "032") {
++    eval { Net::CIDR::Lite->new("1.2.3.4/$padded") };
++    ok($@=~/Bad mask/);
++}
++eval { Net::CIDR::Lite->new("::/00") };
++ok($@=~/Bad mask/);
++
+-- 
+2.53.0
+
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
--- 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
        1970-01-01 00:00:00.000000000 +0000
+++ 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
        2026-06-27 10:05:16.000000000 +0000
@@ -0,0 +1,35 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:37:58 +0200
+Subject: CVE-2026-45191: Reject zero-padded CIDR masks
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-45191
+
+add() accepted zero-padded masks ("/00", "/032") as decimal, parsing
+them to a different range than a textual filter would expect.
+Incomplete fix of CVE-2021-47154, which only covered the IPv4 octet
+half. Possibly allowing IP ACL bypass via find().
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ Lite.pm | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Lite.pm b/Lite.pm
+index 8b5a20cfa035..295c345b7208 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -37,7 +37,9 @@ sub add {
+     my ($ip, $mask) = split "/", shift;
+     $self->_init($ip) || confess "Can't determine ip format" unless %$self;
+     confess "Bad mask $mask"
+-        unless $mask =~ /\A[0-9]+\z/ and $mask <= $self->{NBITS}-8;
++        unless defined $mask
++        and $mask =~ /\A(?:0|[1-9][0-9]*)\z/
++        and $mask <= $self->{NBITS}-8;
+     $mask += 8;
+     my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask]
+         or confess "Bad ip address: $ip";
+-- 
+2.53.0
+
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/series 
libnet-cidr-lite-perl-0.22/debian/patches/series
--- libnet-cidr-lite-perl-0.22/debian/patches/series    2026-04-11 
09:00:17.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/series    2026-06-27 
10:05:16.000000000 +0000
@@ -2,3 +2,7 @@
 CVE-2026-40198-Add-tests.patch
 CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
 CVE-2026-40199-Add-tests.patch
+CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
+CVE-2026-45190-Add-tests.patch
+CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
+CVE-2026-45191-Add-tests.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to