
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-29922 affects the Rust standard library's net parser (library/std/src/net/parser.rs) in versions before 1.53.0. The vulnerability stems from improper handling of extraneous zero characters at the beginning of IP address strings, which can lead to unexpected octal interpretation (NVD, Rust Issue).
The vulnerability exists in the IP address parsing functionality, where leading zeros in IP address octets are silently accepted rather than being treated as octal. For example, an IP address like '0127.0.0.1' would be interpreted as '87.0.0.1' by the system (which reads the leading zero as an octal prefix) but parsed as '127.0.0.1' by the vulnerable Rust code. The vulnerability has a CVSS v3.1 base score of 9.1 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (SICK Advisory).
The vulnerability can allow attackers to bypass access control mechanisms that are based on IP addresses. For example, an attacker can submit exploitable IP addresses when an octet is three digits long, with values ranging from 08 (Denial of Service) to 099. This can lead to Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks on applications that rely on rust-lang std::net (SICK Advisory).
The vulnerability was fixed in Rust version 1.53.0 by disallowing octal format in IPv4 address strings. Users should upgrade to Rust version 1.53.0 or later. The fix implements strict parsing as recommended by IETF RFC 6943, which suggests disallowing octal/hexadecimal format in IPv4 strings altogether (Rust PR).
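The following Rust program is an added example, not code from the Rust standard library or from the advisory, that shows the two interpretations the entry describes side by side. `parse_ipv4_strict` mirrors the post-1.53.0 rule (four decimal octets, no leading zeros), `parse_ipv4_legacy_octal` is a constructed stand-in for an inet_aton-style resolver that reads a 0-prefixed octet as octal, and `is_ambiguous_ipv4` flags any string on which the two disagree, which is the check an application performing IP-based access control would want before trusting a parsed address. All function names and the sample inputs are this example's own.

```rust
use std::net::Ipv4Addr;

/// Strict dotted-decimal parser (added example, mirroring the rule Rust 1.53.0
/// adopted): exactly four decimal octets, each 0..=255, and no leading zeros
/// other than the single digit "0".
fn parse_ipv4_strict(s: &str) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return None;
    }
    let mut octets = [0u8; 4];
    for (i, p) in parts.iter().enumerate() {
        if p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        // A zero followed by more digits is the ambiguous, octal-looking form.
        if p.len() > 1 && p.starts_with('0') {
            return None;
        }
        // u8::from_str rejects anything above 255.
        octets[i] = p.parse::<u8>().ok()?;
    }
    Some(Ipv4Addr::from(octets))
}

/// Constructed stand-in for an inet_aton-style resolver: a 0-prefixed octet is
/// read as octal. Other legacy quirks (hex octets, fewer than four parts) are
/// deliberately not modelled; only the disagreement discussed on this page is.
fn parse_ipv4_legacy_octal(s: &str) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return None;
    }
    let mut octets = [0u8; 4];
    for (i, p) in parts.iter().enumerate() {
        if p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        let value = if p.len() > 1 && p.starts_with('0') {
            // "08" and "09" contain non-octal digits and fail here, which is
            // the Denial of Service case the advisory text refers to.
            u32::from_str_radix(&p[1..], 8).ok()?
        } else {
            p.parse::<u32>().ok()?
        };
        if value > 255 {
            return None;
        }
        octets[i] = value as u8;
    }
    Some(Ipv4Addr::from(octets))
}

/// True when the strict parser rejects the string or the two interpretations
/// disagree: such input must never pass an IP-based allowlist or blocklist check.
fn is_ambiguous_ipv4(s: &str) -> bool {
    match (parse_ipv4_strict(s), parse_ipv4_legacy_octal(s)) {
        (Some(a), Some(b)) => a != b,
        _ => true,
    }
}

fn main() {
    // Constructed sample inputs; "0127.0.0.1" is the page's own example.
    for input in ["127.0.0.1", "0127.0.0.1", "08.0.0.1", "0.0.0.0", "10.1.1.010"] {
        println!(
            "{:>12}: strict={:?} legacy={:?} ambiguous={}",
            input,
            parse_ipv4_strict(input),
            parse_ipv4_legacy_octal(input),
            is_ambiguous_ipv4(input)
        );
    }
}
```

Running it shows '0127.0.0.1' rejected by the strict parser but read as 87.0.0.1 by the legacy one, and '08.0.0.1' rejected by both, so both are reported as ambiguous; plain '127.0.0.1' parses identically on both sides. On a toolchain older than 1.53.0, replacing the strict check with a wrapper that refuses any octet matching the leading-zero rule gives the same protection without waiting for the upgrade.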
The vulnerability was presented at DEF CON 29 by the researchers who discovered it. The fix was implemented quickly by the Rust team, with the pull request being merged within a day of the issue being reported (DEFCON).
Source: This report was generated using AI