Bug 807307 (CVE-2021-36770) - <dev-lang/perl-5.34.0-r2, <perl-core/Encode-3.120: Encode.pm loads code from outside expected @INC (CVE-2021-36770)
Status: IN_PROGRESS
Alias: CVE-2021-36770
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://marc.info/?l=perl5-porters&m=...
Whiteboard: A4 [glsa?]
Keywords:
Depends on: 812065
Blocks:
Reported: 2021-08-09 13:14 UTC by Kerin Millar
Modified: 2021-10-23 16:20 UTC

See Also:
Package list:
dev-lang/perl-5.34.0-r2 * perl-core/Encode-3.120.0 * virtual/perl-Encode-3.120.0 *
Runtime testing required: ---
nattka: sanity-check-


Attachments
0001-mitigate-INC-pollution-when-loading-ConfigLocal.patch (693 bytes, patch)
2021-08-09 13:19 UTC, Kerin Millar

Description Kerin Millar 2021-08-09 13:14:02 UTC
Encode >=3.05 contains a bug whereby the contents of @INC are replaced with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one "require". This affects >=dev-lang/perl-5.32. For further details, please refer to https://marc.info/?l=perl5-porters&m=162851211513224&w=2.
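The mechanism described above (a search path that degenerates to one integer, which `require` then resolves relative to the current directory) matches a general Perl context pitfall: the left operand of `||` is evaluated in scalar context, so an "array or default" idiom yields the array's element count instead of its elements. The script below is an added illustration written for this page; it is not Encode's code, not the attached patch, and not taken from the report. The module name `My::ConfigLocal`, the sample search path and the helper names are constructed for the example. It shows the collapsed path beside a form that preserves it, lists the file names `require` would probe for each, and flags search-path entries that are not absolute.

```perl
#!/usr/bin/perl
# Added illustration for this bug's mechanism. NOT Encode's code and NOT from
# the bug report: it demonstrates the Perl context pitfall in which an
# "array or default" idiom collapses @INC to its element count, and a form
# that keeps the original search path.
use strict;
use warnings;
use File::Spec;

# Constructed stand-in for a real @INC (not the reporter's system).
my @sample_inc = (
    '/usr/lib/perl5/vendor_perl/5.34',
    '/usr/lib/perl5/5.34',
);

# Pitfall: '||' evaluates its left operand in scalar context, so a
# non-empty array yields its element count rather than its elements.
# With the two entries above this returns ('2'): a cwd-relative directory.
sub collapsed_inc {
    my @inc = @_;
    return (@inc || '.');
}

# Safe form: the conditional operator returns the chosen branch in the
# caller's list context, so every entry survives; '.' is used only when
# the search path is genuinely empty.
sub preserved_inc {
    my @inc = @_;
    return (@inc ? @inc : ('.'));
}

# Where 'require' would look for a module given a search path: each
# directory joined with the module's relative file name.
sub candidate_files {
    my ($module, @inc) = @_;
    my @parts = split /::/, $module;
    $parts[-1] .= '.pm';
    return map { File::Spec->catfile($_, @parts) } @inc;
}

# Defensive check: search-path entries that are plain strings but not
# absolute paths resolve against the current working directory.
# Code-reference hooks in @INC are skipped.
sub relative_entries {
    my @inc = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

my $module = 'My::ConfigLocal';    # hypothetical module name

for my $case (
    [ 'collapsed', [ collapsed_inc(@sample_inc) ] ],
    [ 'preserved', [ preserved_inc(@sample_inc) ] ],
) {
    my ($label, $inc) = @$case;
    print "$label \@INC: @$inc\n";
    print "  would probe: $_\n" for candidate_files($module, @$inc);
    if (my @rel = relative_entries(@$inc)) {
        print "  WARNING: cwd-relative search entries: @rel\n";
    } else {
        print "  ok: all search entries are absolute\n";
    }
}
```

Running it prints the collapsed case as a single entry `2` probing `2/My/ConfigLocal.pm` (a relative path) and the preserved case as the two absolute directories, which is the distinction the description draws.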
Comment 1 Kerin Millar 2021-08-09 13:19:49 UTC
Created attachment 731848
0001-mitigate-INC-pollution-when-loading-ConfigLocal.patch
Comment 2 Kerin Millar 2021-08-09 16:26:15 UTC
Here's the proper patch from blead: https://github.com/Perl/perl5/commit/c1a937f. It's also fixed by Encode 3.12.

Note to Perl team: please consider also updating perl-core/Encode. The reason is that it would allow for Perl application developers to write "use Encode 3.12" in their applications as a safety guarantee, while also allowing for that version requirement to be satisfied in Gentoo without either a) waiting for Perl 5.36 b) installing dual-life modules outside of the purview of portage.
Comment 3 Kerin Millar 2021-08-09 16:47:38 UTC
Sorry, disregard the request concerning perl-core/Encode. Defining the minimum required version by way of the use keyword does nothing to prevent a potential exploit.
Comment 4 John Helmert III gentoo-dev Security 2021-08-10 01:51:08 UTC
(In reply to Kerin Millar from comment #3)
> Sorry, disregard the request concerning perl-core/Encode. Defining the
> minimum required version by way of the use keyword does nothing to prevent a
> potential exploit.

perl-core/Encode is going to be removed in a few days anyway:

https://github.com/gentoo/gentoo/blob/master/profiles/package.mask#L325
Comment 5 Larry the Git Cow gentoo-dev 2021-08-10 22:39:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d45a0ad477f194c2820a8077c0ba158dc841bb8

commit 1d45a0ad477f194c2820a8077c0ba158dc841bb8
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:38:23 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:39:17 +0000

    virtual/perl-Encode: Add virtual for Encode 3.12
    
    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 virtual/perl-Encode/perl-Encode-3.120.0.ebuild | 13 +++++++++++++
 1 file changed, 13 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5274cece5e2e20afdbb66872ae1849fe25cee420

commit 5274cece5e2e20afdbb66872ae1849fe25cee420
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:36:40 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:39:14 +0000

    perl-core/Encode: Add perl-core package
    
    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 perl-core/Encode/Encode-2.730.0.ebuild    | 17 -----------------
 perl-core/Encode/Encode-3.120.0.ebuild    | 15 +++++++++++++++
 perl-core/Encode/Manifest                 |  2 +-
 perl-core/Encode/files/gentoo_enc2xs.diff |  4 ++--
 perl-core/Encode/metadata.xml             | 31 -------------------------------
 5 files changed, 18 insertions(+), 51 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2021-08-10 22:44:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fef27940b8bbeaf2a8fc94153aca89ece36788cc

commit fef27940b8bbeaf2a8fc94153aca89ece36788cc
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-08-10 22:43:45 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-08-10 22:43:45 +0000

    dev-lang/perl: revbump which enforces recent virtual/perl-Encode
    
    Bug: https://bugs.gentoo.org/807307
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-lang/perl/perl-5.34.0-r2.ebuild | 818 ++++++++++++++++++++++++++++++++++++
 1 file changed, 818 insertions(+)
Comment 7 John Helmert III gentoo-dev Security 2021-08-10 22:45:11 UTC
(In reply to John Helmert III from comment #4)
> (In reply to Kerin Millar from comment #3)
> > Sorry, disregard the request concerning perl-core/Encode. Defining the
> > minimum required version by way of the use keyword does nothing to prevent a
> > potential exploit.
> 
> perl-core/Encode is going to be removed in a few days anyway:
> 
> https://github.com/gentoo/gentoo/blob/master/profiles/package.mask#L325

... maybe not! :)
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2021-08-10 22:46:46 UTC
OK this should be worked-around for ~arch. 

(The perl-core package overshadows the one inside dev-lang/perl.)

Stabilization of 
  dev-lang/perl-5.34.0-r2
  perl-core/Encode-3.120.0
  virtual/perl-Encode-3.120.0

can follow in a few days.
Comment 9 John Helmert III gentoo-dev Security 2021-08-10 22:49:39 UTC
(In reply to Andreas K. Hüttel from comment #8)
> OK this should be worked-around for ~arch. 
> 
> (The perl-core package overshadows the one inside dev-lang/perl.)
> 
> Stabilization of 
>   dev-lang/perl-5.34.0-r2
>   perl-core/Encode-3.120.0
>   virtual/perl-Encode-3.120.0
> 
> can follow in a few days.

Thanks!
Comment 10 John Helmert III gentoo-dev Security 2021-10-06 12:56:59 UTC
Please cleanup.
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2021-10-16 19:43:41 UTC
Cleanup done
Comment 12 NATTkA bot gentoo-dev 2021-10-23 16:20:31 UTC
Unable to check for sanity:

> no match for package: dev-lang/perl-5.34.0-r2