Mageia 2021-0527: perl/perl-Encode security update | LinuxSecurity.com

Advisories

MGASA-2021-0527 - Updated perl/perl-Encode packages fix security vulnerability

Publication date: 02 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0527.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-36770

Encode.pm, as distributed in Perl through 5.34.0, allows local users to
gain privileges via a Trojan horse Encode::ConfigLocal library (in the
current working directory) that preempts dynamic module loading.
Exploitation requires an unusual configuration, and certain 2021 versions
of Encode.pm (3.05 through 3.11). This issue occurs because the || operator
evaluates @INC in a scalar context, and thus @INC has only an integer value.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29352
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
- https://ubuntu.com/security/notices/USN-5033-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770

SRPMS:
- 8/core/perl-5.32.1-1.1.mga8
- 8/core/perl-Encode-3.80.0-1.1.mga8

Mageia 2021-0527: perl/perl-Encode security update

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preem...

Summary

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.

References

- https://bugs.mageia.org/show_bug.cgi?id=29352

- https://lists.fedoraproject.org/archives/list/[email protected]/thread/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/

- https://ubuntu.com/security/notices/USN-5033-1

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770

Resolution

MGASA-2021-0527 - Updated perl/perl-Encode packages fix security vulnerability

SRPMS

- 8/core/perl-5.32.1-1.1.mga8

- 8/core/perl-Encode-3.80.0-1.1.mga8

Severity
Publication date: 02 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0527.html
Type: security
CVE: CVE-2021-36770

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.