Encode >=3.05 contains a bug whereby the contents of @INC are replaced with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one "require". This affects >=dev-lang/perl-5.32. For further details, please refer to https://marc.info/?l=perl5-porters&m=162851211513224&w=2.
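An added illustration of the mechanism described above, written for this bug report and not taken from Encode.pm: the `@inc || ()` line is a simplified reconstruction of the scalar-context mistake (an assumption, not the library's verbatim code), shown beside a hardened form that keeps only absolute directories and a check that lists any @INC entry a `require` would resolve against the current working directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Simplified reconstruction of the pattern behind the bug (assumption: not
# Encode.pm verbatim). '||' evaluates its left operand in scalar context, so
# '@inc || ()' yields the element COUNT of @inc and the library path list
# collapses to a single, predictable integer that Perl then treats as a
# directory name relative to the current working directory.
sub polluted_inc {
    my @inc = @_;
    local @INC = @inc || ();
    return [@INC];
}

# Hardened variant: copy the list as a list and keep only absolute
# directories and code-ref hooks, so a subsequent 'require' cannot resolve
# against the current working directory.
sub hardened_inc {
    my @inc = @_;
    local @INC = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @inc;
    return [@INC];
}

# Defensive check usable against a live interpreter's @INC: report every
# plain-string entry that is not an absolute path.
sub relative_inc_entries {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @_;
}

# Constructed sample path list, not a real system's @INC.
my @sample = ('/usr/lib/perl5/5.34', '/usr/local/lib/perl5', '.');

printf "polluted : %s\n", join ' ', @{ polluted_inc(@sample) };
printf "hardened : %s\n", join ' ', @{ hardened_inc(@sample) };
printf "relative : %s\n", join ' ', relative_inc_entries(@{ polluted_inc(@sample) });
printf "live     : %s\n", join ' ', relative_inc_entries(@INC);
```

The last line applies the same check to the interpreter's real @INC, which is the quick way to confirm whether a given perl still carries a relative search path.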
Created attachment 731848: 0001-mitigate-INC-pollution-when-loading-ConfigLocal.patch
Here's the proper patch from blead: https://github.com/Perl/perl5/commit/c1a937f. It's also fixed by Encode 3.12. Note to Perl team: please consider also updating perl-core/Encode. The reason is that it would allow for Perl application developers to write "use Encode 3.12" in their applications as a safety guarantee, while also allowing for that version requirement to be satisfied in Gentoo without either a) waiting for Perl 5.36 b) installing dual-life modules outside of the purview of portage.
Sorry, disregard the request concerning perl-core/Encode. Defining the minimum required version by way of the use keyword does nothing to prevent a potential exploit.
(In reply to Kerin Millar from comment #3)
> Sorry, disregard the request concerning perl-core/Encode. Defining the
> minimum required version by way of the use keyword does nothing to prevent a
> potential exploit.

perl-core/Encode is going to be removed in a few days anyway: https://github.com/gentoo/gentoo/blob/master/profiles/package.mask#L325
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d45a0ad477f194c2820a8077c0ba158dc841bb8

commit 1d45a0ad477f194c2820a8077c0ba158dc841bb8
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:38:23 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:39:17 +0000

    virtual/perl-Encode: Add virtual for Encode 3.12

    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 virtual/perl-Encode/perl-Encode-3.120.0.ebuild | 13 +++++++++++++
 1 file changed, 13 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5274cece5e2e20afdbb66872ae1849fe25cee420

commit 5274cece5e2e20afdbb66872ae1849fe25cee420
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:36:40 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:39:14 +0000

    perl-core/Encode: Add perl-core package

    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 perl-core/Encode/Encode-2.730.0.ebuild    | 17 -----------------
 perl-core/Encode/Encode-3.120.0.ebuild    | 15 +++++++++++++++
 perl-core/Encode/Manifest                 |  2 +-
 perl-core/Encode/files/gentoo_enc2xs.diff |  4 ++--
 perl-core/Encode/metadata.xml             | 31 -------------------------------
 5 files changed, 18 insertions(+), 51 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fef27940b8bbeaf2a8fc94153aca89ece36788cc

commit fef27940b8bbeaf2a8fc94153aca89ece36788cc
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:43:45 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:43:45 +0000

    dev-lang/perl: revbump which enforces recent virtual/perl-Encode

    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-lang/perl/perl-5.34.0-r2.ebuild | 818 ++++++++++++++++++++++++++++++++++++
 1 file changed, 818 insertions(+)
(In reply to John Helmert III from comment #4)
> (In reply to Kerin Millar from comment #3)
> > Sorry, disregard the request concerning perl-core/Encode. Defining the
> > minimum required version by way of the use keyword does nothing to prevent a
> > potential exploit.
>
> perl-core/Encode is going to be removed in a few days anyway:
>
> https://github.com/gentoo/gentoo/blob/master/profiles/package.mask#L325

... maybe not! :)
OK this should be worked-around for ~arch.

(The perl-core package overshadows the one inside dev-lang/perl.)

Stabilization of
dev-lang/perl-5.34.0-r2
perl-core/Encode-3.120.0
virtual/perl-Encode-3.120.0

can follow in a few days.
(In reply to Andreas K. Hüttel from comment #8)
> OK this should be worked-around for ~arch.
>
> (The perl-core package overshadows the one inside dev-lang/perl.)
>
> Stabilization of
> dev-lang/perl-5.34.0-r2
> perl-core/Encode-3.120.0
> virtual/perl-Encode-3.120.0
>
> can follow in a few days.

Thanks!
Please cleanup.
Cleanup done
Unable to check for sanity:
> no match for package: dev-lang/perl-5.34.0-r2
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=06b1665a387d4d7cb73b9b91b99b6ed644d013ed

commit 06b1665a387d4d7cb73b9b91b99b6ed644d013ed
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-11-17 09:51:20 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-11-17 09:51:58 +0000

    [ GLSA 202411-09 ] Perl: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/807307
    Bug: https://bugs.gentoo.org/905296
    Bug: https://bugs.gentoo.org/918612
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202411-09.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)