develooper Front page | perl.perl5.porters | Postings from August 2021

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

From: Achim Gratz
Date: August 14, 2021 08:15
Subject: Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC
Message ID: 875yw8l9wc.fsf@Rainer.invalid
"Ricardo Signes" writes:
> I have attached a fix for a bug in Encode, registered as
> CVE-2021-36770.  This bug replaces the contents of @INC with a
> predictable integer, which is treated as a directory relative to the
> current working directory, long enough to execute one "require".

I've decided to put a different fix in Cygwin's Perl:

--8<---------------cut here---------------start------------->8---
--- origsrc/perl-5.32.1/cpan/Encode/Encode.pm
+++ src/perl-5.32.1/cpan/Encode/Encode.pm
@@ -65,8 +65,7 @@
 eval {
     local $SIG{__DIE__};
     local $SIG{__WARN__};
-    local @INC = @INC || ();
-    pop @INC if $INC[-1] eq '.';
+    local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" )) ); # where enc2xs would have installed it
     require Encode::ConfigLocal;
 };
 

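Review bot: the `substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" ))` on the added line assumes the `%INC` value is a plain string ending in `/Encode.pm`; when Encode.pm was pulled in through an `@INC` hook (a coderef or object entry, for which `%INC` records the hook itself rather than a path) or through a differently delimited path, the expression yields an arbitrary, possibly relative, directory and the following `require` would search there, which is the class of problem the CVE fix is meant to close. Guard the value and fall back to an empty list, e.g. `my $dir = $INC{"Encode.pm"};` followed by `local @INC = ( !ref $dir && $dir =~ s{/Encode\.pm\z}{} ) ? ($dir) : ();`. Moving the trailing comment onto its own line would also keep the patched line within the file's usual width.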
--8<---------------cut here---------------end--------------->8---

If Encode.pm already got loaded from an unsafe directory this isn't
making anything worse than it already is, otherwise this prevents any
shenanigans with @INC, intended or not.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
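The context mistake behind CVE-2021-36770 (the `local @INC = @INC || ();` line the patch above removes) and a defensive check on what a `require` would probe, as an added Perl example; this is not code from this post or from Encode.pm, and the @INC list it uses is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Shape of the line the patch above removes: '||' forces its left operand
# into scalar context, so a non-empty list collapses to its element count.
# The "copy" of @INC is therefore a single relative entry such as "3".
sub buggy_inc_copy {
    my @inc = @_;
    my @copy = @inc || ();
    return @copy;
}

# A copy that keeps every entry (plain list assignment, no '||') and then
# drops anything that is neither an absolute directory nor an @INC hook.
sub safe_inc_copy {
    my @inc = @_;
    return grep { ref $_ || File::Spec->file_name_is_absolute($_) } @inc;
}

# Where 'require $module' would probe for each entry of an @INC list.
# Entries that are not absolute resolve against the current directory,
# which is the exposure the CVE describes.
sub require_search_paths {
    my ( $module, @inc ) = @_;
    ( my $file = "$module.pm" ) =~ s{::}{/}g;
    my @paths;
    for my $dir (@inc) {
        next if ref $dir;    # hooks are called, not searched as paths
        my $abs = File::Spec->file_name_is_absolute($dir);
        push @paths, [ "$dir/$file", $abs ? 'absolute' : 'relative to cwd' ];
    }
    return @paths;
}

# Constructed @INC; the trailing '.' is the classic unsafe entry.
my @sample_inc = ( '/usr/lib/perl5', '/usr/share/perl5', '.' );

for my $variant ( [ buggy => [ buggy_inc_copy(@sample_inc) ] ],
                  [ safe  => [ safe_inc_copy(@sample_inc)  ] ] ) {
    my ( $name, $inc ) = @$variant;
    print "$name copy of \@INC: @$inc\n";
    for my $p ( require_search_paths( 'Encode::ConfigLocal', @$inc ) ) {
        print "  would probe $p->[0] ($p->[1])\n";
    }
}
```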
