Bug 29352 - perl, perl-Encode new security issue CVE-2021-36770
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-08-10 16:07 CEST by David Walser
Modified: 2021-12-02 17:50 CET

See Also:
Source RPM: perl-5.34.0-2.mga9.src.rpm, perl-Encode-3.110.0-1.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2021-08-10 16:07:06 CEST
Ubuntu has issued an advisory on August 9:
https://ubuntu.com/security/notices/USN-5033-1

Mageia 8 is also affected.

David Walser 2021-08-10 16:07:26 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Ubuntu and upstream

Comment 1 Marja Van Waes 2021-08-10 19:53:45 CEST
Assigning to our Perl stack maintainers.

CC: (none) => marja11
Assignee: bugsquad => perl

Comment 2 David Walser 2021-08-13 14:00:05 CEST
Fedora has issued an advisory for this today (August 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/

Comment 3 Nicolas Lécureuil 2021-11-26 19:04:46 CET
Fixed in cauldron

Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)

Comment 4 Nicolas Lécureuil 2021-11-26 19:11:03 CET
Fixed in mga8

src:
    - perl-5.32.1-1.1.mga8
    - perl-Encode-3.80.0-1.1.mga8

Assignee: perl => qa-bugs
Status comment: Patches available from Ubuntu and upstream => (none)
CC: (none) => perl

Comment 5 David Walser 2021-11-26 21:22:46 CET
RPMS:
perl-doc-5.32.1-1.1.mga8
perl-base-5.32.1-1.1.mga8
perl-devel-5.32.1-1.1.mga8
perl-5.32.1-1.1.mga8
perl-Encode-3.80.0-1.1.mga8

Comment 6 Len Lawrence 2021-11-28 20:24:17 CET
mga8, x64

Installed perl-Encode and hacked together a perl script using sources quoted below.

#!/bin/perl
# https://www.tutorialspoint.com/perl/perl_introduction.htm
# https://perl.developpez.com/documentations/en/5.8.9/Encode.html#PERL-ENCODING-API
use Encode;
use Encode::Alias;
define_alias(newName => ENCODING);

print Encode::resolve_alias("latin1") eq "iso-8859-1";
$message = "\nRumpelstiltskin";
$octets = encode("iso-8859-1", $message);
print "$octets\n";
print Encode::resolve_alias("iso-8859-12"); 
print Encode::resolve_alias($message) eq $message;
my $enc = find_encoding('UTF-8');
warn $enc->name;
warn $enc->mime_name;

$ ./test.pl
1
Rumpelstiltskin
utf-8-strict at ./test.pl line 15.
UTF-8 at ./test.pl line 16.

This looks right but not too sure.

Ran qarepo/MageiaUpdate to install the updates.
$ ./test.pl
1
Rumpelstiltskin
utf-8-strict at ./test.pl line 15.
UTF-8 at ./test.pl line 16.

No changes there so this is probably OK.

CC: (none) => tarazed25

Len Lawrence 2021-11-28 20:25:11 CET

Whiteboard: (none) => MGA8TOO MGA8-64-OK

Comment 7 Thomas Andrews 2021-11-29 21:39:22 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-01 21:59:50 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-12-02 17:50:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0527.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
