Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

On Tue, Aug 10, 2021 at 1:25 AM ASSI <Stromeko@nexgo.de> wrote:

> Dan Book writes:
> > It's quite different to account for the default behavior of Perl up
> > until 5.26, than to account for anyone's modification of @INC which
> > may have a good reason (and if you want to protect against that, you
> > must remove any relative path from @INC, not just '.').
>
> The attack vector doesn't depend on the path being relative.
>

What do you mean by this? This is the entire reason that the current
working directory in @INC is a vulnerability. Other relative paths are also
treated as relative to the current working directory.

-Dan

• CVE-2021-36770: Encode.pm loads code from outside expected @INC by Ricardo Signes
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Leon Timmermans
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by ASSI
• Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book
• [Encode] 3.12 Released, update NOW to address CVE-2021-36770 by Dan Kogai
• [Encode] 3.13 Released by Dan Kogai
• [Encode] 3.14 Released by Dan Kogai
• Re: [Encode] 3.14 Released by Eric Wong
• [Encode] 3.15 Released by Dan Kogai
• [Encode] 3.16 Released by Dan Kogai
• [Encode] 3.17 Released by Dan Kogai
• [Encode] 3.18 Released by Dan Kogai
• [Encode] 3.19 Released by Dan Kogai
• Re: [Encode] 3.19 Released by James E Keenan
• Re: [Encode] 3.18 Released by Yuki Kimoto
• Re: [Encode] 3.15 Released by James E Keenan
• leak testing modules [was: [Encode] 3.15 Released] by Eric Wong
• Leak testing WAS Re: leak testing modules [was: [Encode] 3.15Released] by Felipe Gasper
• Re: leak testing modules [was: [Encode] 3.15 Released] by Paul "LeoNerd" Evans
• Re: leak testing modules [was: [Encode] 3.15 Released] by Eric Wong
• Re: leak testing modules [was: [Encode] 3.15 Released] by H.Merijn Brand
• Re: [Encode] 3.13 Released by Yuki Kimoto