Bug 1188467 - (CVE-2021-36770) VUL-1: CVE-2021-36770: perl: Encode module INC injection
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P4 - Low / Severity: Minor
Target Milestone: ---
Assigned To: Michael Schröder
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/304526/
Depends on:
Blocks:
Reported: 2021-07-19 13:36 UTC by Marcus Meissner
Modified: 2021-12-07 09:15 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2021-07-19 13:36:59 UTC
CVE-2021-36770

via security@suse.de

CRD: 2021-08-09

From: Ricardo Signes <rjbs@semiotic.systems>
Cc: perl-security@perl.org
Subject: vulnerability in Perl's "Encode" module, CVE-2021-36770

Hello, vendor security contact.

I am writing to disclose a vulnerability in the "Encode" library that is both shipped with Perl 5 and available separately.  This vulnerability is CVE-2021-36770.

*Overview*

Because of a bug in local configuration loading, Encode can be made to run arbitrary Perl code placed under the current working directory.  No privilege escalation is inherent in this defect.  A patch is included below and also attached.

*Embargo*

The patch included below will be applied publicly, in *three weeks*, on *August 9th*.  Please do not make a public disclosure of this defect until then. 

*Details*

Version 3.05 of Encode, released 2020-03-18 and bundled with perl v5.32 and v5.34, included this patch:
 eval {
     local $SIG{__DIE__};
     local $SIG{__WARN__};
-    local @INC = @INC;
+    local @INC = @INC || ();
     pop @INC if $INC[-1] eq '.';
     require Encode::ConfigLocal;
 };
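Review bot: the replacement line `local @INC = @INC || ();` is a logic error: `||` imposes scalar context on its left operand, so the localized @INC becomes a single element holding the former element count (a small integer) instead of a copy of the search path, and the following `require Encode::ConfigLocal` then searches only that one relative directory under the current working directory. The warning this change set out to silence comes from `$INC[-1]` being evaluated on an empty array in the next line, so the guard belongs there: keep `local @INC = @INC;` and write `pop @INC if @INC && $INC[-1] eq '.';`.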

The new line's use of the || operator caused @INC to be evaluated in scalar context, which would unconditionally replace the module load path with a predictable integer.  Then Encode/ConfigLocal.pm would be loaded from that single directory, if it existed.  An attacker could predict that integer (or guess at many at once, as it was likely to be small) and put the code of their choice in place.

*Patch*

diff --git a/Encode.pm b/Encode.pm
index a56a999..9691382 100644
--- a/Encode.pm
+++ b/Encode.pm
@@ -65,8 +65,8 @@ require Encode::Config;
 eval {
     local $SIG{__DIE__};
     local $SIG{__WARN__};
-    local @INC = @INC || ();
-    pop @INC if $INC[-1] eq '.';
+    local @INC = @INC;
+    pop @INC if @INC && $INC[-1] eq '.';
     require Encode::ConfigLocal;
 };
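Review bot: the guard `pop @INC if @INC && $INC[-1] eq '.';` only strips a trailing `.`; a `.` entry anywhere else in @INC survives and `require Encode::ConfigLocal` still searches the current working directory through it. If the intent is that Encode::ConfigLocal is never loaded relative to the working directory, filter rather than pop: `local @INC = grep { $_ ne '.' } @INC;`, which also needs no emptiness check.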

The intent of the change was to suppress a warning when @INC was empty, and it accidentally did have that effect, but also created this bug.  The new fix avoids the warning by checking that @INC is not empty instead.

Again, the embargo date is *August 9th*.  You can reply to this email if you have any questions.

-- 
rjbs
perl security team
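A stand-alone reproduction of the scalar-context mistake the advisory describes, added here as an example; it is not code from the advisory, from Encode or from the Perl security team. It mimics the Encode loader with a stub module so it runs without a vulnerable Encode installed: the function name load_local_config, the stub module Demo::ConfigLocal and the temporary-directory layout are assumptions made for the demonstration. The buggy form plants a file under a directory named after scalar(@INC), exactly the guessable integer the advisory mentions, and shows that it is executed; the fixed form leaves the real search path intact and does not load it.

```perl
#!/usr/bin/perl
# Added example, not from the advisory or from Encode itself.
# Reproduces the "@INC || ()" scalar-context bug with a stub module
# (Demo::ConfigLocal and load_local_config are assumed names).
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use Cwd        qw(getcwd);

# Mirrors the Encode loader; $fixed selects the corrected @INC handling.
sub load_local_config {
    my ($fixed) = @_;
    my $ok = eval {
        local $SIG{__DIE__};
        local $SIG{__WARN__};
        # Buggy: "||" evaluates @INC in scalar context, so the localized
        # @INC becomes a one-element list holding the former element count
        # (e.g. "12"), a relative path resolved against the working directory.
        # Fixed: plain list assignment copies @INC unchanged.
        local @INC = $fixed ? @INC : (@INC || ());
        pop @INC if @INC && $INC[-1] eq '.';
        delete $INC{'Demo/ConfigLocal.pm'};   # let each call really require it
        require Demo::ConfigLocal;
        1;
    };
    return $ok ? 'loaded' : 'not loaded';
}

# Attacker's side: a directory named after scalar(@INC) in the working
# directory, holding the module the loader will look for. A real attacker
# would have to guess this integer; here it is read directly.
my $orig_cwd = getcwd();
my $work     = tempdir(CLEANUP => 1);
chdir $work or die "chdir $work: $!";

my $guess = scalar @INC;
make_path("$guess/Demo");
open my $fh, '>', "$guess/Demo/ConfigLocal.pm" or die "open: $!";
print $fh "package Demo::ConfigLocal;\n",
          "\$main::LOADED_FROM = __FILE__;   # records that attacker code ran\n",
          "1;\n";
close $fh;

# Victim's side: run the loader both ways from that working directory.
for my $mode (0, 1) {
    $main::LOADED_FROM = '';
    my $result = load_local_config($mode);
    printf "%-5s @INC handling: %s%s\n",
        $mode ? 'fixed' : 'buggy',
        $result,
        $main::LOADED_FROM ? " (code ran from $main::LOADED_FROM)" : '';
}

chdir $orig_cwd or die "chdir $orig_cwd: $!";
```

To check an installed copy rather than this stub, locate Encode.pm and look for the defective assignment: `grep -n '@INC || ()' "$(perl -MEncode -e 'print $INC{"Encode.pm"}')"`. A hit means the loader still evaluates @INC in scalar context; the corrected loader contains `local @INC = @INC;` followed by the emptiness-guarded pop.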
Comment 1 Marcus Meissner 2021-07-19 13:40:36 UTC
this seems to be only in factory perl?
Comment 2 Michael Schröder 2021-07-19 13:43:36 UTC
That seems to be the case.
Comment 3 Marcus Meissner 2021-08-11 11:06:31 UTC
is public now
Comment 4 Marcus Meissner 2021-12-07 09:15:02 UTC
not affecting SLES