blob: 1ef548b305f2b606ae1ae2287f9b9bfe04e39c43 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
Backport patch to fix CVE-2021-36770. And drop the section of code which
updates version.
Upstream-Status: Backport [https://github.com/Perl/perl5/commit/c1a937f]
CVE: CVE-2021-36770
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001
From: Ricardo Signes <rjbs@semiotic.systems>
Date: Mon, 9 Aug 2021 08:14:05 -0400
Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770
I expect Encode to see a new release today.
Without this fix, Encode::ConfigLocal can be loaded from a path relative
to the current directory, because the || operator will evaluate @INC in
scalar context, putting an integer as the only value in @INC.
---
cpan/Encode/Encode.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm
index a56a99947f..b96a850416 100644
--- a/cpan/Encode/Encode.pm
+++ b/cpan/Encode/Encode.pm
@@ -65,8 +66,8 @@ require Encode::Config;
eval {
local $SIG{__DIE__};
local $SIG{__WARN__};
- local @INC = @INC || ();
- pop @INC if $INC[-1] eq '.';
+ local @INC = @INC;
+ pop @INC if @INC && $INC[-1] eq '.';
require Encode::ConfigLocal;
};
--
2.33.0
|
