Summary: <dev-lang/perl-5.34.0-r2, <perl-core/Encode-3.120: Encode.pm loads code from outside expected @INC (CVE-2021-36770)

Product: Gentoo Security
Component: Vulnerabilities
Status: IN_PROGRESS
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: kfm
Assignee: Gentoo Security <security>
CC: sam
URL: https://marc.info/?l=perl5-porters&m=162851211513224&w=2
Whiteboard: A4 [glsa?]
Package list:
  dev-lang/perl-5.34.0-r2 *
  perl-core/Encode-3.120.0 *
  virtual/perl-Encode-3.120.0 *
Runtime testing required: ---
Bug Depends on: 812065
Bug Blocks:
Attachments:
Description (kfm, 2021-08-09 13:14:02 UTC):

Created attachment 731848 [details, diff]
0001-mitigate-INC-pollution-when-loading-ConfigLocal.patch

Comment #1:

Here's the proper patch from blead: https://github.com/Perl/perl5/commit/c1a937f. It's also fixed by Encode 3.12.

Comment #2:

Note to Perl team: please consider also updating perl-core/Encode. The reason is that it would allow Perl application developers to write "use Encode 3.12" in their applications as a safety guarantee, while also allowing that version requirement to be satisfied in Gentoo without either a) waiting for Perl 5.36 or b) installing dual-life modules outside of the purview of portage.

Comment #3 (Kerin Millar):

Sorry, disregard the request concerning perl-core/Encode. Defining the minimum required version by way of the use keyword does nothing to prevent a potential exploit.

Comment #4 (John Helmert III):

(In reply to Kerin Millar from comment #3)
> Sorry, disregard the request concerning perl-core/Encode. Defining the
> minimum required version by way of the use keyword does nothing to prevent a
> potential exploit.

perl-core/Encode is going to be removed in a few days anyway:

https://github.com/gentoo/gentoo/blob/master/profiles/package.mask#L325

Comment #5:

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d45a0ad477f194c2820a8077c0ba158dc841bb8

commit 1d45a0ad477f194c2820a8077c0ba158dc841bb8
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:38:23 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:39:17 +0000

    virtual/perl-Encode: Add virtual for Encode 3.12

    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 virtual/perl-Encode/perl-Encode-3.120.0.ebuild | 13 +++++++++++++
 1 file changed, 13 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5274cece5e2e20afdbb66872ae1849fe25cee420

commit 5274cece5e2e20afdbb66872ae1849fe25cee420
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:36:40 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:39:14 +0000

    perl-core/Encode: Add perl-core package

    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 perl-core/Encode/Encode-2.730.0.ebuild    | 17 -----------------
 perl-core/Encode/Encode-3.120.0.ebuild    | 15 +++++++++++++++
 perl-core/Encode/Manifest                 |  2 +-
 perl-core/Encode/files/gentoo_enc2xs.diff |  4 ++--
 perl-core/Encode/metadata.xml             | 31 -------------------------------
 5 files changed, 18 insertions(+), 51 deletions(-)

Comment #6:

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fef27940b8bbeaf2a8fc94153aca89ece36788cc

commit fef27940b8bbeaf2a8fc94153aca89ece36788cc
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:43:45 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:43:45 +0000

    dev-lang/perl: revbump which enforces recent virtual/perl-Encode

    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-lang/perl/perl-5.34.0-r2.ebuild | 818 ++++++++++++++++++++++++++++++++++++
 1 file changed, 818 insertions(+)

Comment #7:

(In reply to John Helmert III from comment #4)
> (In reply to Kerin Millar from comment #3)
> > Sorry, disregard the request concerning perl-core/Encode. Defining the
> > minimum required version by way of the use keyword does nothing to prevent a
> > potential exploit.
>
> perl-core/Encode is going to be removed in a few days anyway:
>
> https://github.com/gentoo/gentoo/blob/master/profiles/package.mask#L325

... maybe not! :)

Comment #8 (Andreas K. Hüttel):

OK, this should be worked around for ~arch. (The perl-core package overshadows the one inside dev-lang/perl.)

Stabilization of
dev-lang/perl-5.34.0-r2
perl-core/Encode-3.120.0
virtual/perl-Encode-3.120.0

can follow in a few days.

Comment #9:

(In reply to Andreas K. Hüttel from comment #8)
> OK this should be worked-around for ~arch.
>
> (The perl-core package overshadows the one inside dev-lang/perl.)
>
> Stabilization of
> dev-lang/perl-5.34.0-r2
> perl-core/Encode-3.120.0
> virtual/perl-Encode-3.120.0
>
> can follow in a few days.

Thanks! Please cleanup.

Comment #10:

Cleanup done

Comment #11:

Unable to check for sanity:

> no match for package: dev-lang/perl-5.34.0-r2
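The two technical points in this thread, that Encode.pm's localisation of @INC before loading Encode::ConfigLocal went wrong, and (comment #3) that a `use Encode 3.12` line in an application cannot guard against it, are illustrated by the added Perl script below. It is written for this page and is not code from Encode.pm, from the linked perl5 commit or from Gentoo. The `@INC || '.'` form is a paraphrase of the root cause as the CVE-2021-36770 description states it (the `||` operator evaluating @INC in scalar context, so that @INC becomes a single integer entry, i.e. a relative directory under the current working directory), not a verbatim quote of the affected Encode versions; the Demo::Old module, the temporary directory and the flag variable are constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added illustration for this bug page; not code from Encode.pm or Gentoo.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use File::Spec;

# Part 1: the scalar-context pitfall behind CVE-2021-36770.
# `||` evaluates its left operand in scalar context, so an array there yields
# its element count. Assigned back to an array, that count becomes the only
# search entry: a relative directory resolved against the current working
# directory, which an unprivileged user may control.
sub inc_with_fallback_buggy {
    my @inc = @_;
    my @local = @inc || '.';          # paraphrase of the vulnerable pattern
    return @local;                    # e.g. (3) for a three-element @inc
}

# Fixed form (hypothetical, for contrast): keep @inc as a list and make the
# fallback explicit. The real fix additionally dropped a trailing '.' entry.
sub inc_with_fallback_fixed {
    my @inc = @_;
    my @local = @inc ? @inc : ('.');
    return @local;
}

my @demo = ('/usr/lib/perl5', '/usr/local/lib/perl5', '/usr/share/perl5');
print "buggy @INC: @{[ inc_with_fallback_buggy(@demo) ]}\n";
print "fixed @INC: @{[ inc_with_fallback_fixed(@demo) ]}\n";

# Part 2: why `use Module VERSION` in an application is no guard.
# `use Demo::Old 2.00` compiles to BEGIN { require Demo::Old;
# Demo::Old->VERSION(2.00); ... }, so the module's file-scope code, including
# any require it performs itself, has already run when the version check
# fails. Demo::Old is a constructed module in a temporary directory; setting
# $main::LOADED_BEFORE_VERSION_CHECK stands in for loading ConfigLocal.
my $dir = tempdir(CLEANUP => 1);
make_path(File::Spec->catdir($dir, 'Demo'));
open my $fh, '>', File::Spec->catfile($dir, 'Demo', 'Old.pm') or die "open: $!";
print $fh <<'EOM';
package Demo::Old;
our $VERSION = '1.00';
$main::LOADED_BEFORE_VERSION_CHECK = 1;
1;
EOM
close $fh or die "close: $!";

our $LOADED_BEFORE_VERSION_CHECK = 0;
{
    local @INC = ($dir, @INC);
    eval "use Demo::Old 2.00; 1" or print "version check failed: $@";
}
print "module body ran before the check: $LOADED_BEFORE_VERSION_CHECK\n";
```

Run with `perl script.pl`. Part 1 prints the element count for the buggy form and the three directories for the fixed form; Part 2 reports the version-check failure and then shows the flag set to 1, which is the point of comment #3: by the time `Encode->VERSION(3.12)` would reject an old Encode, Encode.pm has already been compiled and has already looked for Encode::ConfigLocal.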