Re: CVE-2021-36770: loads code from outside expected @INC

Achim Gratz
August 14, 2021 08:15
"Ricardo Signes" writes:
> I have attached a fix for a bug in Encode, registered as
> CVE-2021-36770.  This bug replaces the contents of @INC with a
> predictable integer, which is treated as a directory relative to the
> current working directory, long enough to execute one "require".

I've decided to put a different fix in Cygwin's Perl:

--8<---------------cut here---------------start------------->8---
--- origsrc/perl-5.32.1/cpan/Encode/
+++ src/perl-5.32.1/cpan/Encode/
@@ -65,8 +65,7 @@
 eval {
     local $SIG{__DIE__};
     local $SIG{__WARN__};
-    local @INC = @INC || ();
-    pop @INC if $INC[-1] eq '.';
+    local @INC = ( substr( $INC{""}, 0, -length( "/" )) ); # where enc2xs would have installed it
     require Encode::ConfigLocal;

--8<---------------cut here---------------end--------------->8---
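
Review bot: The added `local @INC = ( substr( ..., 0, -length( ... )) );` line trims a fixed number of trailing characters from the `%INC` value without checking that the value is defined and actually ends with the string being measured. If the entry is missing or has a different tail, `@INC` is set to an undefined or arbitrary prefix, and because the surrounding `eval` also localises `$SIG{__DIE__}` and `$SIG{__WARN__}`, nothing reports it. Consider testing the entry first (defined, and the suffix matches) and skipping the `require` when it does not. A relative `%INC` value would also still resolve against the current directory, so it may be worth requiring an absolute path there.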

If already got loaded from an unsafe directory this isn't
making anything worse than it already is, otherwise this prevents any
shenanigans with @INC, intended or not.

+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf rackAttack V1.04R1:
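
The scalar-context collapse described in the quoted advisory text, as an added example that is not part of the original message or of Encode: it applies the two removed lines to a constructed copy of a search path and lists which file a `require Encode::ConfigLocal` would then probe. The sample directories and all helper names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Constructed sample search path; the real @INC is never modified here.
my @sample_inc = ('/usr/lib/perl5/site_perl', '/usr/lib/perl5/5.32', '.');

# The two removed lines, applied to a copy. "||" evaluates its left
# operand in scalar context, so the array collapses to its element count.
sub removed_logic {
    my @inc = @_;
    @inc = @inc || ();
    pop @inc if $inc[-1] eq '.';
    return @inc;
}

# Dropping a trailing "." without the collapse. One possible rewrite,
# shown only for comparison; it is not the fix from either patch.
sub drop_trailing_dot {
    my @inc = @_;
    pop @inc if @inc && $inc[-1] eq '.';
    return @inc;
}

# Files that "require Encode::ConfigLocal" would probe for a given list.
sub probe_paths {
    return map { "$_/Encode/ConfigLocal.pm" } @_;
}

# Plain-string entries that resolve against the current working directory.
sub relative_entries {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @_;
}

for my $case ([removed   => removed_logic(@sample_inc)],
              [rewritten => drop_trailing_dot(@sample_inc)]) {
    my ($name, @inc) = @$case;
    print "$name: (@inc)\n";
    print "  probes $_\n" for probe_paths(@inc);
    print "  relative to cwd: $_\n" for relative_entries(@inc);
}
```

The `relative_entries` check can be pointed at a live `@INC` to flag any entry whose meaning depends on the current working directory.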
