On Sat, Aug 14, 2021 at 7:21 PM Dan Book <grinnz@gmail.com> wrote:
> On Sat, Aug 14, 2021 at 1:18 PM Dan Book <grinnz@gmail.com> wrote:
>
>> On Sat, Aug 14, 2021 at 4:15 AM Achim Gratz <Stromeko@nexgo.de> wrote:
>>
>>> "Ricardo Signes" writes:
>>> > I have attached a fix for a bug in Encode, registered as
>>> > CVE-2021-36770. This bug replaces the contents of @INC with a
>>> > predictable integer, which is treated as a directory relative to the
>>> > current working directory, long enough to execute one "require".
>>>
>>> I've decided to put a different fix in Cygwin's Perl:
>>>
>>> --8<---------------cut here---------------start------------->8---
>>> --- origsrc/perl-5.32.1/cpan/Encode/Encode.pm
>>> +++ src/perl-5.32.1/cpan/Encode/Encode.pm
>>> @@ -65,8 +65,7 @@
>>> eval {
>>> local $SIG{__DIE__};
>>> local $SIG{__WARN__};
>>> - local @INC = @INC || ();
>>> - pop @INC if $INC[-1] eq '.';
>>> + local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm"
>>> )) ); # where enc2xs would have installed it
>>> require Encode::ConfigLocal;
>>> };
>>>
>>> --8<---------------cut here---------------end--------------->8---
>>>
>>
>> A less fragile version of this would be:
>>
>> require File::Basename;
>> local @INC = File::Basename::dirname($INC{'Encode.pm'});
>>
>
> And probably should be using __FILE__ instead of the %INC entry since this
> *is* Encode.pm.
>

If you really want to go that way, you might as well give require the actual path

Leon
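Review bot: the added `+ local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" )) );` line in the Cygwin hunk derives the directory by chopping a hard-coded "/Encode.pm" suffix off the %INC entry, which assumes a '/' separator and that Encode.pm was registered under exactly that key; if the key is absent, substr on undef only warns and @INC ends up holding an empty string, which `require` again resolves relative to the current working directory. File::Basename::dirname(__FILE__), as proposed later in the thread, avoids both assumptions, and a regression test that `require Encode::ConfigLocal` still finds a file installed beside Encode.pm (and finds nothing when the cwd contains one) would pin the intended behaviour.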
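As an added illustration of the points raised in the thread (this is not code from Encode, from the Cygwin patch, or from any of the participants): the first function shows why the removed `local @INC = @INC || ()` line collapses @INC to a single integer, and the second loads the optional config module through an explicit absolute path beside the calling file, combining the dirname/__FILE__ suggestion with Leon's "give require the actual path". The names `inc_after_buggy_localize`, `module_dir` and `load_sibling_config` are assumed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename ();
use File::Spec;

# The removed line from the hunk: `||` evaluates @INC in scalar context, so
# the localized @INC holds the element count (e.g. "7"), which `require`
# then treats as a directory relative to the current working directory.
sub inc_after_buggy_localize {
    local @INC = @INC || ();
    return [@INC];
}

# Directory holding this file, derived from __FILE__ rather than from a
# %INC key, and without assuming a '/' separator or a fixed suffix.
sub module_dir {
    return File::Basename::dirname( File::Spec->rel2abs(__FILE__) );
}

# Load an optional module only from an absolute path next to this file.
# `require` with an absolute path never consults @INC or the cwd, so the
# search that the CVE abused does not happen at all.
sub load_sibling_config {
    my ($name) = @_;    # e.g. "ConfigLocal"
    my $path = File::Spec->catfile( module_dir(), "$name.pm" );
    return 0 unless -f $path;
    local $SIG{__DIE__};
    local $SIG{__WARN__};
    return eval { require $path; 1 } ? 1 : 0;
}

my $collapsed = inc_after_buggy_localize();
printf "buggy localized \@INC has %d entry: %s\n", scalar @$collapsed, "@$collapsed";
printf "module directory: %s\n", module_dir();
printf "ConfigLocal loaded: %d\n", load_sibling_config("ConfigLocal");
```

Run it from any directory: the first line reports a one-element @INC holding the count, and the last reports 1 only if a ConfigLocal.pm sits beside the script itself, never one in the current working directory.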