On Fri, 2021-09-10 at 11:16 +0800, kai wrote:
> From: Kai Kang <[email protected]>
>
> Backport patch to fix CVE-2021-36770.
>
> CVE: CVE-2021-36770
>
> Signed-off-by: Kai Kang <[email protected]>
> ---
> .../perl/files/CVE-2021-36770.patch | 49 +++++++++++++++++++
> meta/recipes-devtools/perl/perl_5.34.0.bb | 1 +
> 2 files changed, 50 insertions(+)
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-36770.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
> b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
> new file mode 100644
> index 0000000000..28bc457b86
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
> @@ -0,0 +1,49 @@
> +Backport patch to fix CVE-2021-36770.
> +
> +Upstream-Status: Backport
> [https://github.com/Perl/perl5/commit/c1a937f]
> +CVE: CVE-2021-36770
> +
> +Signed-off-by: Kai Kang <[email protected]>
> +
> +From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00
> 2001
> +From: Ricardo Signes <[email protected]>
> +Date: Mon, 9 Aug 2021 08:14:05 -0400
> +Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
> +
> +I expect Encode to see a new release today.
> +
> +Without this fix, Encode::ConfigLocal can be loaded from a path
> relative
> +to the current directory, because the || operator will evaluate @INC
> in
> +scalar context, putting an integer as the only value in @INC.
> +---
> + cpan/Encode/Encode.pm | 7 ++++---
> + 1 file changed, 4 insertions(+), 3 deletions(-)
> +
> +diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
> +index a56a99947f..b96a850416 100644
> +--- a/cpan/Encode/Encode.pm
> ++++ b/cpan/Encode/Encode.pm
> +@@ -7,7 +7,8 @@ use warnings;
> + use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG};
> + our $VERSION;
> + BEGIN {
> +- $VERSION = sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g;
> ++ $VERSION = "3.10_01";
> ++ $VERSION = eval $VERSION;
This is changing the version of Encode without having the changes.
Perhaps this part should be dropped as it doesn't look relevant to the
fix ...
Thanks,
Anuj
> + require XSLoader;
> + XSLoader::load( __PACKAGE__, $VERSION );
> + }
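Review bot: the `$VERSION` bump in this hunk (from the `q$Revision: 3.08 $`-derived value to `"3.10_01"`, which the following `eval $VERSION` turns into the numeric 3.1001) should be dropped from the backport. The Encode code bundled with perl 5.34.0 stays at 3.08, so after this patch `Encode->VERSION` would report 3.10_01 and a `use Encode 3.10;` check elsewhere would pass even though none of the upstream changes between 3.08 and 3.10_01 are present. Only the `@INC` hunk is needed for CVE-2021-36770; remove the three `$VERSION` lines here and mention in the patch header that the upstream version bump was intentionally left out.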
> +@@ -65,8 +66,8 @@ require Encode::Config;
> + eval {
> + local $SIG{__DIE__};
> + local $SIG{__WARN__};
> +- local @INC = @INC || ();
> +- pop @INC if $INC[-1] eq '.';
> ++ local @INC = @INC;
> ++ pop @INC if @INC && $INC[-1] eq '.';
> + require Encode::ConfigLocal;
> + };
> +
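Review bot: this hunk is the actual fix and matches upstream; keep it as-is. In the old `local @INC = @INC || ();` the `||` operator imposes scalar context on its left operand, so the localized `@INC` ends up holding a single integer (the element count), and `require Encode::ConfigLocal` then searches a directory with that numeric name, which is a relative path resolved against the current working directory, exactly the situation the commit message describes. The new `local @INC = @INC;` copies the list, and the added `@INC &&` guard keeps `$INC[-1]` from being evaluated on an empty array. Since this is the only hunk the CVE needs, it would help reviewers if the patch header said so explicitly.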
> +--
> +2.33.0
> +
> diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb
> b/meta/recipes-devtools/perl/perl_5.34.0.bb
> index ab19a8d0be..0e0fe7f985 100644
> --- a/meta/recipes-devtools/perl/perl_5.34.0.bb
> +++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
> @@ -17,6 +17,7 @@ SRC_URI =
> "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
> file://perl-dynloader.patch \
> file://0002-Constant-Fix-up-shebang.patch \
> file://determinism.patch \
> + file://CVE-2021-36770.patch \
> "
> SRC_URI:append:class-native = " \
> file://perl-configpm-switch.patch \
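Review bot: fine as-is. The `CVE: CVE-2021-36770` line in the patch header (together with the `CVE-2021-36770.patch` file name) is what cve-check keys on to mark the CVE as patched for perl_5.34.0, so no other recipe change is needed once the patch is in `SRC_URI`.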
>
>
>
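As an added illustration (not code from the patch, from Encode.pm, or from this thread), the following Perl script mimics the two forms of the `@INC` handling from the second Encode.pm hunk on a constructed search path and shows which files `require Encode::ConfigLocal` would actually probe in each case. The helper names `scrub_vulnerable`, `scrub_fixed`, `candidate_paths` and `inc_is_safe` and the sample path list are my own; the real `@INC` of the running interpreter is never modified outside the `local` scope.

```perl
#!/usr/bin/perl
# Added example, not part of the patch, of Encode.pm or of this thread.
# Shows why 'local @INC = @INC || ();' was unsafe and what the fixed form does.
use strict;
use warnings;
use File::Spec;

# Pre-fix form from the hunk: '||' puts its left operand in scalar context,
# so the localized @INC gets exactly one element, the entry count.
# (Called only with a non-empty list here; on an empty list $INC[-1] would
# be undef and trip a warning, which is what the fixed form's guard avoids.)
sub scrub_vulnerable {
    my @inc = @_;
    local @INC = @inc || ();
    pop @INC if $INC[-1] eq '.';
    return [@INC];
}

# Post-fix form from the hunk: a plain list copy plus an emptiness guard.
sub scrub_fixed {
    my @inc = @_;
    local @INC = @inc;
    pop @INC if @INC && $INC[-1] eq '.';
    return [@INC];
}

# Where 'require Encode::ConfigLocal' would look for each search-path entry.
# A relative entry (a bare integer such as "3" included) is resolved against
# the current working directory, which is the attacker-controlled case.
sub candidate_paths {
    my ($inc) = @_;
    return map {
        my $file = File::Spec->catfile($_, 'Encode', 'ConfigLocal.pm');
        my $kind = File::Spec->file_name_is_absolute($_) ? 'absolute' : 'RELATIVE to cwd';
        [$file, $kind];
    } @$inc;
}

# Check a practitioner could script: every scrubbed entry must be absolute.
sub inc_is_safe {
    my ($inc) = @_;
    return !grep { !File::Spec->file_name_is_absolute($_) } @$inc;
}

# Constructed sample search path (not the real @INC).
my @sample_inc = ('/usr/lib/perl5/site_perl', '/usr/lib/perl5', '.');

for my $case (['vulnerable', scrub_vulnerable(@sample_inc)],
              ['fixed',      scrub_fixed(@sample_inc)]) {
    my ($label, $inc) = @$case;
    print "$label: \@INC = (@$inc)\n";
    printf "  %-45s %s\n", @$_ for candidate_paths($inc);
    printf "  safe? %s\n", inc_is_safe($inc) ? 'yes' : 'no';
}
```

Run with `perl encode_inc_demo.pl`: the vulnerable form reports `@INC = (3)` and a candidate file `3/Encode/ConfigLocal.pm` flagged as relative to cwd, while the fixed form keeps the two absolute directories, drops the trailing `.`, and passes the `inc_is_safe` check.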
View/Reply Online (#155888): https://lists.openembedded.org/g/openembedded-core/message/155888