Porters,

Encode 3.12 is released to address the issue below, which is a SECURITY FIX. UPDATE NOW.

> On Aug 9, 2021, at 21:27, Ricardo Signes <perl.p5p@rjbs.manxome.org> wrote:
>
> Porters,
>
> I have attached a fix for a bug in Encode, registered as CVE-2021-36770. This bug replaces the contents of @INC with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one "require".
>
> The vulnerability was introduced in Encode v3.05, here: dankogai/p5-encode@9c5f5a3 It was shipped with perl v5.32 and v5.34.
>
> A simple proof of concept:
>
> dinah:~/tmp$ perl -MEncode -e0
> dinah:~/tmp$ perl -E 'say scalar @INC'
> 4
> dinah:~/tmp$ mkdir -p 4/Encode
> dinah:~/tmp$ echo 'print "Something evil here!!\n"' > 4/Encode/ConfigLocal.pm
> dinah:~/tmp$ perl -MEncode -e0
> Something evil here!!
>
> A new release of Encode should be available from the CPAN today, and will be swiftly integrated into perl5.git. I expect this fix will shortly be available from major distributors of perl. In the meantime, I have applied a patch to the repository.
>
> This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.
>
> --
> rjbs
> <0001-mitigate-INC-pollution-when-loading-ConfigLocal.patch>

=head1 Availability

* git clone git://github.com/dankogai/p5-encode.git
* https://www.dan.co.jp/~dankogai/cpan/Encode-3.12.tar.gz
* CPAN near you.

Travis is all green.

* https://travis-ci.org/dankogai/p5-encode

=head1 CPAN index

User: DANKOGAI ()
Distribution file: Encode-3.12.tar.gz
Number of files: 225
*.pm files: 26
README: Encode-3.12/README
META-File: Encode-3.12/META.json
META-Parser: Parse::CPAN::Meta 1.4414
META-driven index: no
Timestamp of file: Mon Aug 9 14:30:33 2021 UTC
Time of this run: Mon Aug 9 14:33:28 2021 UTC

=head1 Changes

$Revision: 3.12 $ $Date: 2021/08/09 14:17:04 $
! Encode.pm
  Address CVE-2021-36770
  <9639159a-d070-4762-9cbd-f1622f10449c@beta.fastmail.com>

=head1 AUTHOR

Dan the Encode Maintainer
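The following is an added illustration of the bug class described in the quoted message (a local copy of @INC collapsing to a single integer, which perl then treats as a directory relative to the current working directory). It is not Encode's source nor the attached patch: the `@INC || ()` idiom is an assumed, plausible way to produce exactly that symptom, and the `hardened_inc_copy`, `relative_inc_entries` and `require_with_absolute_inc` helpers are hypothetical defensive code, written here to show how to audit @INC for relative entries before a `require`.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Spec;

# Added example (not Encode's code). The `@INC || ()` idiom is an ASSUMED
# illustration of the bug class, not a quote of the Encode source: `||`
# evaluates its left operand in scalar context, so an array collapses to
# its element count and the "copy" becomes a list holding one integer.
sub broken_inc_copy {
    my @copy = @INC || ();      # scalar context: @copy is (N), e.g. (4)
    return @copy;
}

# Hypothetical hardened copy: a plain list assignment keeps every path,
# and the grep drops anything that is not an absolute path ('.', '' or a
# bare integer), since those resolve against the current directory.
# Refs are @INC hooks (code refs / objects), not directories; keep them.
sub hardened_inc_copy {
    return grep { ref($_) || File::Spec->file_name_is_absolute($_) } @INC;
}

# Return the entries of the given list (default: @INC) that perl would
# resolve relative to the current working directory.
sub relative_inc_entries {
    my @inc = @_ ? @_ : @INC;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Guard for a require that must not be influenced by the caller's cwd:
# refuse to load anything while @INC still contains a relative entry.
sub require_with_absolute_inc {
    my ($module) = @_;
    my @bad = relative_inc_entries();
    die "refusing to load $module: relative \@INC entries (@bad)\n" if @bad;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return require $file;
}

unless (caller) {
    my @polluted = broken_inc_copy();
    print "broken copy of \@INC: (@polluted)\n";
    print "polluted entries resolved against cwd: (",
          join(' ', relative_inc_entries(@polluted)), ")\n";
    my @hardened = hardened_inc_copy();
    printf "hardened copy keeps %d entries, none relative\n", scalar @hardened;

    # Simulate the polluted state and show the guard rejecting the load.
    local @INC = @polluted;
    eval { require_with_absolute_inc('Encode::ConfigLocal'); 1 }
        or print "guard: $@";
}
```

Run it with `perl example.pl`: the broken copy prints a single integer (the size of your @INC), the audit flags that integer as a relative entry, and the guard dies instead of searching a directory named after it. On perls older than 5.26, where @INC still ends in `.`, the guard will also refuse loads in an unmodified process, which is the point: any relative @INC entry lets the current working directory decide what `require` loads.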