On Sat, Aug 14, 2021 at 4:15 AM Achim Gratz <Stromeko@nexgo.de> wrote:
> "Ricardo Signes" writes:
> > I have attached a fix for a bug in Encode, registered as
> > CVE-2021-36770. This bug replaces the contents of @INC with a
> > predictable integer, which is treated as a directory relative to the
> > current working directory, long enough to execute one "require".
>
> I've decided to put a different fix in Cygwin's Perl:
>
> --8<---------------cut here---------------start------------->8---
> --- origsrc/perl-5.32.1/cpan/Encode/Encode.pm
> +++ src/perl-5.32.1/cpan/Encode/Encode.pm
> @@ -65,8 +65,7 @@
> eval {
> local $SIG{__DIE__};
> local $SIG{__WARN__};
> - local @INC = @INC || ();
> - pop @INC if $INC[-1] eq '.';
> + local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" ))
> ); # where enc2xs would have installed it
> require Encode::ConfigLocal;
> };
>
> --8<---------------cut here---------------end--------------->8---

A less fragile version of this would be:

    require File::Basename;
    local @INC = File::Basename::dirname($INC{'Encode.pm'});

-Dan
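Review bot: the added `+ local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" )) );` line derives the directory by chopping a fixed 10 characters off the end, so it silently yields a wrong path whenever the recorded %INC entry does not end in exactly `/Encode.pm` (a backslash separator on a non-Cygwin Win32 build, for instance); `File::Basename::dirname($INC{'Encode.pm'})`, as proposed in the reply, handles that. Note also that, unlike the removed `pop @INC if $INC[-1] eq '.';`, the new line narrows the search to the single directory that holds Encode.pm, so an Encode::ConfigLocal installed in any other lib tree is no longer loaded; the trailing `# where enc2xs would have installed it` comment records the intent, but that behaviour change belongs in the commit message as well. Finally, the header `@@ -65,8 +65,7 @@` claims eight old lines while only seven are shown, so one context line (probably a blank one) was lost in the mail and the patch will not apply as quoted.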
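An added illustration, not code from either message, of what each of the three lines discussed above actually leaves in @INC; the Encode.pm path and the starting @INC are constructed sample values:

```perl
#!/usr/bin/perl
# Compares the CVE-2021-36770 line with the substr() and dirname() replacements.
use strict;
use warnings;
use File::Basename ();

# Constructed sample: pretend Encode.pm was loaded from this path by this @INC.
local $INC{'Encode.pm'} = '/usr/lib/perl5/5.32/x86_64-cygwin-threads/Encode.pm';
local @INC = ( '/usr/lib/perl5/site_perl/5.32', '/usr/lib/perl5/5.32', '.' );

# The buggy line: '||' evaluates @INC in scalar context, so the array collapses
# to its element count (3 here) and a later require searches the relative
# directory "./3" instead of the real library path.
{
    local @INC = @INC || ();
    print "buggy  : @INC\n";    # buggy  : 3
}

# The Cygwin replacement: strips the trailing "/Encode.pm" by character count,
# which is only right when the recorded path ends in exactly that suffix.
{
    local @INC = ( substr( $INC{'Encode.pm'}, 0, -length('/Encode.pm') ) );
    print "substr : @INC\n";    # substr : /usr/lib/perl5/5.32/x86_64-cygwin-threads
}

# The dirname() variant from the reply: same directory here, but it also copes
# with whatever separator or relative prefix the loader recorded in %INC.
{
    local @INC = ( File::Basename::dirname( $INC{'Encode.pm'} ) );
    print "dirname: @INC\n";    # dirname: /usr/lib/perl5/5.32/x86_64-cygwin-threads
}
```

Both replacements reduce @INC to one directory, so a ConfigLocal installed anywhere else is not found; that is the trade-off the Cygwin comment alludes to.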