Advisories » MGASA-2021-0527

Updated perl/perl-Encode packages fix security vulnerability

Publication date: 02 Dec 2021
Modification date: 02 Dec 2021
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-36770

Description

Encode.pm, as distributed in Perl through 5.34.0, allows local users to
gain privileges via a Trojan horse Encode::ConfigLocal library (in the
current working directory) that preempts dynamic module loading.
Exploitation requires an unusual configuration, and certain 2021 versions
of Encode.pm (3.05 through 3.11). This issue occurs because the || operator
evaluates @INC in a scalar context, and thus @INC has only an integer value.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=29352
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
• https://ubuntu.com/security/notices/USN-5033-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770

SRPMS

8/core

• perl-5.32.1-1.1.mga8
• perl-Encode-3.80.0-1.1.mga8