GNU logs - #47624, boring messages

Message sent to bug-guix@HIDDEN:

Subject: bug#47624: Various IP handling perl packages may be vulnerable
Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Tue, 06 Apr 2021 19:06:02 +0000
Resent-Message-ID: <handler.47624.B.161773594130888 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 47624 <at> debbugs.gnu.org
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 136J5Xnb039122
Message-ID: <44719c334e267e20361041fbf1d8c4d2aa5125f9.camel@HIDDEN>
From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Date: Tue, 06 Apr 2021 21:05:33 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-tPDzcV8ysifd90S+ZAXS"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.5 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: Read:
 https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
 I have not had time to investigate deeply, posting here so the info is not
 lost. I have already fixed one issue related to perl-data-validate- ip in
 8ec03ed5475ca7919a7d11541ff8cbf33a9ffe67, but it se [...] 
 Content analysis details:   (1.5 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
 [209.51.188.17 listed in wl.mailspike.net]
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.8 MAY_BE_FORGED          Relay IP's reverse DNS does not resolve to IP
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)


--=-tPDzcV8ysifd90S+ZAXS
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Read:=20
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros=
/

I have not had time to investigate deeply, posting here so the info is
not lost. I have already fixed one issue related to perl-data-validate-
ip in 8ec03ed5475ca7919a7d11541ff8cbf33a9ffe67, but it seems there's
several others.

One as CVE recently:

CVE-2021-29424	18:15
The Net::Netmask module before 2.0000 for Perl does not properly
consider extraneous zero characters at the beginning of an IP address
string, which (in some situations) allows attackers to bypass access
control that is based on IP addresses.

Can't find a corresponding package in GNU Guix.

To be continued!
L=C3=A9o

--=-tPDzcV8ysifd90S+ZAXS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBssP0ACgkQRaix6GvN
EKavoBAAlbKSQLgDAYVOLoii0COsBG6nqca+aotCTbP2t9eelqwmcHHRJdb62OgN
P14Gsy6KswgdlJeTOM73Zh03IfIMWE/DR0tNUy5tiZ7AyXrLytUXB1KYrHu14zBw
/pd76mSqEEezG3kjMdvuRZHYfhp2xPE+xTzdfykLRxgnqmInBEIAWRoFNNN+yeJJ
ixEDVYeT7E7J7tO1MMlrqNjcVZmOJv2RrU19Q4MUd8MZJDeby7CFRXA3YEy+P0zs
dNkDXq70cvKWpp7lDqSmrh4a0JU451tKH0QutZVUAofLbCL8BDsCZekyFhmpb8NZ
4YEin0uc9NwOGMAlPE0kc2YUJnSdaywE20+ZkruX+Sofr39ZKTy/IGsLtwYdEw8G
yo9Me5Mqh1p4GxAFneNoJAgxXbVIH+eTxvM/Ta9scjanqzeFZLBm55NaxJsbwgkf
+SEVNzoiakYusfa4XfoIN5QiDsDdIi/vunn7x5+cOHgVmQ2O5YyPLJ0ftOUG2rCP
H4AXkzo6t/4BBjmTdnVA4h1IUt1iKzjTPMNTX2Ocb/ARKiW+yBzaKLyDq+3QFjJX
AWUaJ6b19vMTUjsTnm8m98wKHmJpUmgfkNVZvRjLSjugNpvTFGHHSL24gibsazzp
KgQm0EzaMZQyi7886583g7KWZgfGJtVa+ziafBCOMEtUYXId25c=
=04yD
-----END PGP SIGNATURE-----

--=-tPDzcV8ysifd90S+ZAXS--

Message sent:

Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Subject: bug#47624: Acknowledgement (Various IP handling perl packages may
 be vulnerable)
Message-ID: <handler.47624.B.161773594130888.ack <at> debbugs.gnu.org>
References: <44719c334e267e20361041fbf1d8c4d2aa5125f9.camel@HIDDEN>
X-Gnu-PR-Message: ack 47624
X-Gnu-PR-Package: guix
Reply-To: 47624 <at> debbugs.gnu.org
Date: Tue, 06 Apr 2021 19:06:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 47624 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--=20
47624: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D47624
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Message received at control <at> debbugs.gnu.org:

Received: (at control) by debbugs.gnu.org; 6 Apr 2021 19:06:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 06 15:06:30 2021
Received: from localhost ([127.0.0.1]:41779 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lTr1y-00083w-7O
	for submit <at> debbugs.gnu.org; Tue, 06 Apr 2021 15:06:30 -0400
Received: from mail.zaclys.net ([178.33.93.72]:35977)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lTr1w-00083h-EE
 for control <at> debbugs.gnu.org; Tue, 06 Apr 2021 15:06:29 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 136J6MUU039201
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <control <at> debbugs.gnu.org>; Tue, 6 Apr 2021 21:06:22 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 136J6MUU039201
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1617735982;
 bh=/6F/hXfzIP3q2GPpEBxNE8I4mZHpUnkNsy1kfnaWd2A=;
 h=Subject:From:To:Date:From;
 b=IykEGUPnSxLnNb7Efo1QWBTn0G/6jfpeROTZYlDtAkLT+RDO3Aw6ZMyhsL9U4Go4q
 Pr4pCNHCCFnqSdQocEBJiwLWOn5Pl/iL7YxXL0x5DrO3oS+c4XBO4VY/Fpon2h9qYT
 d+XHY6dT/hPJ2kKsyRrz+8dvXzVlhzxcN8DwG41w=
Message-ID: <356219e68580344f61d6ed3cfb919f3c3371cb49.camel@HIDDEN>
Subject: 
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: control <at> debbugs.gnu.org
Date: Tue, 06 Apr 2021 21:06:22 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-1j+Tbjv4yy2uBuMC7j50"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-Spam-Score: 2.0 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  tags 47624 + security quit 
 Content analysis details:   (2.0 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 2.0 BLANK_SUBJECT          Subject is present but empty
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.0 (+)


--=-1j+Tbjv4yy2uBuMC7j50
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

tags 47624 + security
quit

--=-1j+Tbjv4yy2uBuMC7j50
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBssS4ACgkQRaix6GvN
EKZ6ZBAAinRGle5/cdZew2Odw2bLum+W3M50630Rahrg9pj9gixoP63DB71W35/7
CAAp8oo0meedKfsXo2qeRu8GhNGNSA/QY7ouBcSYuv4XeMtkiZBUCayvB0FgBKb7
Oy5Nu/4Ly0eOtDLOQwWFNoPOWKebVwOX55vt6PNitx84OwilI+hqb41ydYDEkjRa
8AmJBi/Mf6IkHg6hAl/UMb9KP/A84x/bS2ZZWis1pB/3wIZKxbq8AJbdF6YtDrx3
DqeOxCZ0sQBTG1nJdz135FilgEMrmK20+XsfU6J9hR10Es4erQxipC+uwjuXCJpU
X44rpo6Fw+wN/a/OsrShT9yss3OS1OEbIx93T8mxumBID9ji5r2N29gQAjmYs0ez
knHOP4QrMIzAFq0tsYXzC7REeDQHvVo1bCI0e1kB3Tv/xbdj2gM2im7hRipQEBIc
blPOQ8QHcAd/RERNrQLkXJwjjLGLvm54h8ZKb/rcLs2MXvZddfSfdxodBjnZzmCQ
97x+V47b1ahUfSFr/6hN5exkxtFuyBbiKPPtJfz30y4Ngx04zS/HTEA/l4cL93D8
Erp6M1SKeJwi5nq5C2cRRdBIPj37c91XO7q019ek0Qz56YpIVj5dmkur49OyLRlw
sv1MjuRUlrxrjWowwIWuaK3Gcfb8rZZx2Q0urbF+d8hxpuoquxg=
=l3Yi
-----END PGP SIGNATURE-----

--=-1j+Tbjv4yy2uBuMC7j50--

Last modified: Tue, 6 Apr 2021 19:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.