perl: fix CVE-2021-36770

Backport patch to fix CVE-2021-36770. And drop the section of code which updates version. CVE: CVE-2021-36770 (From OE-Core rev: 9a5e0f3ece45529358b6b712e3450a8594f531c6) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2021-09-10 13:58:28 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-11 22:39:19 +0100
commit: d5723cb241b7951aef7c140249541934e16fd115 (patch)
tree: 946570751a87144d60b7e899e6b9b8120d764e38
parent: 457cc45f51e78a532930d0347de271f24ae0a2ee (diff)
download: poky-d5723cb241b7951aef7c140249541934e16fd115.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
new file mode 100644
index 0000000000..1ef548b305
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
@@ -0,0 +1,40 @@
+Backport patch to fix CVE-2021-36770. And drop the section of code which
+updates version.
+Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f]
+CVE: CVE-2021-36770
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001
+From: Ricardo Signes <rjbs@semiotic.systems>
+Date: Mon, 9 Aug 2021 08:14:05 -0400
+Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
+I expect Encode to see a new release today.
+Without this fix, Encode::ConfigLocal can be loaded from a path relative
+to the current directory, because the || operator will evaluate @INC in
+scalar context, putting an integer as the only value in @INC.
+---
+ cpan/Encode/Encode.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
+index a56a99947f..b96a850416 100644
+--- a/cpan/Encode/Encode.pm
+++ b/cpan/Encode/Encode.pm
+@@ -65,8 +66,8 @@ require Encode::Config;
+ eval {
+     local $SIG{__DIE__};
+     local $SIG{__WARN__};
+-    local @INC = @INC || ();
+-    pop @INC if $INC[-1] eq '.';
+    local @INC = @INC;
+    pop @INC if @INC && $INC[-1] eq '.';
+     require Encode::ConfigLocal;
+ };
+ 
+-- 
+2.33.0
diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb b/meta/recipes-devtools/perl/perl_5.34.0.bb
index ab19a8d0be..0e0fe7f985 100644
--- a/meta/recipes-devtools/perl/perl_5.34.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
           file://perl-dynloader.patch \
           file://0002-Constant-Fix-up-shebang.patch \
           file://determinism.patch \
+           file://CVE-2021-36770.patch \
           "
 SRC_URI:append:class-native = " \
           file://perl-configpm-switch.patch \
author	Kai Kang <kai.kang@windriver.com>	2021-09-10 13:58:28 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-11 22:39:19 +0100
commit	d5723cb241b7951aef7c140249541934e16fd115 (patch)
tree	946570751a87144d60b7e899e6b9b8120d764e38
parent	457cc45f51e78a532930d0347de271f24ae0a2ee (diff)
download	poky-d5723cb241b7951aef7c140249541934e16fd115.tar.gz

diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch new file mode 100644 index 0000000000..1ef548b305 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
@@ -0,0 +1,40 @@
		1	Backport patch to fix CVE-2021-36770. And drop the section of code which
		2	updates version.
		3
		4	Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f]
		5	CVE: CVE-2021-36770
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8
		9	From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001
		10	From: Ricardo Signes <rjbs@semiotic.systems>
		11	Date: Mon, 9 Aug 2021 08:14:05 -0400
		12	Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
		13
		14	I expect Encode to see a new release today.
		15
		16	Without this fix, Encode::ConfigLocal can be loaded from a path relative
		17	to the current directory, because the \|\| operator will evaluate @INC in
		18	scalar context, putting an integer as the only value in @INC.
		19	---
		20	cpan/Encode/Encode.pm \| 4 ++--
		21	1 file changed, 2 insertions(+), 2 deletions(-)
		22
		23	diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
		24	index a56a99947f..b96a850416 100644
		25	--- a/cpan/Encode/Encode.pm
		26	+++ b/cpan/Encode/Encode.pm
		27	@@ -65,8 +66,8 @@ require Encode::Config;
		28	eval {
		29	local $SIG{__DIE__};
		30	local $SIG{__WARN__};
		31	- local @INC = @INC \|\| ();
		32	- pop @INC if $INC[-1] eq '.';
		33	+ local @INC = @INC;
		34	+ pop @INC if @INC && $INC[-1] eq '.';
		35	require Encode::ConfigLocal;
		36	};
		37
		38	--
		39	2.33.0
		40


diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb b/meta/recipes-devtools/perl/perl_5.34.0.bb index ab19a8d0be..0e0fe7f985 100644 --- a/meta/recipes-devtools/perl/perl_5.34.0.bb +++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
17	file://perl-dynloader.patch \	17	file://perl-dynloader.patch \
18	file://0002-Constant-Fix-up-shebang.patch \	18	file://0002-Constant-Fix-up-shebang.patch \
19	file://determinism.patch \	19	file://determinism.patch \
		20	file://CVE-2021-36770.patch \
20	"	21	"
21	SRC_URI:append:class-native = " \	22	SRC_URI:append:class-native = " \
22	file://perl-configpm-switch.patch \	23	file://perl-configpm-switch.patch \