Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], 
[email protected], [email protected], [email protected], 
[email protected], [email protected]
Control: affects -1 + src:libnet-cidr-lite-perl
User: [email protected]
Usertags: pu

Hi

[ Reason ]
libnet-cidr-lite-perl is vulnerable to CVE-2026-45190 and
CVE-2026-45191, which do not warrant a DSA. While I'm not authorized
to judge a no-DLA for bookworm, given that the bookworm point release is
around the corner and I still want to contribute this update, I'm
submitting it for the last point release.

[ Impact ]
Debian bookworm would remain open to both CVEs.

[ Tests ]
Both fixes contain upstream updated testsuite to cover the issues.
Additionally debusine runs at:
https://debusine.debian.net/debian/developers/work-request/895603/

[ Risks ]
Patches are applied from upstream and are targeted at the two issues.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Reject Unicode digits and trailing newlines in parsers (for
CVE-2026-45190) and reject zero-padded CIDR masks (for
CVE-2026-45191). Add test cases for both.

[ Other info ]
None

Regards,
Salvatore
diff -Nru libnet-cidr-lite-perl-0.22/debian/changelog 
libnet-cidr-lite-perl-0.22/debian/changelog
--- libnet-cidr-lite-perl-0.22/debian/changelog 2026-04-11 09:01:23.000000000 
+0000
+++ libnet-cidr-lite-perl-0.22/debian/changelog 2026-06-27 10:07:41.000000000 
+0000
@@ -1,3 +1,13 @@
+libnet-cidr-lite-perl (0.22-3~deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2026-45190: Reject Unicode digits and trailing newlines in parsers
+  * CVE-2026-45190: Add tests
+  * CVE-2026-45191: Reject zero-padded CIDR masks
+  * CVE-2026-45191: Add tests
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 27 Jun 2026 12:07:41 +0200
+
 libnet-cidr-lite-perl (0.22-3~deb12u1) bookworm; urgency=medium
 
   * Rebuild for bookworm
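Review bot: the four bullet lines repeat the patch subjects but carry no bug or tracker reference; adding the security-tracker URLs the patches already carry in their Bug-Debian-Security headers, or a "Closes:" reference to the Debian bug if one was filed, would make the changelog self-describing. Version and distribution (0.22-3~deb12u2, bookworm) follow the existing ~deb12u1 entry, and the "Team upload." line is present as required.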
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch    
1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Add-tests.patch    
2026-06-27 10:07:41.000000000 +0000
@@ -0,0 +1,50 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:37:45 +0200
+Subject: CVE-2026-45190: Add tests
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/990abf34e5d0f2908762771bd96749030e9f9902
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ t/base.t | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 9ee20c2ff47b..04702919bcec 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 51 };
++BEGIN { plan tests => 62 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+ 
+@@ -162,3 +162,22 @@ my $mapped2 = Net::CIDR::Lite->new("::ffff:10.0.0.0/104");
+ ok($mapped2->find("::ffff:10.0.0.1"));
+ ok(! $mapped2->find("::ffff:11.0.0.1"));
+ 
++# CVE-2026-45190: Reject trailing newline in parser inputs
++ok(! defined Net::CIDR::Lite::_pack_ipv4("1.2.3.4\n"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6("::1\n"));
++eval { Net::CIDR::Lite->new("1.2.3.4\n") };
++ok($@=~/Can't determine ip format/);
++eval { Net::CIDR::Lite->new("::1\n") };
++ok($@=~/Can't determine ip format/);
++eval { Net::CIDR::Lite->new("1.2.3.4/24\n") };
++ok($@=~/Bad mask/);
++
++# CVE-2026-45190: Reject non-ASCII Unicode digits in parser inputs
++ok(! defined Net::CIDR::Lite::_pack_ipv4("\x{0661}.2.3.4"));
++ok(! defined Net::CIDR::Lite::_pack_ipv4("\x{ff11}.2.3.4"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6("\x{ff10}1::1"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6("\x{0966}1::1"));
++ok(! defined Net::CIDR::Lite::_pack_ipv6(chr(0x1D7CF) . "::1"));
++eval { Net::CIDR::Lite->new("1.2.3.4/1\x{ff10}") };
++ok($@=~/Bad mask/);
++
+-- 
+2.53.0
+
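Review bot: the plan bump 51 to 62 matches the eleven ok() calls added (five for trailing newlines, six for non-ASCII digits), so the count is consistent. Coverage is one-sided, though: every new case is a rejection, and only the pre-existing positive cases in t/base.t guard against the new \A/\z anchors rejecting a valid input; a positive ok() next to this block, e.g. for "1.2.3.4/24" without a newline, would document that intent. The tests also reach into the private _pack_ipv4/_pack_ipv6 helpers by full name, which ties the test file to internal names; acceptable for a security regression test, but worth noting if the helpers are ever renamed.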
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
--- 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
        1970-01-01 00:00:00.000000000 +0000
+++ 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
        2026-06-27 10:07:41.000000000 +0000
@@ -0,0 +1,64 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:37:26 +0200
+Subject: CVE-2026-45190: Reject Unicode digits and trailing newlines in
+ parsers
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-45190
+
+The parser regexes used \d (matches the Unicode Nd category) and
+/^...$/ (matches before a trailing "\n"). Both let inputs slip past
+the validators that pack("H*",...) and numeric coercion then
+re-encoded to a different address. Possibly allowing IP ACL bypass
+via find().
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ Lite.pm | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Lite.pm b/Lite.pm
+index 005ebbe1337d..8b5a20cfa035 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -37,7 +37,7 @@ sub add {
+     my ($ip, $mask) = split "/", shift;
+     $self->_init($ip) || confess "Can't determine ip format" unless %$self;
+     confess "Bad mask $mask"
+-        unless $mask =~ /^\d+$/ and $mask <= $self->{NBITS}-8;
++        unless $mask =~ /\A[0-9]+\z/ and $mask <= $self->{NBITS}-8;
+     $mask += 8;
+     my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask]
+         or confess "Bad ip address: $ip";
+@@ -181,7 +181,7 @@ sub _pack_ipv4 {
+     my @nums = split /\./, shift(), -1;
+     return unless @nums == 4;
+     for (@nums) {
+-        return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
++        return unless /\A[0-9]{1,3}\z/ and !/\A0[0-9]{1,2}\z/ and $_ <= 255;
+     }
+     pack("CC*", 0, @nums);
+ }
+@@ -192,15 +192,15 @@ sub _unpack_ipv4 {
+ 
+ sub _pack_ipv6 {
+     my $ip = shift;
+-    $ip =~ s/^::$/::0/;
+-    return if $ip =~ /^:/ and $ip !~ s/^::/:/;
+-    return if $ip =~ /:$/ and $ip !~ s/::$/:/;
++    $ip =~ s/\A::\z/::0/;
++    return if $ip =~ /\A:/ and $ip !~ s/\A::/:/;
++    return if $ip =~ /:\z/ and $ip !~ s/::\z/:/;
+     my @nums = split /:/, $ip, -1;
+     return unless @nums <= 8;
+     my ($empty, $ipv4, $str) = (0,'','');
+     for (@nums) {
+         return if $ipv4;
+-        $str .= "0" x (4-length) . $_, next if /^[a-fA-F\d]{1,4}$/;
++        $str .= "0" x (4-length) . $_, next if /\A[a-fA-F0-9]{1,4}\z/;
+         do { return if $empty++ }, $str .= "X", next if $_ eq '';
+         next if $ipv4 = _pack_ipv4($_);
+         return;
+-- 
+2.53.0
+
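Review bot: the mask check in the first hunk still accepts zero-padded values ("/08" matches \A[0-9]+\z), which is exactly what the later CVE-2026-45191 patch tightens; since that patch's "-" line is this hunk's "+" line, the two must stay in this order in debian/patches/series (they do). The `$mask =~ ...` match also runs on an undefined $mask when the spec has no "/", which warns under `use warnings` before confess fires; that is covered by the `defined $mask` guard in the 45191 patch. The _pack_ipv6 hunk inherits the IPv4 fix for an embedded-IPv4 tail through its _pack_ipv4 call, so no separate digit class is needed there, and the switch from \d to [0-9] means only ASCII digits ever reach the `$_ <= 255` numeric comparison.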
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch    
1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Add-tests.patch    
2026-06-27 10:07:41.000000000 +0000
@@ -0,0 +1,39 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:38:12 +0200
+Subject: CVE-2026-45191: Add tests
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/9ad49797e05b277977532dfb74bcd6605d496a4c
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ t/base.t | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 04702919bcec..ddf8ccae2f8c 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 62 };
++BEGIN { plan tests => 66 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+ 
+@@ -181,3 +181,11 @@ ok(! defined Net::CIDR::Lite::_pack_ipv6(chr(0x1D7CF) . 
"::1"));
+ eval { Net::CIDR::Lite->new("1.2.3.4/1\x{ff10}") };
+ ok($@=~/Bad mask/);
+ 
++# CVE-2026-45191: Reject zero-padded CIDR masks
++foreach my $padded ("00", "01", "032") {
++    eval { Net::CIDR::Lite->new("1.2.3.4/$padded") };
++    ok($@=~/Bad mask/);
++}
++eval { Net::CIDR::Lite->new("::/00") };
++ok($@=~/Bad mask/);
++
+-- 
+2.53.0
+
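Review bot: the plan bump 62 to 66 matches the four ok() calls added (three in the foreach, one for "::/00"). The new mask pattern \A(?:0|[1-9][0-9]*)\z is stricter than the one it replaces, so a positive check that "/0" still parses would guard against the "0" alternation being mistyped; the earlier positive tests in t/base.t presumably cover ordinary masks such as "/24", but "0" is now a special branch of the pattern and deserves an explicit ok() of its own.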
diff -Nru 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
--- 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
        1970-01-01 00:00:00.000000000 +0000
+++ 
libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
        2026-06-27 10:07:41.000000000 +0000
@@ -0,0 +1,35 @@
+From: Stig Palmquist <[email protected]>
+Date: Sun, 10 May 2026 19:37:58 +0200
+Subject: CVE-2026-45191: Reject zero-padded CIDR masks
+Origin: 
https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-45191
+
+add() accepted zero-padded masks ("/00", "/032") as decimal, parsing
+them to a different range than a textual filter would expect.
+Incomplete fix of CVE-2021-47154, which only covered the IPv4 octet
+half. Possibly allowing IP ACL bypass via find().
+
+Assisted-by: Claude (Anthropic)
+Signed-off-by: Stig Palmquist <[email protected]>
+---
+ Lite.pm | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Lite.pm b/Lite.pm
+index 8b5a20cfa035..295c345b7208 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -37,7 +37,9 @@ sub add {
+     my ($ip, $mask) = split "/", shift;
+     $self->_init($ip) || confess "Can't determine ip format" unless %$self;
+     confess "Bad mask $mask"
+-        unless $mask =~ /\A[0-9]+\z/ and $mask <= $self->{NBITS}-8;
++        unless defined $mask
++        and $mask =~ /\A(?:0|[1-9][0-9]*)\z/
++        and $mask <= $self->{NBITS}-8;
+     $mask += 8;
+     my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask]
+         or confess "Bad ip address: $ip";
+-- 
+2.53.0
+
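Review bot: the added `defined $mask` guard is the right fix for a spec without "/", but the message `confess "Bad mask $mask"` still interpolates the undefined value, producing "Bad mask " plus an uninitialized-value warning; interpolating `$mask // '(missing)'` in the message would keep the diagnostic clean. The pattern \A(?:0|[1-9][0-9]*)\z accepts "0" and rejects "00", "01" and "032" as the tests expect, and the upper bound `$mask <= $self->{NBITS}-8` is unchanged.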
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/series 
libnet-cidr-lite-perl-0.22/debian/patches/series
--- libnet-cidr-lite-perl-0.22/debian/patches/series    2026-04-11 
09:01:23.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/series    2026-06-27 
10:07:41.000000000 +0000
@@ -2,3 +2,7 @@
 CVE-2026-40198-Add-tests.patch
 CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
 CVE-2026-40199-Add-tests.patch
+CVE-2026-45190-Reject-Unicode-digits-and-trailing-ne.patch
+CVE-2026-45190-Add-tests.patch
+CVE-2026-45191-Reject-zero-padded-CIDR-masks.patch
+CVE-2026-45191-Add-tests.patch
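Review bot: ordering is correct: each fix precedes its tests patch, and CVE-2026-45190 precedes CVE-2026-45191, which is required because the 45191 patch modifies the mask line the 45190 patch introduced. The file names match those in the debdiff.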

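The [ Changes ] summary above describes three parser tightenings: ASCII-only digit classes, whole-string anchoring, and canonical (non-zero-padded) masks. The following stand-alone Perl script is an added example, not code from the Debian package or from upstream Net-CIDR-Lite: it places the pre-fix validation shape beside the hardened shape and runs both over constructed inputs, printing what each validator would canonicalise the input to. The function names, the `parse_ipv4_cidr` helper and the flat 32-bit mask bound (the module uses its own NBITS-8 scheme) are assumptions of this example; the `defined` check in the weak mask validator is included only to keep the example warning-free.

```perl
#!/usr/bin/perl
# Added example, not code from the Debian package or from upstream
# Net-CIDR-Lite: contrasts the pre-fix validation shape with the anchored,
# ASCII-only shape used by the CVE-2026-45190/CVE-2026-45191 patches, on
# constructed inputs. Function names and the 32-bit mask bound are mine.
use strict;
use warnings;

# Pre-fix shape: \d follows the Unicode Nd category on wide strings, and
# /^...$/ lets $ match just before a trailing "\n".
sub weak_octet_ok {
    my $o = shift;
    no warnings 'numeric';   # the coercion below yields 0 for non-ASCII digits
    return $o =~ /^\d{1,3}$/ && $o !~ /^0\d{1,2}$/ && $o <= 255;
}
sub weak_mask_ok {
    my ($m, $nbits) = @_;    # defined check added here only to stay warning-free
    return defined $m && $m =~ /^\d+$/ && $m <= $nbits;
}

# Hardened shape: \A and \z anchor the whole string, [0-9] is ASCII only,
# and a mask must be canonical decimal (no leading zeros).
sub strict_octet_ok {
    my $o = shift;
    return $o =~ /\A[0-9]{1,3}\z/ && $o !~ /\A0[0-9]{1,2}\z/ && $o <= 255;
}
sub strict_mask_ok {
    my ($m, $nbits) = @_;
    return defined $m && $m =~ /\A(?:0|[1-9][0-9]*)\z/ && $m <= $nbits;
}

# Parse "a.b.c.d/n" with the supplied validators and return the canonical
# numeric form a caller would actually match on, or undef when rejected.
# (Hypothetical helper; the module's add() does this with pack/masks.)
sub parse_ipv4_cidr {
    my ($spec, $octet_ok, $mask_ok) = @_;
    my ($ip, $mask) = split "/", $spec, 2;
    my @octets = split /\./, $ip, -1;
    return undef unless @octets == 4 && !grep { !$octet_ok->($_) } @octets;
    return undef unless $mask_ok->($mask, 32);
    no warnings 'numeric';   # show what numeric coercion turns each field into
    return sprintf "%d.%d.%d.%d/%d", (map { 0 + $_ } @octets), 0 + $mask;
}

# Constructed inputs with the canonical form each validator produces.
my @cases = (
    # spec                    pre-fix sees     hardened sees
    ["10.0.0.0/8",            "10.0.0.0/8",    "10.0.0.0/8"],
    ["10.0.0.0/0",            "10.0.0.0/0",    "10.0.0.0/0"],
    ["10.0.0.0/8\n",          "10.0.0.0/8",    undef],   # CVE-2026-45190
    ["\x{0661}0.0.0.0/8",     "0.0.0.0/8",     undef],   # CVE-2026-45190: U+0661 coerces to 0
    ["10.0.0.0/08",           "10.0.0.0/8",    undef],   # CVE-2026-45191
    ["010.0.0.0/8",           undef,           undef],   # octet padding: already rejected
    ["10.0.0.0",              undef,           undef],   # no mask at all
);

# Compare two possibly-undefined strings.
sub same { my ($x, $y) = @_; return defined $x ? (defined $y && $x eq $y) : !defined $y }
# Render non-printable and non-ASCII characters as \x{..} for the report.
sub show { my $s = shift; $s =~ s/([^\x20-\x7e])/sprintf '\\x{%04x}', ord $1/ge; return $s }

my $failed = 0;
for my $c (@cases) {
    my ($spec, $want_weak, $want_strict) = @$c;
    my $weak   = parse_ipv4_cidr($spec, \&weak_octet_ok,   \&weak_mask_ok);
    my $strict = parse_ipv4_cidr($spec, \&strict_octet_ok, \&strict_mask_ok);
    my $ok = same($weak, $want_weak) && same($strict, $want_strict);
    $failed++ unless $ok;
    printf "%-4s %-24s pre-fix: %-12s hardened: %s\n", $ok ? "ok" : "FAIL",
        show($spec), $weak // "rejected", $strict // "rejected";
}
exit($failed ? 1 : 0);
```

Run it with `perl` (5.10 or later for `//`); the exit status is non-zero if any constructed case disagrees with the expected columns. The middle column makes the commit messages' point concrete: the pre-fix validators pass the input and numeric coercion then hands a different address or prefix length to the matching logic, while the hardened validators reject the same inputs outright.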