On 9/10/21 12:02 PM, Mittal, Anuj wrote:
On Fri, 2021-09-10 at 11:16 +0800, kai wrote:
From: Kai Kang <kai.k...@windriver.com>

Backport patch to fix CVE-2021-36770.

CVE: CVE-2021-36770

Signed-off-by: Kai Kang <kai.k...@windriver.com>
---
  .../perl/files/CVE-2021-36770.patch           | 49 +++++++++++++++++++
  meta/recipes-devtools/perl/perl_5.34.0.bb     |  1 +
  2 files changed, 50 insertions(+)
  create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-36770.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
new file mode 100644
index 0000000000..28bc457b86
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
@@ -0,0 +1,49 @@
+Backport patch to fix CVE-2021-36770.
+
+Upstream-Status: Backport
[https://github.com/Perl/perl5/commit/c1a937f]
+CVE: CVE-2021-36770
+
+Signed-off-by: Kai Kang <kai.k...@windriver.com>
+
+From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00
2001
+From: Ricardo Signes <rjbs@semiotic.systems>
+Date: Mon, 9 Aug 2021 08:14:05 -0400
+Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
+
+I expect Encode to see a new release today.
+
+Without this fix, Encode::ConfigLocal can be loaded from a path
relative
+to the current directory, because the || operator will evaluate @INC
in
+scalar context, putting an integer as the only value in @INC.
+---
+ cpan/Encode/Encode.pm | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
+index a56a99947f..b96a850416 100644
+--- a/cpan/Encode/Encode.pm
++++ b/cpan/Encode/Encode.pm
+@@ -7,7 +7,8 @@ use warnings;
+ use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG};
+ our $VERSION;
+ BEGIN {
+-    $VERSION = sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g;
++    $VERSION = "3.10_01";
++    $VERSION = eval $VERSION;
This is changing the version of Encode without having the changes.
Perhaps this part should be dropped as it doesn't look relevant to the
fix ...

OK.

Regards,
Kai


Thanks,

Anuj

+     require XSLoader;
+     XSLoader::load( __PACKAGE__, $VERSION );
+ }
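Review bot: agree with dropping the `$VERSION` lines in this hunk, and there is a concrete reason beyond relevance: `$VERSION = eval $VERSION;` turns the string "3.10_01" into the number 3.1001 (Perl ignores underscores in numeric literals), so the module would advertise an Encode release whose other changes this tree does not contain, which misleads anyone checking the installed Encode version against upstream release notes. The backport only needs the `@INC` change in the next hunk.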
+@@ -65,8 +66,8 @@ require Encode::Config;
+ eval {
+     local $SIG{__DIE__};
+     local $SIG{__WARN__};
+-    local @INC = @INC || ();
+-    pop @INC if $INC[-1] eq '.';
++    local @INC = @INC;
++    pop @INC if @INC && $INC[-1] eq '.';
+     require Encode::ConfigLocal;
+ };
+
+--
+2.33.0
+
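Review bot: the substantive fix is `local @INC = @INC;` replacing `local @INC = @INC || ();`, and the backport header above (`Backport patch to fix CVE-2021-36770.`) would benefit from one sentence saying so for anyone auditing the recipe later. As the upstream message states, `||` evaluates a non-empty `@INC` in scalar context, so the localized `@INC` held a single integer (the element count) and `require Encode::ConfigLocal` resolved that integer as a directory name relative to the current working directory; copying in list context restores the real search path. The second change, `pop @INC if @INC && $INC[-1] eq '.';`, keeps the existing removal of a trailing `.` and additionally avoids comparing an undefined `$INC[-1]` when `@INC` is empty.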
diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb b/meta/recipes-devtools/perl/perl_5.34.0.bb
index ab19a8d0be..0e0fe7f985 100644
--- a/meta/recipes-devtools/perl/perl_5.34.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
@@ -17,6 +17,7 @@ SRC_URI =
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
             file://perl-dynloader.patch \
             file://0002-Constant-Fix-up-shebang.patch \
             file://determinism.patch \
+           file://CVE-2021-36770.patch \
             "
  SRC_URI:append:class-native = " \
             file://perl-configpm-switch.patch \
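Review bot: adding `file://CVE-2021-36770.patch` to the base `SRC_URI` is the right placement, since the `SRC_URI:append:class-native` block below extends rather than replaces it, so the fix reaches the native perl build as well as the target one. Nothing else in the recipe needs to change for a patch-only CVE fix.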




--
Kai Kang
Wind River Linux

View/Reply Online (#155889): 
https://lists.openembedded.org/g/openembedded-core/message/155889