Mageia alert MGASA-2021-0527 (perl/perl-Encode)

From:
               Mageia Updates <buildsystem-daemon@mageia.org>
To:
               updates-announce@ml.mageia.org
Subject:
               [updates-announce] MGASA-2021-0527: Updated perl/perl-Encode packages fix security vulnerability
Date:
               Thu, 02 Dec 2021 17:50:18 +0100
Message-ID:
               <20211202165018.457F99F9EC@duvel.mageia.org>
Archive-link:
               Article
MGASA-2021-0527 - Updated perl/perl-Encode packages fix security vulnerability

Publication date: 02 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0527.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-36770

Description:
Encode.pm, as distributed in Perl through 5.34.0, allows local users to
gain privileges via a Trojan horse Encode::ConfigLocal library (in the
current working directory) that preempts dynamic module loading.
Exploitation requires an unusual configuration, and certain 2021 versions
of Encode.pm (3.05 through 3.11). This issue occurs because the || operator
evaluates @INC in a scalar context, and thus @INC has only an integer value.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29352
-
https://lists.fedoraproject.org/archives/list/package-ann...
- https://ubuntu.com/security/notices/USN-5033-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3...

SRPMS:
- 8/core/perl-5.32.1-1.1.mga8
- 8/core/perl-Encode-3.80.0-1.1.mga8

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2021-0527: Updated perl/perl-Encode packages fix security vulnerability
Date:		Thu, 02 Dec 2021 17:50:18 +0100
Message-ID:		<20211202165018.457F99F9EC@duvel.mageia.org>
Archive-link:		Article