Mageia 2021-0527: perl/perl-Encode security update
Summary
Encode.pm, as distributed in Perl through 5.34.0, allows local users to
gain privileges via a Trojan horse Encode::ConfigLocal library (in the
current working directory) that preempts dynamic module loading.
Exploitation requires an unusual configuration, and certain 2021 versions
of Encode.pm (3.05 through 3.11). This issue occurs because the || operator
evaluates @INC in a scalar context, and thus @INC has only an integer value.
References
- https://bugs.mageia.org/show_bug.cgi?id=29352
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
- https://ubuntu.com/security/notices/USN-5033-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770
Resolution
MGASA-2021-0527 - Updated perl/perl-Encode packages fix security vulnerability
SRPMS
- 8/core/perl-5.32.1-1.1.mga8
- 8/core/perl-Encode-3.80.0-1.1.mga8