| Andrew Geissler | 5199d83 | 2021-09-24 16:47:35 -0500 | [diff] [blame] | 1 | Backport patch to fix CVE-2021-36770. And drop the section of code which |
| 2 | updates version. |
| 3 | |
| 4 | Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f] |
| 5 | CVE: CVE-2021-36770 |
| 6 | |
| 7 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| 8 | |
| 9 | From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001 |
| 10 | From: Ricardo Signes <rjbs@semiotic.systems> |
| 11 | Date: Mon, 9 Aug 2021 08:14:05 -0400 |
| 12 | Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770 |
| 13 | |
| 14 | I expect Encode to see a new release today. |
| 15 | |
| 16 | Without this fix, Encode::ConfigLocal can be loaded from a path relative |
| 17 | to the current directory, because the || operator will evaluate @INC in |
| 18 | scalar context, putting an integer as the only value in @INC. |
| 19 | --- |
| 20 | cpan/Encode/Encode.pm | 4 ++-- |
| 21 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 22 | |
| 23 | diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm |
| 24 | index a56a99947f..b96a850416 100644 |
| 25 | --- a/cpan/Encode/Encode.pm |
| 26 | +++ b/cpan/Encode/Encode.pm |
| 27 | @@ -65,8 +66,8 @@ require Encode::Config; |
| 28 | eval { |
| 29 | local $SIG{__DIE__}; |
| 30 | local $SIG{__WARN__}; |
| 31 | - local @INC = @INC || (); |
| 32 | - pop @INC if $INC[-1] eq '.'; |
| 33 | + local @INC = @INC; |
| 34 | + pop @INC if @INC && $INC[-1] eq '.'; |
| 35 | require Encode::ConfigLocal; |
| 36 | }; |
| 37 | |
| 38 | -- |
| 39 | 2.33.0 |
| 40 | |