Bug#702914: CVE-2013-1841 still unsolved?
Petter Reinholdtsen
pere at hungry.com
Thu May 28 21:25:00 BST 2020
[Rob Brown]
> Is this Issue still open? Is it still a problem in the latest version?
> Or can I close this RT Ticket now?
The code in question seem to be this section from Net/Server.pm version
2.009:
if ($addr && defined $prop->{'reverse_lookups'}) {
if ($INC{'Socket6.pm'} && Socket6->can('getnameinfo')) {
my @res = Socket6::getnameinfo($addr, 0);
$prop->{'peerhost'} = $res[0] if @res > 1;
}else{
$prop->{'peerhost'} = gethostbyaddr($addr, AF_INET);
}
}
As far as I can tell, it only do reverse lookup without comparing it to
the addresses returned by a lookup of the name returned by the reverse
lookup, which seem to be the problem described in the CVE.
In short, I believe the problem from 2013 still is unsolved in version
2.009, but do not know the code and might have overlooked something.
--
Happy hacking
Petter Reinholdtsen
More information about the pkg-perl-maintainers
mailing list