Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package perl-Net-CIDR-Lite for openSUSE:Factory checked in at 2026-05-14 21:42:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-Net-CIDR-Lite (Old) and /work/SRC/openSUSE:Factory/.perl-Net-CIDR-Lite.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Net-CIDR-Lite" Thu May 14 21:42:16 2026 rev:16 rq:1353046 version:0.240.0 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-Net-CIDR-Lite/perl-Net-CIDR-Lite.changes 2025-05-23 14:31:05.025923171 +0200 +++ /work/SRC/openSUSE:Factory/.perl-Net-CIDR-Lite.new.1966/perl-Net-CIDR-Lite.changes 2026-05-14 21:42:54.658486580 +0200 @@ -1,0 +2,15 @@ +Mon May 11 08:38:53 UTC 2026 - Tina Müller <[email protected]> + +- updated to 0.240.0 (0.24) + see /usr/share/doc/packages/perl-Net-CIDR-Lite/Changes + + 0.24 2026-05-10 + - Security: (CVE-2026-45190) Reject Unicode digits and trailing + newlines in parser inputs. bsc#1264710 + - Security: (CVE-2026-45191) Reject zero-padded CIDR masks. bsc#1264709 + + 0.23 2026-04-10 + - Security: (CVE-2026-40199) Fix IPv4 mapped IPv6 packed length. bsc#1262088 + - Security: (CVE-2026-40198) Reject invalid uncompressed IPv6. bsc#1262088 + +------------------------------------------------------------------- Old: ---- Net-CIDR-Lite-0.22.tar.gz New: ---- Net-CIDR-Lite-0.24.tar.gz README.md _scmsync.obsinfo build.specials.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-Net-CIDR-Lite.spec ++++++ --- /var/tmp/diff_new_pack.1kUPoC/_old 2026-05-14 21:42:55.158507091 +0200 +++ /var/tmp/diff_new_pack.1kUPoC/_new 2026-05-14 21:42:55.162507255 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-Net-CIDR-Lite # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,15 +18,16 @@ %define cpan_name Net-CIDR-Lite Name: perl-Net-CIDR-Lite -Version: 0.220.0 +Version: 0.240.0 Release: 0 -# 0.22 -> normalize -> 0.220.0 -%define cpan_version 0.22 +# 0.24 -> normalize -> 0.240.0 +%define cpan_version 0.24 License: Artistic-1.0 OR GPL-1.0-or-later Summary: Perl extension for merging IPv4 or IPv6 CIDR addresses URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/S/ST/STIGTSP/%{cpan_name}-%{cpan_version}.tar.gz Source1: cpanspec.yml +Source100: README.md BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros ++++++ Net-CIDR-Lite-0.22.tar.gz -> Net-CIDR-Lite-0.24.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Net-CIDR-Lite-0.22/Changes new/Net-CIDR-Lite-0.24/Changes --- old/Net-CIDR-Lite-0.22/Changes 2021-04-04 22:20:32.000000000 +0200 +++ new/Net-CIDR-Lite-0.24/Changes 2026-05-10 20:19:54.000000000 +0200 @@ -1,5 +1,13 @@ Revision history for Perl extension Net::CIDR::Lite. +0.24 2026-05-10 + - Security: (CVE-2026-45190) Reject Unicode digits and trailing + newlines in parser inputs. + - Security: (CVE-2026-45191) Reject zero-padded CIDR masks. + +0.23 2026-04-10 + - Security: (CVE-2026-40199) Fix IPv4 mapped IPv6 packed length. + - Security: (CVE-2026-40198) Reject invalid uncompressed IPv6. 0.22 2021-04-04 - Security: IPv4 octets with leading zeroes are no longer allowed. https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Net-CIDR-Lite-0.22/Lite.pm new/Net-CIDR-Lite-0.24/Lite.pm --- old/Net-CIDR-Lite-0.22/Lite.pm 2021-04-04 22:20:32.000000000 +0200 +++ new/Net-CIDR-Lite-0.24/Lite.pm 2026-05-10 20:19:54.000000000 +0200 @@ -4,7 +4,7 @@ use vars qw($VERSION); use Carp qw(confess); -$VERSION = '0.22'; +$VERSION = '0.24'; my %masks; my @fields = qw(PACK UNPACK NBITS MASKS); 
@@ -37,7 +37,9 @@
 my ($ip, $mask) = split "/", shift;
 $self->_init($ip) || confess "Can't determine ip format" unless %$self;
 confess "Bad mask $mask"
- unless $mask =~ /^\d+$/ and $mask <= $self->{NBITS}-8;
+ unless defined $mask
+ and $mask =~ /\A(?:0|[1-9][0-9]*)\z/
+ and $mask <= $self->{NBITS}-8;
 $mask += 8;
 my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask]
 or confess "Bad ip address: $ip";
@@ -181,7 +183,7 @@
 my @nums = split /\./, shift(), -1;
 return unless @nums == 4;
 for (@nums) {
- return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
+ return unless /\A[0-9]{1,3}\z/ and !/\A0[0-9]{1,2}\z/ and $_ <= 255;
 }
 pack("CC*", 0, @nums);
 }
@@ -192,22 +194,23 @@
 sub _pack_ipv6 {
 my $ip = shift;
- $ip =~ s/^::$/::0/;
- return if $ip =~ /^:/ and $ip !~ s/^::/:/;
- return if $ip =~ /:$/ and $ip !~ s/::$/:/;
+ $ip =~ s/\A::\z/::0/;
+ return if $ip =~ /\A:/ and $ip !~ s/\A::/:/;
+ return if $ip =~ /:\z/ and $ip !~ s/::\z/:/;
 my @nums = split /:/, $ip, -1;
 return unless @nums <= 8;
 my ($empty, $ipv4, $str) = (0,'','');
 for (@nums) {
 return if $ipv4;
- $str .= "0" x (4-length) . $_, next if /^[a-fA-F\d]{1,4}$/;
+ $str .= "0" x (4-length) . $_, next if /\A[a-fA-F0-9]{1,4}\z/;
 do { return if $empty++ }, $str .= "X", next if $_ eq '';
 next if $ipv4 = _pack_ipv4($_);
 return;
 }
 return if $ipv4 and @nums > 6;
+ return unless $empty or @nums == ($ipv4 ? 6 : 8);
 $str =~ s/X/"0" x (($ipv4 ? 25 : 33)-length($str))/e if $empty;
- pack("H*", "00" . $str).$ipv4;
+ pack("H*", "00" . $str).substr($ipv4, 1);
 }
 sub _unpack_ipv6 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Net-CIDR-Lite-0.22/META.yml new/Net-CIDR-Lite-0.24/META.yml
--- old/Net-CIDR-Lite-0.22/META.yml 2021-04-04 22:20:32.000000000 +0200
+++ new/Net-CIDR-Lite-0.24/META.yml 2026-05-10 20:19:54.000000000 +0200
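Review bot: In the `@@ -37,7 +37,9 @@` hunk of Lite.pm, the context line `my ($ip, $mask) = split "/", shift;` still throws away everything after a second slash, so a constructed input such as `10.0.0.0/8/x` reaches the tightened mask check with `$mask` equal to `8` and is accepted. That is the same kind of lenient parsing that the CVE-2026-45190 and CVE-2026-45191 changes close for trailing newlines and padded masks. Capturing the remainder and refusing it would cover this case as well: `my ($ip, $mask, $extra) = split "/", shift, 3;` followed by `confess "Bad mask" if defined $extra;`. The enclosing sub starts and ends outside the hunk, so any handling of this elsewhere is not visible here.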
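Review bot: The switch from `^…$` and `\d` to `\A…\z` and `[0-9]` in `_pack_ipv4` (the `@@ -181,7 +183,7 @@` hunk of Lite.pm) carries no comment, so a later tidy-up could revert it without seeing the security reason. A comment above the loop would record it: `# \A..\z and [0-9] are deliberate: $ tolerates a trailing newline and \d matches non-ASCII digits (CVE-2026-45190)`. The same remark applies to the mask pattern in the `@@ -37,7 +37,9 @@` hunk and to the patterns in `_pack_ipv6`. The opening line of `_pack_ipv4` is outside the hunk.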
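Review bot: The new length check `return unless $empty or @nums == ($ipv4 ? 6 : 8);` in `_pack_ipv6` (the `@@ -192,22 +194,23 @@` hunk of Lite.pm) appears to use the wrong field count for an address that ends in a dotted quad. The quad is a single element of `@nums`, and the padding constant `25` on the following line assumes six hex groups in front of it, so an uncompressed address of that form has seven fields. With `6`, five groups plus the quad pass the check and, by my reading, pack to 15 bytes instead of 17, while the full seven-field form is refused by the existing `return if $ipv4 and @nums > 6;`. If that reading is right, the two lines should be `return if $ipv4 and @nums > 7;` and `return unless $empty or @nums == ($ipv4 ? 7 : 8);`. The tests added in t/base.t only use the compressed `::ffff:` form, so a case with an uncompressed mapped address would confirm which count is intended.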
@@ -1,6 +1,6 @@ --- #YAML:1.0 name: Net-CIDR-Lite -version: 0.22 +version: 0.24 abstract: Perl extension for merging IPv4 or IPv6 CIDR addresses author: - Douglas Wilson <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Net-CIDR-Lite-0.22/t/base.t new/Net-CIDR-Lite-0.24/t/base.t --- old/Net-CIDR-Lite-0.22/t/base.t 2021-04-04 22:20:32.000000000 +0200 +++ new/Net-CIDR-Lite-0.24/t/base.t 2026-05-10 20:19:54.000000000 +0200 @@ -8,7 +8,7 @@ use Test; use strict; $|++; -BEGIN { plan tests => 42 }; +BEGIN { plan tests => 66 }; use Net::CIDR::Lite; ok(1); # If we made it this far, we are ok. 
@@ -144,3 +144,48 @@ eval { $err_octal->add("10.01.0.0/8") }; ok($@=~/Can't determine ip format/); + + +# CVE-2026-40198: Reject IPv6 addresses with too few groups +foreach my $malformed_ipv6 ("abcd/32", "1:2:3/48", "1:2:3:4:5:6:7/112", "") { + eval { Net::CIDR::Lite->new($malformed_ipv6) }; + ok($@=~/Can't determine ip format/); +} + +# CVE-2026-40199: IPv4 mapped IPv6 with incorrect packing +my $mapped = Net::CIDR::Lite->new("::ffff:192.168.1.0/120"); +ok($mapped->find("::ffff:192.168.1.1")); +ok($mapped->find("::ffff:192.168.1.255")); +ok(! $mapped->find("::ffff:192.168.2.1")); + +my $mapped2 = Net::CIDR::Lite->new("::ffff:10.0.0.0/104"); +ok($mapped2->find("::ffff:10.0.0.1")); +ok(! $mapped2->find("::ffff:11.0.0.1")); + +# CVE-2026-45190: Reject trailing newline in parser inputs +ok(! defined Net::CIDR::Lite::_pack_ipv4("1.2.3.4\n")); +ok(! defined Net::CIDR::Lite::_pack_ipv6("::1\n")); +eval { Net::CIDR::Lite->new("1.2.3.4\n") }; +ok($@=~/Can't determine ip format/); +eval { Net::CIDR::Lite->new("::1\n") }; +ok($@=~/Can't determine ip format/); +eval { Net::CIDR::Lite->new("1.2.3.4/24\n") }; +ok($@=~/Bad mask/); + +# CVE-2026-45190: Reject non-ASCII Unicode digits in parser inputs +ok(! defined Net::CIDR::Lite::_pack_ipv4("\x{0661}.2.3.4")); +ok(! defined Net::CIDR::Lite::_pack_ipv4("\x{ff11}.2.3.4")); +ok(! defined Net::CIDR::Lite::_pack_ipv6("\x{ff10}1::1")); +ok(! defined Net::CIDR::Lite::_pack_ipv6("\x{0966}1::1")); +ok(! defined Net::CIDR::Lite::_pack_ipv6(chr(0x1D7CF) . 
"::1")); +eval { Net::CIDR::Lite->new("1.2.3.4/1\x{ff10}") }; +ok($@=~/Bad mask/); + +# CVE-2026-45191: Reject zero-padded CIDR masks +foreach my $padded ("00", "01", "032") { + eval { Net::CIDR::Lite->new("1.2.3.4/$padded") }; + ok($@=~/Bad mask/); +} +eval { Net::CIDR::Lite->new("::/00") }; +ok($@=~/Bad mask/); + ++++++ README.md ++++++ ## Build Results Current state of perl in openSUSE:Factory is  The current state of perl in the devel project build (devel:languages:perl)  ++++++ _scmsync.obsinfo ++++++ mtime: 1778674754 commit: 7108eb29e654fe6af646ec4f21f9b83b2d500365ff5bd7dc85fb2f258bc48239 url: https://src.opensuse.org/perl/perl-Net-CIDR-Lite revision: 7108eb29e654fe6af646ec4f21f9b83b2d500365ff5bd7dc85fb2f258bc48239 projectscmsync: https://src.opensuse.org/perl/_ObsPrj ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-13 14:19:14.000000000 +0200 @@ -0,0 +1 @@ +.osc
