CVE-2021-36770

Published: 09 August 2021

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
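The context bug described above, reproduced on a constructed array together with a small source check for the same pattern. This is an added example, not code from Encode.pm or the upstream patch; `@search_path`, its sample paths, `find_scalar_context_copies` and the sample source lines are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a module search path such as @INC (sample values).
my @search_path = ('/usr/local/lib/site_perl', '/usr/share/perl5', '/usr/lib/perl5');

# Buggy form: || puts its left operand in scalar context, so the array
# collapses to its element count before the list assignment happens.
my @buggy = @search_path || ();

# Correct form: a plain list assignment copies the elements themselves.
my @fixed = @search_path;

printf "buggy copy has %d entry:   (%s)\n", scalar @buggy, join(', ', @buggy);
printf "fixed copy has %d entries: (%s)\n", scalar @fixed, join(', ', @fixed);

# Hypothetical review helper: return the 1-based line numbers where an
# array is assigned from "@other || ...". A scalar on the left-hand side
# is not flagged, because taking the count is usually intended there.
sub find_scalar_context_copies {
    my @lines = @_;
    my @hits;
    for my $i (0 .. $#lines) {
        push @hits, $i + 1
            if $lines[$i] =~ /\@[\w:]+\s*=\s*\@[\w:]+\s*\|\|/;
    }
    return @hits;
}

# Constructed source lines to run the helper against.
my @sample_source = (
    'local @paths = @paths || ();',    # array target: elements are lost
    'my @copy = @paths;',              # plain copy: fine
    'my $count = @paths || 0;',        # scalar target: count is intended
);

my @flagged = find_scalar_context_copies(@sample_source);
print "flagged line(s): @flagged\n";
```

The helper is a line-based pattern match, so it is a review aid for spotting candidates rather than a parser of Perl.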

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: libencode-perl (Launchpad, Ubuntu, Debian)

Upstream: Needs triage
Ubuntu 21.10 (Impish Indri): Needed
Ubuntu 21.04 (Hirsute Hippo): Needed
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.02-1)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (2.96-1)
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (out of standard support)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: perl (Launchpad, Ubuntu, Debian)

Upstream: Needs triage
Ubuntu 21.10 (Impish Indri): Released (5.32.1-3ubuntu3)
Ubuntu 21.04 (Hirsute Hippo): Released (5.32.1-3ubuntu2.1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (5.30.0-9ubuntu0.2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (5.26.1-6ubuntu0.5)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable

Patches:
Upstream: https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9