perl.perl5.porters | Postings from August 2021

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

From: ASSI
Date: August 10, 2021 05:25
Subject: Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC
Message ID: 87o8a5g9c7.fsf@Otto.invalid
Dan Book writes:
> It's quite different to account for the default behavior of Perl up
> until 5.26, than to account for anyone's modification of @INC which
> may have a good reason (and if you want to protect against that, you
> must remove any relative path from @INC, not just '.').

The attack vector doesn't depend on the path being relative.

Looking at enc2xs, I'm wondering if the search path could / should be
restricted to $INC{"Encode.pm"}, which would be safe by default and
explicitly set up to differ from the default by the user otherwise.
While it's possible to put a generated ConfigLocal someplace else after
the fact with the current implementation, enc2xs doesn't seem to support
that scenario consciously.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
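As an added illustration of the search-path restriction proposed in the reply above (this is example code, not Encode's own implementation and not part of the thread): rather than letting `require Encode::ConfigLocal` walk every @INC entry, the loader derives one candidate path from `$INC{"Encode.pm"}` and loads only that file. The function names and the `-f`/absolute-path checks are assumptions of the example.

```perl
#!/usr/bin/env perl
# Example loader that only looks for Encode/ConfigLocal.pm next to the
# Encode.pm that is already loaded, so @INC is never searched for it.
use strict;
use warnings;
use File::Spec;
use File::Basename qw(dirname);
use Encode ();    # populates $INC{"Encode.pm"} with the path actually used

# The single location ConfigLocal.pm is allowed to come from (assumed layout:
# Encode/ConfigLocal.pm beside Encode.pm, as enc2xs -C generates it).
sub config_local_candidate {
    my $encode_pm = $INC{"Encode.pm"}
        or die "Encode.pm is not loaded, cannot derive a search path";
    return File::Spec->catfile(dirname($encode_pm), 'Encode', 'ConfigLocal.pm');
}

# Returns 1 if a ConfigLocal was loaded from the derived path, 0 otherwise.
sub load_config_local {
    my $file = config_local_candidate();
    # A relative result would make the lookup depend on the current working
    # directory, which is exactly the problem reported for @INC; refuse it.
    return 0 unless File::Spec->file_name_is_absolute($file);
    return 0 unless -f $file;
    # `do` with an absolute path loads that file directly and never consults
    # @INC, so no other directory can supply the module.
    my $ok = do $file;
    die "ConfigLocal failed to compile: $@" if $@;
    # Record it the way `require` would, so a later `require Encode::ConfigLocal`
    # is a no-op instead of a second, @INC-wide search.
    $INC{'Encode/ConfigLocal.pm'} = $file;
    return $ok ? 1 : 0;
}

printf "only searching: %s\n", config_local_candidate();
printf "ConfigLocal loaded: %s\n", load_config_local() ? "yes" : "no";
```

On a system without a generated ConfigLocal the script prints the derived path and "no"; with one generated by `enc2xs -C` it is loaded from that path alone.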
