From: Kai Kang <kai.k...@windriver.com>

Backport patch to fix CVE-2021-36770.

Signed-off-by: Kai Kang <kai.k...@windriver.com> --- .../perl/files/CVE-2021-36770.patch | 48 +++++++++++++++++++ meta/recipes-devtools/perl/perl_5.34.0.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-36770.patch diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch new file mode 100644 index 0000000000..ddbc0d8ff4 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch @@ -0,0 +1,48 @@ +Backport patch to fix CVE-2021-36770. + +Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f] + +Signed-off-by: Kai Kang <kai.k...@windriver.com> + +From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001 +From: Ricardo Signes <rjbs@semiotic.systems> +Date: Mon, 9 Aug 2021 08:14:05 -0400 +Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770 + +I expect Encode to see a new release today. + +Without this fix, Encode::ConfigLocal can be loaded from a path relative +to the current directory, because the || operator will evaluate @INC in +scalar context, putting an integer as the only value in @INC. +--- + cpan/Encode/Encode.pm | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm +index a56a99947f..b96a850416 100644 +--- a/cpan/Encode/Encode.pm ++++ b/cpan/Encode/Encode.pm +@@ -7,7 +7,8 @@ use warnings; + use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG}; + our $VERSION; + BEGIN { +- $VERSION = sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g; ++ $VERSION = "3.10_01"; ++ $VERSION = eval $VERSION; + require XSLoader; + XSLoader::load( __PACKAGE__, $VERSION ); + } +@@ -65,8 +66,8 @@ require Encode::Config; + eval { + local $SIG{__DIE__}; + local $SIG{__WARN__}; +- local @INC = @INC || (); +- pop @INC if $INC[-1] eq '.'; ++ local @INC = @INC; ++ pop @INC if @INC && $INC[-1] eq '.'; + require Encode::ConfigLocal; + }; + +-- +2.33.0 + 
diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb b/meta/recipes-devtools/perl/perl_5.34.0.bb index ab19a8d0be..0e0fe7f985 100644 --- a/meta/recipes-devtools/perl/perl_5.34.0.bb +++ b/meta/recipes-devtools/perl/perl_5.34.0.bb @@ -17,6 +17,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \ file://perl-dynloader.patch \ file://0002-Constant-Fix-up-shebang.patch \ file://determinism.patch \ + file://CVE-2021-36770.patch \ " SRC_URI:append:class-native = " \ file://perl-configpm-switch.patch \ -- 2.17.1
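Review bot: The header of the new files/CVE-2021-36770.patch has Upstream-Status and Signed-off-by lines but no CVE tag, so the fix is identified only by the file name. Add a line "CVE: CVE-2021-36770" next to Upstream-Status so the patch header itself records which CVE the backport addresses.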
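Review bot: In the second Encode.pm hunk, "pop @INC if @INC && $INC[-1] eq '.';" drops the current directory only when it is the last @INC entry, so the backport fixes the scalar-context bug described in the upstream message but leaves a "." or other relative entry earlier in @INC in place for "require Encode::ConfigLocal". That matches upstream and should stay as it is. It would help to state this scope in the commit message, and to mention that the first hunk also changes $VERSION to "3.10_01", since neither is visible from "Backport patch to fix CVE-2021-36770."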
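Review bot: The "file://CVE-2021-36770.patch" entry added to SRC_URI in perl_5.34.0.bb comes with no indication of when it can be dropped, while the embedded upstream message expects a new Encode release. Please note in the commit message that the patch should be removed once the recipe moves to a perl release whose cpan/Encode/Encode.pm already contains "local @INC = @INC;", so the next upgrade does not carry a patch that no longer applies.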