* [PATCH v3 0/1] fix CVE-2021-36770 for perl
From: kai @ 2021-09-10 3:16 UTC
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
v3:
* add 'CVE:' tag in commit message
Kai Kang (1):
perl: fix CVE-2021-36770
.../perl/files/CVE-2021-36770.patch | 49 +++++++++++++++++++
meta/recipes-devtools/perl/perl_5.34.0.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-36770.patch
--
2.17.1
* [PATCH v3 1/1] perl: fix CVE-2021-36770
From: kai @ 2021-09-10 3:16 UTC
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2021-36770.
CVE: CVE-2021-36770
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../perl/files/CVE-2021-36770.patch | 49 +++++++++++++++++++
meta/recipes-devtools/perl/perl_5.34.0.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-36770.patch
diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
new file mode 100644
index 0000000000..28bc457b86
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
@@ -0,0 +1,49 @@
+Backport patch to fix CVE-2021-36770.
+
+Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f]
+CVE: CVE-2021-36770
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001
+From: Ricardo Signes <rjbs@semiotic.systems>
+Date: Mon, 9 Aug 2021 08:14:05 -0400
+Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
+
+I expect Encode to see a new release today.
+
+Without this fix, Encode::ConfigLocal can be loaded from a path relative
+to the current directory, because the || operator will evaluate @INC in
+scalar context, putting an integer as the only value in @INC.
+---
+ cpan/Encode/Encode.pm | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
+index a56a99947f..b96a850416 100644
+--- a/cpan/Encode/Encode.pm
++++ b/cpan/Encode/Encode.pm
+@@ -7,7 +7,8 @@ use warnings;
+ use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG};
+ our $VERSION;
+ BEGIN {
+- $VERSION = sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g;
++ $VERSION = "3.10_01";
++ $VERSION = eval $VERSION;
+ require XSLoader;
+ XSLoader::load( __PACKAGE__, $VERSION );
+ }
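Review bot: The $VERSION change in this hunk (`+ $VERSION = "3.10_01";` / `+ $VERSION = eval $VERSION;`) is not part of the @INC fix and should be dropped from the backport, as the reply below also asks: with only the second hunk carried over, the Encode shipped in perl 5.34.0 is still 3.08 plus one fix, yet anything that inspects $Encode::VERSION would see 3.10_01 and assume the rest of the 3.10 changes are present. Keep the original `sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g;` line so the module reports the version its code actually corresponds to.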
+@@ -65,8 +66,8 @@ require Encode::Config;
+ eval {
+ local $SIG{__DIE__};
+ local $SIG{__WARN__};
+- local @INC = @INC || ();
+- pop @INC if $INC[-1] eq '.';
++ local @INC = @INC;
++ pop @INC if @INC && $INC[-1] eq '.';
+ require Encode::ConfigLocal;
+ };
+
+--
+2.33.0
+
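Review bot: This second hunk is the part that actually closes CVE-2021-36770 and it reads correctly. The old `local @INC = @INC || ();` evaluated @INC in scalar context on the left of `||` (the commit message says as much), so the localized @INC held a single element equal to the element count, the `pop ... if $INC[-1] eq '.'` guard never matched, and `require Encode::ConfigLocal` searched a directory named after that number relative to the current working directory; a quick check is `perl -e 'my @a=(1,2,3); my @b = @a || (); print "@b\n"'`, which prints 3. The replacement `local @INC = @INC;` copies the real list, and `@INC && $INC[-1] eq '.'` avoids indexing an empty array. Two caveats for the patch header: the pop still only strips a trailing '.', so any other relative entry already in @INC is searched exactly as before, and if the $VERSION hunk is dropped the `Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f]` line should state that only the @INC part of c1a937f is carried.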
diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb b/meta/recipes-devtools/perl/perl_5.34.0.bb
index ab19a8d0be..0e0fe7f985 100644
--- a/meta/recipes-devtools/perl/perl_5.34.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://perl-dynloader.patch \
file://0002-Constant-Fix-up-shebang.patch \
file://determinism.patch \
+ file://CVE-2021-36770.patch \
"
SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
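Review bot: Adding `+ file://CVE-2021-36770.patch \` to SRC_URI is the right place for it, and the patch file name together with the `CVE: CVE-2021-36770` tag inside the patch is what the layer's CVE tracking keys on, so the recipe will be recorded as patched for this id once the series merges. One documentation point: the patch header carries "Backport patch to fix CVE-2021-36770." twice (as the recipe commit message and again inside the patch file) but never says what changed; a one-line description of the fix (localizing @INC correctly before the `require Encode::ConfigLocal`) in the patch header would make the file self-describing when someone later audits the recipe.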
--
2.17.1
* Re: [OE-core] [PATCH v3 1/1] perl: fix CVE-2021-36770
From: Anuj Mittal @ 2021-09-10 4:02 UTC
To: kai.kang, openembedded-core
On Fri, 2021-09-10 at 11:16 +0800, kai wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Backport patch to fix CVE-2021-36770.
>
> CVE: CVE-2021-36770
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> .../perl/files/CVE-2021-36770.patch | 49
> +++++++++++++++++++
> meta/recipes-devtools/perl/perl_5.34.0.bb | 1 +
> 2 files changed, 50 insertions(+)
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-
> 36770.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
> b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
> new file mode 100644
> index 0000000000..28bc457b86
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
> @@ -0,0 +1,49 @@
> +Backport patch to fix CVE-2021-36770.
> +
> +Upstream-Status: Backport
> [https://github.com/Perl/perl5/commit/c1a937f]
> +CVE: CVE-2021-36770
> +
> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> +
> +From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00
> 2001
> +From: Ricardo Signes <rjbs@semiotic.systems>
> +Date: Mon, 9 Aug 2021 08:14:05 -0400
> +Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
> +
> +I expect Encode to see a new release today.
> +
> +Without this fix, Encode::ConfigLocal can be loaded from a path
> relative
> +to the current directory, because the || operator will evaluate @INC
> in
> +scalar context, putting an integer as the only value in @INC.
> +---
> + cpan/Encode/Encode.pm | 7 ++++---
> + 1 file changed, 4 insertions(+), 3 deletions(-)
> +
> +diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
> +index a56a99947f..b96a850416 100644
> +--- a/cpan/Encode/Encode.pm
> ++++ b/cpan/Encode/Encode.pm
> +@@ -7,7 +7,8 @@ use warnings;
> + use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG};
> + our $VERSION;
> + BEGIN {
> +- $VERSION = sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g;
> ++ $VERSION = "3.10_01";
> ++ $VERSION = eval $VERSION;
This is changing the version of Encode without having the changes.
Perhaps this part should be dropped as it doesn't look relevant to the
fix ...
Thanks,
Anuj
> + require XSLoader;
> + XSLoader::load( __PACKAGE__, $VERSION );
> + }
> +@@ -65,8 +66,8 @@ require Encode::Config;
> + eval {
> + local $SIG{__DIE__};
> + local $SIG{__WARN__};
> +- local @INC = @INC || ();
> +- pop @INC if $INC[-1] eq '.';
> ++ local @INC = @INC;
> ++ pop @INC if @INC && $INC[-1] eq '.';
> + require Encode::ConfigLocal;
> + };
> +
> +--
> +2.33.0
> +
> diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb
> b/meta/recipes-devtools/perl/perl_5.34.0.bb
> index ab19a8d0be..0e0fe7f985 100644
> --- a/meta/recipes-devtools/perl/perl_5.34.0.bb
> +++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
> @@ -17,6 +17,7 @@ SRC_URI =
> "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
> file://perl-dynloader.patch \
> file://0002-Constant-Fix-up-shebang.patch \
> file://determinism.patch \
> + file://CVE-2021-36770.patch \
> "
> SRC_URI:append:class-native = " \
> file://perl-configpm-switch.patch \
>
>
>
* Re: [OE-core] [PATCH v3 1/1] perl: fix CVE-2021-36770
From: kai @ 2021-09-10 5:00 UTC
To: Mittal, Anuj, openembedded-core
On 9/10/21 12:02 PM, Mittal, Anuj wrote:
> On Fri, 2021-09-10 at 11:16 +0800, kai wrote:
>> From: Kai Kang <kai.kang@windriver.com>
>>
>> Backport patch to fix CVE-2021-36770.
>>
>> CVE: CVE-2021-36770
>>
>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> ---
>> .../perl/files/CVE-2021-36770.patch | 49
>> +++++++++++++++++++
>> meta/recipes-devtools/perl/perl_5.34.0.bb | 1 +
>> 2 files changed, 50 insertions(+)
>> create mode 100644 meta/recipes-devtools/perl/files/CVE-2021-
>> 36770.patch
>>
>> diff --git a/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
>> b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
>> new file mode 100644
>> index 0000000000..28bc457b86
>> --- /dev/null
>> +++ b/meta/recipes-devtools/perl/files/CVE-2021-36770.patch
>> @@ -0,0 +1,49 @@
>> +Backport patch to fix CVE-2021-36770.
>> +
>> +Upstream-Status: Backport
>> [https://github.com/Perl/perl5/commit/c1a937f]
>> +CVE: CVE-2021-36770
>> +
>> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> +
>> +From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00
>> 2001
>> +From: Ricardo Signes <rjbs@semiotic.systems>
>> +Date: Mon, 9 Aug 2021 08:14:05 -0400
>> +Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
>> +
>> +I expect Encode to see a new release today.
>> +
>> +Without this fix, Encode::ConfigLocal can be loaded from a path
>> relative
>> +to the current directory, because the || operator will evaluate @INC
>> in
>> +scalar context, putting an integer as the only value in @INC.
>> +---
>> + cpan/Encode/Encode.pm | 7 ++++---
>> + 1 file changed, 4 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
>> +index a56a99947f..b96a850416 100644
>> +--- a/cpan/Encode/Encode.pm
>> ++++ b/cpan/Encode/Encode.pm
>> +@@ -7,7 +7,8 @@ use warnings;
>> + use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG};
>> + our $VERSION;
>> + BEGIN {
>> +- $VERSION = sprintf "%d.%02d", q$Revision: 3.08 $ =~ /(\d+)/g;
>> ++ $VERSION = "3.10_01";
>> ++ $VERSION = eval $VERSION;
> This is changing the version of Encode without having the changes.
> Perhaps this part should be dropped as it doesn't look relevant to the
> fix ...
OK.
Regards,
Kai
>
> Thanks,
>
> Anuj
>
>> + require XSLoader;
>> + XSLoader::load( __PACKAGE__, $VERSION );
>> + }
>> +@@ -65,8 +66,8 @@ require Encode::Config;
>> + eval {
>> + local $SIG{__DIE__};
>> + local $SIG{__WARN__};
>> +- local @INC = @INC || ();
>> +- pop @INC if $INC[-1] eq '.';
>> ++ local @INC = @INC;
>> ++ pop @INC if @INC && $INC[-1] eq '.';
>> + require Encode::ConfigLocal;
>> + };
>> +
>> +--
>> +2.33.0
>> +
>> diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb
>> b/meta/recipes-devtools/perl/perl_5.34.0.bb
>> index ab19a8d0be..0e0fe7f985 100644
>> --- a/meta/recipes-devtools/perl/perl_5.34.0.bb
>> +++ b/meta/recipes-devtools/perl/perl_5.34.0.bb
>> @@ -17,6 +17,7 @@ SRC_URI =
>> "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
>> file://perl-dynloader.patch \
>> file://0002-Constant-Fix-up-shebang.patch \
>> file://determinism.patch \
>> + file://CVE-2021-36770.patch \
>> "
>> SRC_URI:append:class-native = " \
>> file://perl-configpm-switch.patch \
>>
>>
>>
--
Kai Kang
Wind River Linux