CVE-2021-36770
Published: 09 August 2021
Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
Priority
Medium
CVSS 3 base score: 7.8
Status
| Package | Release | Status |
|---|---|---|
|
libencode-perl Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Needed
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(3.02-1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(2.96-1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(out of standard support)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
perl Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Released
(5.32.1-3ubuntu2.1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(5.30.0-9ubuntu0.2)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(5.26.1-6ubuntu0.5)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
|
|
|
Patches: Upstream: https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9 |
||