MGASA-2021-0527

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2021-0527.html

Import Source

https://advisories.mageia.org/MGASA-2021-0527.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2021-0527

Related

CVE-2021-36770

Published

2021-12-02T16:49:28Z

Modified

2021-12-02T16:14:22Z

Summary

Updated perl/perl-Encode packages fix security vulnerability

Details

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:8 / perl

Package

Name: perl
Purl: pkg:rpm/mageia/perl?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.32.1-1.1.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / perl-Encode

Package

Name: perl-Encode
Purl: pkg:rpm/mageia/perl-Encode?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.80.0-1.1.mga8

Ecosystem specific

{
    "section": "core"
}