[Encode] 3.12 Released, update NOW to address CVE-2021-36770

Porters,

Encode 3.12 is released to address the issue below which is a SECURITY FIX. UPDATE NOW.

> On Aug 9, 2021, at 21:27, Ricardo Signes <perl.p5p@rjbs.manxome.org> wrote:
> 
> Porters,
> 
> I have attached a fix for a bug in Encode, registered as CVE-2021-36770.  This bug replaces the contents of @INC with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one "require".
> 
> The vulnerability was introduced in Encode v3.05, here: dankogai/p5-encode@9c5f5a3  It was shipped with perl v5.32 and v5.34.
> 
> A simple proof of concept:
> 
> dinah:~/tmp$ perl -MEncode -e0
> dinah:~/tmp$ perl -E 'say scalar @INC'
> 4
> dinah:~/tmp$ mkdir -p 4/Encode
> dinah:~/tmp$ echo 'print "Something evil here!!\n"' > 4/Encode/ConfigLocal.pm
> dinah:~/tmp$ perl -MEncode -e0
> Something evil here!!
> 
> 
> A new release of Encode should be available from the CPAN today, and will be swiftly integrated into perl5.git.  I expect this fix will shortly be available from major distributors of perl.  In the meantime, I have applied a patch to the repository.
> 
> This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.
> 
> --
> rjbs
> <0001-mitigate-INC-pollution-when-loading-ConfigLocal.patch>

head1 Availability

* git clone git://github.com/dankogai/p5-encode.git
* https://www.dan.co.jp/~dankogai/cpan/Encode-3.12.tar.gz
* CPAN near you.

Travis is all green.

* https://travis-ci.org/dankogai/p5-encode

=head1 CPAN index

 User: DANKOGAI ()
 Distribution file: Encode-3.12.tar.gz
 Number of files: 225
 *.pm files: 26
 README: Encode-3.12/README
 META-File: Encode-3.12/META.json
 META-Parser: Parse::CPAN::Meta 1.4414
 META-driven index: no
 Timestamp of file: Mon Aug  9 14:30:33 2021 UTC
 Time of this run: Mon Aug  9 14:33:28 2021 UTC

=head1 Changes

$Revision: 3.12 $ $Date: 2021/08/09 14:17:04 $
! Encode.pm
  Address CVE-2021-36770
  <9639159a-d070-4762-9cbd-f1622f10449c@beta.fastmail.com>

=head1 AUTHOR

Dan the Encode Maintainer

• CVE-2021-36770: Encode.pm loads code from outside expected @INC by Ricardo Signes
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Leon Timmermans
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by ASSI
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• [Encode] 3.12 Released, update NOW to address CVE-2021-36770 by Dan Kogai
• [Encode] 3.13 Released by Dan Kogai
• [Encode] 3.14 Released by Dan Kogai
• Re: [Encode] 3.14 Released by Eric Wong
• [Encode] 3.15 Released by Dan Kogai
• [Encode] 3.16 Released by Dan Kogai
• Re: [Encode] 3.15 Released by James E Keenan
• leak testing modules [was: [Encode] 3.15 Released] by Eric Wong
• Leak testing WAS Re: leak testing modules [was: [Encode] 3.15Released] by Felipe Gasper
• Re: leak testing modules [was: [Encode] 3.15 Released] by Paul "LeoNerd" Evans
• Re: leak testing modules [was: [Encode] 3.15 Released] by Eric Wong
• Re: leak testing modules [was: [Encode] 3.15 Released] by H.Merijn Brand
• Re: [Encode] 3.13 Released by Yuki Kimoto