Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC - nntp.perl.org

Front page | perl.perl5.porters | Postings from August 2021

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

Thread Previous | Thread Next

From:

Dan Book

Date:

August 10, 2021 06:40

Subject:

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

Message ID:

CABMkAVUaw37SmU62+Js2j+vKrmw5ubKg6xmKTuizsRsm7WykZQ@mail.gmail.com

On Tue, Aug 10, 2021 at 1:25 AM ASSI <Stromeko@nexgo.de> wrote:

> Dan Book writes:
> > It's quite different to account for the default behavior of Perl up
> > until 5.26, than to account for anyone's modification of @INC which
> > may have a good reason (and if you want to protect against that, you
> > must remove any relative path from @INC, not just '.').
>
> The attack vector doesn't depend on the path being relative.
>

What do you mean by this? This is the entire reason that the current
working directory in @INC is a vulnerability. Other relative paths are also
treated as relative to the current working directory.

-Dan

Thread Previous | Thread Next

CVE-2021-36770: Encode.pm loads code from outside expected @INC by Ricardo Signes

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz
Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Leon Timmermans

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Achim Gratz

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by ASSI

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC by Dan Book

[Encode] 3.12 Released, update NOW to address CVE-2021-36770 by Dan Kogai

[Encode] 3.13 Released by Dan Kogai

[Encode] 3.14 Released by Dan Kogai

Re: [Encode] 3.14 Released by Eric Wong

[Encode] 3.15 Released by Dan Kogai

[Encode] 3.16 Released by Dan Kogai
Re: [Encode] 3.15 Released by James E Keenan

leak testing modules [was: [Encode] 3.15 Released] by Eric Wong

Leak testing WAS Re: leak testing modules [was: [Encode] 3.15Released] by Felipe Gasper
Re: leak testing modules [was: [Encode] 3.15 Released] by Paul "LeoNerd" Evans

Re: leak testing modules [was: [Encode] 3.15 Released] by Eric Wong

Re: leak testing modules [was: [Encode] 3.15 Released] by H.Merijn Brand

Re: [Encode] 3.13 Released by Yuki Kimoto

nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About