MGASA-2021-0527 - Updated perl/perl-Encode packages fix security vulnerability

Publication date: 02 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0527.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-36770

Encode.pm, as distributed in Perl through 5.34.0, allows local users to
gain privileges via a Trojan horse Encode::ConfigLocal library (in the
current working directory) that preempts dynamic module loading.
Exploitation requires an unusual configuration, and certain 2021 versions
of Encode.pm (3.05 through 3.11). This issue occurs because the || operator
evaluates @INC in a scalar context, and thus @INC has only an integer value.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29352
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
- https://ubuntu.com/security/notices/USN-5033-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770

SRPMS:
- 8/core/perl-5.32.1-1.1.mga8
- 8/core/perl-Encode-3.80.0-1.1.mga8