UIF bug: Caused by flawed IPv6 DNS resolving in Perl's NetAddr::IP

TL;DR: If you use NetAddr::IP->new6() for resolving DNS names to IPv6 addresses, the addresses returned by NetAddr::IP are not what you might expect. See below for details.

Issue #2 in UIF

Over the last couple of days, I tried to figure out the cause of a weird issue observed in UIF (Universal Internet Firewall [1], a nice Perl tool for setting up ip(6)tables-based firewalls).

Quite a while ago, I stumbled over a weird issue with resolving DNS names to IPv6 addresses in UIF, which I reported as issue #2 [2] against upstream UIF back then.

I happen to be co-author of UIF. So, I felt very ashamed all the time for not fixing the issue any sooner.

As many of us DDs (Debian Developers) try to get our packages into shape before the next Debian release these days, I find myself doing the same. I started investigating the underlying cause of issue #2 in UIF a couple of days ago.

Issue #119858 on CPAN

Today, I figured out that the Perl code in UIF is not causing the observed phenomenon. The same behaviour is reproducible with a minimal, pure NetAddr::IP based Perl script (reported as Debian bug #851388 [2]). Thanks to Gregor Herrmann for forwarding the Debian bug upstream (#119858 [3]).

Here is the example script that shows the flawed behaviour:

#!/usr/bin/perl

use NetAddr::IP;

my $hostname = "google-public-dns-a.google.com";

# new6() is documented as the IPv6 constructor, new() as the IPv4 one;
# both are handed the same DNS name here.
my $ip6 = NetAddr::IP->new6($hostname);
my $ip4 = NetAddr::IP->new($hostname);

print "$ip6 <- WTF???\n";
print "$ip4\n";

exit(0);

... gives...

[mike@minobo ~]$ ./netaddr-ip_resolv-ipv6.pl
0:0:0:0:0:0:808:808/128 <- WTF???
8.8.8.8/32

In words...

So what happens in NetAddr::IP is that with the new6() "constructor" you initialize a new IPv6 address. If the argument is a DNS name, NetAddr::IP internally resolves it to an IPv4 address and embeds that IPv4 address in an IPv6 address; in the output above 8.8.8.8 ends up in the low 32 bits, giving the deprecated IPv4-compatible form ::8.8.8.8, printed as 0:0:0:0:0:0:808:808. This bogus IPv6 address is not the one matching the given DNS name (its AAAA record).
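A defensive way to get the real AAAA answer instead, as an added example that is not part of the original post or of UIF: it resolves the name with Socket's getaddrinfo() restricted to AF_INET6 and rejects any NetAddr::IP object that falls into the IPv4-compatible (::/96) or IPv4-mapped (::ffff:0:0/96) ranges, which is where new6() hides an IPv4 answer. It assumes a Socket module new enough to export getaddrinfo() and getnameinfo() (1.94 or later); the helper names resolve_ipv6 and is_embedded_ipv4 are mine.

```perl
#!/usr/bin/perl
# Added example, not from the original post: resolve a DNS name to a native
# IPv6 address and refuse the IPv4-in-IPv6 results that new6() hands back.
use strict;
use warnings;
use NetAddr::IP;
use Socket qw(getaddrinfo getnameinfo AF_INET6 SOCK_STREAM
              NI_NUMERICHOST NIx_NOSERV);

# Prefixes in which an IPv4 address can be embedded: IPv4-compatible (::/96,
# as in the 0:0:0:0:0:0:808:808 output above) and IPv4-mapped (::ffff:0:0/96).
my @ipv4_in_ipv6 = map { NetAddr::IP->new6($_) } ('::/96', '::ffff:0:0/96');

# True if $ip is not a native IPv6 address but an IPv4 address in disguise.
sub is_embedded_ipv4 {
    my ($ip) = @_;
    return 1 if $ip->version != 6;
    for my $net (@ipv4_in_ipv6) {
        return 1 if $net->contains($ip);
    }
    return 0;
}

# Resolve $hostname via AAAA only; returns a list of NetAddr::IP objects.
sub resolve_ipv6 {
    my ($hostname) = @_;
    my ($err, @res) = getaddrinfo($hostname, "",
        { family => AF_INET6, socktype => SOCK_STREAM });
    die "getaddrinfo($hostname): $err\n" if $err;
    my @ips;
    for my $r (@res) {
        # Turn the packed sockaddr into a numeric address string.
        my ($nerr, $addr) = getnameinfo($r->{addr}, NI_NUMERICHOST, NIx_NOSERV);
        die "getnameinfo: $nerr\n" if $nerr;
        my $ip = NetAddr::IP->new6($addr)
            or die "NetAddr::IP could not parse '$addr'\n";
        push @ips, $ip unless is_embedded_ipv4($ip);   # belt and braces
    }
    return @ips;
}

my $hostname = shift // "google-public-dns-a.google.com";

# What the post complains about: new6() with a name yields an embedded IPv4.
my $bogus = NetAddr::IP->new6($hostname) or die "new6($hostname) failed\n";
printf "new6('%s') gives %s, embedded IPv4: %s\n",
    $hostname, $bogus, is_embedded_ipv4($bogus) ? "yes" : "no";

print "AAAA: $_\n" for resolve_ipv6($hostname);
```

Run it with a host name as the only argument; it needs working DNS, and a name without AAAA records yields an empty list rather than a disguised IPv4 address.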

Impacted Software in Debian

Various Debian packages use NetAddr::IP and may be affected by this flaw; here is an incomplete list (use apt-rdepends -r libnetaddr-ip-perl for the complete list):

  • spamassassin
  • postgrey
  • postfix-policyd-spf-perl
  • mtpolicyd
  • xen-tools
  • fwsnort
  • freeip-server
  • 389-ds
  • uif

Any of the above packages could be affected if NetAddr::IP->new6(<dnsname>) is being used. I haven't checked any of the code bases, but the corresponding maintainers may want to do that.

References

light+love
Mike