[OE-core] [PATCH] perl: fix CVE-2021-36770

Thu, 09 Sep 2021 19:28:25 -0700 

From: Kai Kang <kai.k...@windriver.com>

Backport patch to fix CVE-2021-36770.

Signed-off-by: Kai Kang <kai.k...@windriver.com>
---
 .../perl/files/CVE-2021-36770.patch           | 48 +++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.34.0.bb     |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-36770.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch 
b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
new file mode 100644
index 0000000000..ddbc0d8ff4
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
@@ -0,0 +1,48 @@
+Backport patch to fix CVE-2021-36770.
+
+Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f]
+
+Signed-off-by: Kai Kang <kai.k...@windriver.com>
+
+From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001
+From: Ricardo Signes <rjbs@semiotic.systems>
+Date: Mon, 9 Aug 2021 08:14:05 -0400
+Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
+
+I expect Encode to see a new release today.
+
+Without this fix, Encode::ConfigLocal can be loaded from a path relative
+to the current directory, because the || operator will evaluate @INC in
+scalar context, putting an integer as the only value in @INC.
+---
+ cpan/Encode/Encode.pm | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
+index a56a99947f..b96a850416 100644
+--- a/cpan/Encode/Encode.pm
++++ b/cpan/Encode/Encode.pm
+@@ -7,7 +7,8 @@ use warnings;
+ use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG};
+ our $VERSION;
+ BEGIN {
+-    $VERSION = sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g;
++    $VERSION = "3.10_01";
++    $VERSION = eval $VERSION;
+     require XSLoader;
+     XSLoader::load( __PACKAGE__, $VERSION );
+ }
+@@ -65,8 +66,8 @@ require Encode::Config;
+ eval {
+     local $SIG{__DIE__};
+     local $SIG{__WARN__};
+-    local @INC = @INC || ();
+-    pop @INC if $INC[-1] eq '.';
++    local @INC = @INC;
++    pop @INC if @INC && $INC[-1] eq '.';
+     require Encode::ConfigLocal;
+ };
+ 
+-- 
+2.33.0
+
diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb 
b/meta/recipes-devtools/perl/perl_5.34.0.bb
index ab19a8d0be..0e0fe7f985 100644
--- a/meta/recipes-devtools/perl/perl_5.34.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
@@ -17,6 +17,7 @@ SRC_URI = 
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
            file://perl-dynloader.patch \
            file://0002-Constant-Fix-up-shebang.patch \
            file://determinism.patch \
+           file://CVE-2021-36770.patch \
            "
 SRC_URI:append:class-native = " \
            file://perl-configpm-switch.patch \
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#155883): 
https://lists.openembedded.org/g/openembedded-core/message/155883
Mute This Topic: https://lists.openembedded.org/mt/85501034/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to