Version in base suite: 0.22-2 Base version: libnet-cidr-lite-perl_0.22-2 Target version: libnet-cidr-lite-perl_0.22-3~deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libn/libnet-cidr-lite-perl/libnet-cidr-lite-perl_0.22-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libn/libnet-cidr-lite-perl/libnet-cidr-lite-perl_0.22-3~deb13u1.dsc changelog | 16 ++++ patches/CVE-2026-40198-Add-tests.patch | 37 +++++++++ patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch | 28 +++++++ patches/CVE-2026-40199-Add-tests.patch | 39 ++++++++++ patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch | 29 +++++++ patches/series | 4 + 6 files changed, 153 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpl830r0ug/libnet-cidr-lite-perl_0.22-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpl830r0ug/libnet-cidr-lite-perl_0.22-3~deb13u1.dsc: no acceptable signature found
diff -Nru libnet-cidr-lite-perl-0.22/debian/changelog libnet-cidr-lite-perl-0.22/debian/changelog
--- libnet-cidr-lite-perl-0.22/debian/changelog 2022-11-19 14:11:56.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/changelog 2026-04-11 09:00:17.000000000 +0000
@@ -1,3 +1,19 @@
+libnet-cidr-lite-perl (0.22-3~deb13u1) trixie; urgency=medium
+
+ * Rebuild for trixie
+
+ -- Salvatore Bonaccorso Sat, 11 Apr 2026 11:00:17 +0200
+
+libnet-cidr-lite-perl (0.22-3) unstable; urgency=medium
+
+ * Team upload.
+ * CVE-2026-40198: Reject invalid uncompressed IPv6
+ * CVE-2026-40198: Add tests
+ * CVE-2026-40199: Fix IPv4 mapped IPv6 packed length
+ * CVE-2026-40199: Add tests
+
+ -- Salvatore Bonaccorso Sat, 11 Apr 2026 10:20:46 +0200
+
 libnet-cidr-lite-perl (0.22-2) unstable; urgency=medium
 
 [ Debian Janitor ]
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch 1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Add-tests.patch 2026-04-11 09:00:17.000000000 +0000
@@ -0,0 +1,37 @@
+From: Stig Palmquist
+Date: Fri, 10 Apr 2026 00:34:03 +0200
+Subject: CVE-2026-40198: Add tests
+Origin: https://github.com/stigtsp/Net-CIDR-Lite/commit/380562e04f66026ba3859f76b3c8ae0489cbc750
+
+---
+ t/base.t | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 292456d774cc..8ac87a251e6d 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 42 };
++BEGIN { plan tests => 46 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+
+@@ -144,3 +144,11 @@ ok($@=~/Can't determine ip format/);
+
+ eval { $err_octal->add("10.01.0.0/8") };
+ ok($@=~/Can't determine ip format/);
++
++
++# CVE-2026-40198: Reject IPv6 addresses with too few groups
++foreach my $malformed_ipv6 ("abcd/32", "1:2:3/48", "1:2:3:4:5:6:7/112", "") {
++ eval { Net::CIDR::Lite->new($malformed_ipv6) };
++ ok($@=~/Can't determine ip format/);
++}
++
+--
+2.53.0
+
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch 1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch 2026-04-11 09:00:17.000000000 +0000
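Review bot: The malformed-input loop added to t/base.t in CVE-2026-40198-Add-tests.patch contains only colon-only inputs, so the `$ipv4 ? 6` arm of the guard that the companion patch adds to `_pack_ipv6` is never exercised. An uncompressed address with a dotted-quad tail and too few leading groups belongs in the same list. One well-formed uncompressed address should also be asserted to still parse, so that a guard that is too strict fails the suite just as a guard that is too loose does. Because `plan tests => 46` has to be raised by hand for every added input, a short comment next to the list saying so would help the next backport.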
@@ -0,0 +1,28 @@
+From: Stig Palmquist
+Date: Fri, 10 Apr 2026 00:31:51 +0200
+Subject: CVE-2026-40198: Reject invalid uncompressed IPv6
+Origin: https://github.com/stigtsp/Net-CIDR-Lite/commit/25d65f85dbe4885959a10471725ec9d250a589c3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40198
+
+_pack_ipv6() accepted uncompressed IPv6 addresses with fewer than 8
+groups. This resulted in incorrect packed values affecting mask and
+comparison operations. Possibly allowing IP ACL bypass via find().
+---
+ Lite.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Lite.pm b/Lite.pm
+index 0e2299fb2233..acf8f0d3b633 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -206,6 +206,7 @@ sub _pack_ipv6 {
+ return;
+ }
+ return if $ipv4 and @nums > 6;
++ return unless $empty or @nums == ($ipv4 ? 6 : 8);
+ $str =~ s/X/"0" x (($ipv4 ? 25 : 33)-length($str))/e if $empty;
+ pack("H*", "00" . $str).$ipv4;
+ }
+--
+2.53.0
+
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch 1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Add-tests.patch 2026-04-11 09:00:17.000000000 +0000
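Review bot: The counts in `return unless $empty or @nums == ($ipv4 ? 6 : 8);` are unexplained, and whether 6 is right for the dotted-quad case depends on how `@nums` is built, which happens above this hunk in `_pack_ipv6`. If `@nums` still includes the dotted-quad element at this point, six entries would mean five 16-bit groups plus 32 bits, i.e. 112 bits rather than 128. The full form with six groups and a dotted quad would meanwhile be turned away by the existing `return if $ipv4 and @nums > 6;`. Please confirm against the split and loop earlier in the function. A comment such as `# uncompressed input must supply all 128 bits: 8 groups, or 6 groups + dotted quad` would record the intended invariant next to the check.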
@@ -0,0 +1,39 @@
+From: Stig Palmquist
+Date: Fri, 10 Apr 2026 01:20:02 +0200
+Subject: CVE-2026-40199: Add tests
+Origin: https://github.com/stigtsp/Net-CIDR-Lite/commit/029b9417d2078827f790addfa1dceb1df8297b85
+
+---
+ t/base.t | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/t/base.t b/t/base.t
+index 8ac87a251e6d..9ee20c2ff47b 100644
+--- a/t/base.t
++++ b/t/base.t
+@@ -8,7 +8,7 @@
+ use Test;
+ use strict;
+ $|++;
+-BEGIN { plan tests => 46 };
++BEGIN { plan tests => 51 };
+ use Net::CIDR::Lite;
+ ok(1); # If we made it this far, we are ok.
+
+@@ -152,3 +152,13 @@ foreach my $malformed_ipv6 ("abcd/32", "1:2:3/48", "1:2:3:4:5:6:7/112", "") {
+ ok($@=~/Can't determine ip format/);
+ }
+
++# CVE-2026-40199: IPv4 mapped IPv6 with incorrect packing
++my $mapped = Net::CIDR::Lite->new("::ffff:192.168.1.0/120");
++ok($mapped->find("::ffff:192.168.1.1"));
++ok($mapped->find("::ffff:192.168.1.255"));
++ok(! $mapped->find("::ffff:192.168.2.1"));
++
++my $mapped2 = Net::CIDR::Lite->new("::ffff:10.0.0.0/104");
++ok($mapped2->find("::ffff:10.0.0.1"));
++ok(! $mapped2->find("::ffff:11.0.0.1"));
++
+--
+2.53.0
+
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
--- libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch 1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch 2026-04-11 09:00:17.000000000 +0000
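Review bot: Both range objects and every lookup in the new CVE-2026-40199 block use the dotted-quad spelling, so a packing error applied consistently to ranges and lookups alike would still pass these assertions. Looking up the same address in pure hex form, for example `ok($mapped->find("::ffff:c0a8:101"));` (a constructed sample equal to ::ffff:192.168.1.1), would check that the two spellings produce the same packed key, which is the property the fix is meant to restore. `plan tests => 51` needs raising to match.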
@@ -0,0 +1,29 @@
+From: Stig Palmquist
+Date: Fri, 10 Apr 2026 01:10:22 +0200
+Subject: CVE-2026-40199: Fix IPv4 mapped IPv6 packed length
+Origin: https://github.com/stigtsp/Net-CIDR-Lite/commit/b7166b1fa17b3b14b4c795ace5b3fbf71a0bd04a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40199
+
+_pack_ipv6() incorrectly included the sentinel byte from _pack_ipv4()
+when packing IPv4 mapped addresses. This resulted in incorrect mask and
+comparison operations. Possibly allowing IP ACL bypass via find().
+---
+ Lite.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lite.pm b/Lite.pm
+index acf8f0d3b633..d52efaa8c742 100644
+--- a/Lite.pm
++++ b/Lite.pm
+@@ -208,7 +208,7 @@ sub _pack_ipv6 {
+ return if $ipv4 and @nums > 6;
+ return unless $empty or @nums == ($ipv4 ? 6 : 8);
+ $str =~ s/X/"0" x (($ipv4 ? 25 : 33)-length($str))/e if $empty;
+- pack("H*", "00" . $str).$ipv4;
++ pack("H*", "00" . $str).substr($ipv4, 1);
+ }
+
+ sub _unpack_ipv6 {
+--
+2.53.0
+
diff -Nru libnet-cidr-lite-perl-0.22/debian/patches/series libnet-cidr-lite-perl-0.22/debian/patches/series
--- libnet-cidr-lite-perl-0.22/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libnet-cidr-lite-perl-0.22/debian/patches/series 2026-04-11 09:00:17.000000000 +0000
@@ -0,0 +1,4 @@
+CVE-2026-40198-Reject-invalid-uncompressed-IPv6.patch
+CVE-2026-40198-Add-tests.patch
+CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch
+CVE-2026-40199-Add-tests.patch
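Review bot: In the `_pack_ipv6` hunk of CVE-2026-40199-Fix-IPv4-mapped-IPv6-packed-length.patch, `substr($ipv4, 1)` now runs for every address, including plain IPv6 input where `$ipv4` appears to stay empty (its initialisation is above the hunk; the old `.$ipv4` concatenation suggests an empty string). On an empty string an offset of 1 is past the end, so `substr` returns undef and, with warnings enabled, emits "substr outside of string" and an uninitialized-value warning. Guarding the call keeps the result identical and silent: `pack("H*", "00" . $str) . ($ipv4 ? substr($ipv4, 1) : '');`. The padding on the line above implies a 17-byte result for every valid address, so returning nothing unless the packed length is exactly 17 would make a later change in what `_pack_ipv4` returns fail closed rather than yield a mis-sized key.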