Porters,
I have attached a fix for a bug in Encode, registered as CVE-2021-36770. This bug replaces the contents of @INC with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one "require".
The vulnerability was introduced in Encode v3.05, here: dankogai/p5-encode@9c5f5a3 <https://github.com/dankogai/p5-encode/commit/9c5f5a307863b66d>. It was shipped with perl v5.32 and v5.34.
A simple proof of concept:
dinah:~/tmp$ perl -MEncode -e0
dinah:~/tmp$ perl -E 'say scalar @INC'
4
dinah:~/tmp$ mkdir -p 4/Encode
dinah:~/tmp$ echo 'print "Something evil here!!\n"' > 4/Encode/ConfigLocal.pm
dinah:~/tmp$ perl -MEncode -e0
Something evil here!!
A new release of Encode should be available from the CPAN today, and will be swiftly integrated into perl5.git. I expect this fix will shortly be available from major distributors of perl. In the meantime, I have applied a patch to the repository.
This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.
--
rjbs
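As an added example, not part of rjbs's post or of the Encode distribution: a read-only probe that tells you whether the perl it runs under still has the @INC clobbering described above. It wraps require so that @INC can be inspected at the exact moment Encode asks for Encode::ConfigLocal, before the "local" that restores @INC has run; all function and variable names in it are my own, and it assumes Encode is not already loaded (run it as "perl probe.pl", not with -MEncode).

```perl
#!/usr/bin/perl
# Probe for CVE-2021-36770 behaviour: does loading Encode search for
# Encode::ConfigLocal with @INC reduced to a single integer?
use strict;
use warnings;

our @INC_AT_CONFIGLOCAL;   # snapshot of @INC during the inner require
our $SAW_CONFIGLOCAL = 0;  # did Encode.pm ask for Encode::ConfigLocal at all?

BEGIN {
    # Install the override before Encode.pm is compiled, so the
    # "require Encode::ConfigLocal" inside Encode.pm goes through it too.
    *CORE::GLOBAL::require = sub {
        my ($what) = @_;
        if (defined $what && $what eq 'Encode/ConfigLocal.pm') {
            $SAW_CONFIGLOCAL    = 1;
            @INC_AT_CONFIGLOCAL = @INC;
        }
        return CORE::require($what);
    };
}

# In the affected versions @INC is replaced by its old element count, e.g. (4)
# in the post's transcript, which perl then treats as the directory "./4".
sub inc_is_clobbered {
    my @inc = @_;
    return @inc == 1 && defined $inc[0] && $inc[0] =~ /\A[0-9]+\z/;
}

die "Encode.pm is already loaded; start perl without -MEncode\n"
    if exists $INC{'Encode.pm'};

require Encode;   # triggers Encode's own require of Encode::ConfigLocal

if (!$SAW_CONFIGLOCAL) {
    print "Encode $Encode::VERSION never asked for Encode::ConfigLocal; nothing to check\n";
}
elsif (inc_is_clobbered(@INC_AT_CONFIGLOCAL)) {
    print "VULNERABLE: Encode $Encode::VERSION searched for Encode::ConfigLocal with",
          " \@INC = ($INC_AT_CONFIGLOCAL[0]), i.e. the directory",
          " '$INC_AT_CONFIGLOCAL[0]' under the current working directory\n";
}
else {
    print "OK: Encode $Encode::VERSION searched for Encode::ConfigLocal using the",
          " normal ", scalar(@INC_AT_CONFIGLOCAL), "-entry \@INC\n";
}
```

The check is behavioural rather than version-based, so it does not need to know the version that carries the fix; it only reports what the installed Encode actually does.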