perl.perl5.porters | Postings from August 2021

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

From: Achim Gratz
Date: August 9, 2021 21:03
Subject: Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC
Message ID: 87r1f249gw.fsf@Rainer.invalid
"Ricardo Signes" writes:
> diff --git a/Encode.pm b/Encode.pm
> index a56a999..9691382 100644
> --- a/Encode.pm
> +++ b/Encode.pm
> @@ -65,8 +65,8 @@ require Encode::Config;
>  eval {
>      local $SIG{__DIE__};
>      local $SIG{__WARN__};
> -    local @INC = @INC || ();
> -    pop @INC if $INC[-1] eq '.';
> +    local @INC = @INC;
> +    pop @INC if @INC && $INC[-1] eq '.';
>      require Encode::ConfigLocal;
>  };
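Review bot: the guard `pop @INC if @INC && $INC[-1] eq '.'` still strips "." only when it is the last element; a "." (or any other relative entry) earlier in @INC is still searched relative to the current directory, so a position-independent filter such as `local @INC = grep { $_ ne '.' } @INC;` would be the more robust replacement for both lines. A comment on why `@INC || ()` was wrong would also help future readers: `||` puts its left operand in scalar context, so the old line stored the element count as the single, relative search path instead of the paths themselves. With `$SIG{__DIE__}` and `$SIG{__WARN__}` localised inside the eval, a wrong search path fails silently, so the fix should come with a test that exercises Encode::ConfigLocal.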

Hmm, the original change in 3.05 looks… planted; and since Encode.pm is
XS-ed it gets baked in pretty hard.  Since that change precludes any
attempt to use Encode::ConfigLocal as intended, this also shows that the
distribution is missing a test for this functionality and that
practically nobody is using it, or it should have been caught much
earlier.  :-(

Going back to CVE-2016-1238, why is "." in @INC only removed when it's
at the end (which used to be where it was by default)?  Shouldn't it be
sanitized regardless of position, or even more generally any
world-writable components of @INC?


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables
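The two points raised above, the scalar-context mistake in the 3.05 line and a position-independent @INC sanitiser that also drops world-writable directories, as an added example that is not part of the original post, of Encode.pm or of the quoted patch. The function name sanitise_inc(), the scratch directories it is run against and the POSIX permission check are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from Encode.pm or from the patch quoted above.
# (1) why `local @INC = @INC || ()` misbehaved, and (2) a position-independent
# @INC filter of the kind asked about, which also drops world-writable
# directories. sanitise_inc() and the scratch directories are assumptions
# made for this demo (POSIX permissions assumed), not part of Encode.
use strict;
use warnings;
use Fcntl ':mode';              # S_IWOTH
use File::Spec;
use File::Temp qw(tempdir);

# (1) `||` evaluates its left operand in scalar context, so `@INC || ()`
#     is the element COUNT, not the paths. The local copy then holds one
#     relative entry (e.g. "4"), which require() resolves against cwd.
sub buggy_copy { my @inc = @_; return (@inc || ()); }
sub fixed_copy { my @inc = @_; return @inc; }

# (2) Stricter than `pop @INC if $INC[-1] eq '.'`: keep @INC hooks (refs),
#     drop "." and every other relative entry wherever it appears, and drop
#     absolute directories that are missing or writable by "other".
sub sanitise_inc {
    my @clean;
    for my $entry (@_) {
        if (ref $entry) { push @clean, $entry; next }   # coderef/object hooks pass through
        next unless File::Spec->file_name_is_absolute($entry);
        my @st = stat $entry or next;                   # missing dir could be created later
        next if $st[2] & S_IWOTH;                       # world-writable, sticky bit or not
        push @clean, $entry;
    }
    return @clean;
}

# Constructed search path for the demo: one private directory, one
# world-writable one, a relative "lib" and the trailing "." the patch pops.
my $base = tempdir(CLEANUP => 1);
my ($private, $shared) = ("$base/site_perl", "$base/scratch");
mkdir $private, 0755 or die "mkdir $private: $!";
mkdir $shared,  0777 or die "mkdir $shared: $!";
chmod 0777, $shared;            # umask may have masked the mkdir mode
my @demo_inc = ($private, $shared, 'lib', '.');

print "buggy copy:  @{[ buggy_copy(@demo_inc) ]}\n";
print "fixed copy:  @{[ fixed_copy(@demo_inc) ]}\n";
print "sanitised:   @{[ sanitise_inc(@demo_inc) ]}\n";

# The same eval shape Encode.pm uses, but under a sanitised local @INC.
eval {
    local $SIG{__DIE__};
    local $SIG{__WARN__};
    local @INC = sanitise_inc(@INC);
    require Encode::ConfigLocal;    # absent on most installations; fails quietly
};
print 'Encode::ConfigLocal ',
    ($INC{'Encode/ConfigLocal.pm'} ? 'loaded' : 'not loaded'), "\n";
```

buggy_copy() returns the single element count of its argument list, which is exactly the relative search path the 3.05 code handed to require; fixed_copy() returns the list unchanged, as the patch does. sanitise_inc() keeps only the private absolute directory from the constructed list: the world-writable scratch directory, the relative "lib" and "." are all dropped regardless of where they sit. The sticky bit is deliberately not treated as an exemption, since it only stops other users deleting files in a directory, not creating Encode/ConfigLocal.pm in it.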
