Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_162949718382050" MIME-Version: 1.0 Date: Fri, 20 Aug 2021 22:06:23 +0000 
From: "Kimmo Suominen" Subject: CVS commit: pkgsrc/lang/perl5 To: pkgsrc-changes@NetBSD.org Reply-To: kim@netbsd.org X-Mailer: log_accum Message-Id: <20210820220623.9F51DFA97@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_162949718382050 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: kim Date: Fri Aug 20 22:06:23 UTC 2021 Modified Files: pkgsrc/lang/perl5: Makefile distinfo Added Files: pkgsrc/lang/perl5/patches: patch-cpan_Encode_Encode.pm Log Message: perl5: Address CVE-2021-36770 To generate a diff of this commit: cvs rdiff -u -r1.271 -r1.272 pkgsrc/lang/perl5/Makefile cvs rdiff -u -r1.171 -r1.172 pkgsrc/lang/perl5/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/lang/perl5/patches/patch-cpan_Encode_Encode.pm Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_162949718382050 Content-Disposition: inline Content-Length: 3120 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/lang/perl5/Makefile diff -u pkgsrc/lang/perl5/Makefile:1.271 pkgsrc/lang/perl5/Makefile:1.272 --- pkgsrc/lang/perl5/Makefile:1.271 Sat May 29 13:04:21 2021 +++ pkgsrc/lang/perl5/Makefile Fri Aug 20 22:06:23 2021 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.271 2021/05/29 13:04:21 rin Exp $ +# $NetBSD: Makefile,v 1.272 2021/08/20 22:06:23 kim Exp $ -PKGREVISION= 2 +PKGREVISION= 3 .include "license.mk" .include "Makefile.common" Index: pkgsrc/lang/perl5/distinfo diff -u pkgsrc/lang/perl5/distinfo:1.171 pkgsrc/lang/perl5/distinfo:1.172 --- pkgsrc/lang/perl5/distinfo:1.171 Sat May 29 13:04:21 2021 +++ pkgsrc/lang/perl5/distinfo Fri Aug 20 22:06:23 2021 
@@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.171 2021/05/29 13:04:21 rin Exp $ +$NetBSD: distinfo,v 1.172 2021/08/20 22:06:23 kim Exp $ SHA1 (perl-5.34.0.tar.xz) = d461e206a1dca5e79d39e77debf0b564f6d77d37 RMD160 (perl-5.34.0.tar.xz) = ea671a6789db48db0036f763b5068db67be951d0 @@ -8,6 +8,7 @@ SHA1 (patch-Configure) = a72983dba63f32f SHA1 (patch-Makefile.SH) = 56203aea57c429a94760f039a978463b8859b0a9 SHA1 (patch-caretx.c) = b76b4175a58123fa4dfd2adf36b2207dcb6cf65a SHA1 (patch-cflags.SH) = e940e4452768ccc1bdf21d435094e7efffceb925 +SHA1 (patch-cpan_Encode_Encode.pm) = fa49f95e79825a716d4e24995e23cea59a20b7ba SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__BeOS.pm) = 79e5aeccfa272ca5ec08bffc616d8053ae90ac51 SHA1 (patch-cpan_ExtUtils-MakeMaker_lib_ExtUtils_MM__Unix.pm) = 7b1caaea7327ebf492f8cde6b459286ecf7dd5ad SHA1 (patch-cpan_ExtUtils-MakeMaker_t_MM__BeOS.t) = 9b0e7ab85fdab4887b1754599a8879bd7d9f36cc Added files: Index: pkgsrc/lang/perl5/patches/patch-cpan_Encode_Encode.pm diff -u /dev/null pkgsrc/lang/perl5/patches/patch-cpan_Encode_Encode.pm:1.1 --- /dev/null Fri Aug 20 22:06:23 2021 +++ pkgsrc/lang/perl5/patches/patch-cpan_Encode_Encode.pm Fri Aug 20 22:06:23 2021 
@@ -0,0 +1,34 @@ +$NetBSD: patch-cpan_Encode_Encode.pm,v 1.1 2021/08/20 22:06:23 kim Exp $ + +perl5: patch Encode.pm for CVE-2021-36770 + +Without this fix, Encode::ConfigLocal can be loaded from a path relative +to the current directory, because the || operator will evaluate @INC in +scalar context, putting an integer as the only value in @INC. + +Ref: https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9.patch + +--- cpan/Encode/Encode.pm.orig 2021-01-20 23:04:44.000000000 +0000 ++++ cpan/Encode/Encode.pm 2021-08-20 21:36:16.700846398 +0000 +@@ -7,7 +7,9 @@ use warnings; + use constant DEBUG => !!$ENV{PERL_ENCODE_DEBUG}; + our $VERSION; + BEGIN { +- $VERSION = sprintf "%d.%02d", q$Revision: 1.1 $ =~ /(\d+)/g; ++ # $VERSION = sprintf "%d.%02d", q$Revision: 1.1 $ =~ /(\d+)/g; ++ $VERSION = "3.08_01"; ++ $VERSION = eval $VERSION; + require XSLoader; + XSLoader::load( __PACKAGE__, $VERSION ); + } +@@ -65,8 +67,8 @@ require Encode::Config; + eval { + local $SIG{__DIE__}; + local $SIG{__WARN__}; +- local @INC = @INC || (); +- pop @INC if $INC[-1] eq '.'; ++ local @INC = @INC; ++ pop @INC if @INC && $INC[-1] eq '.'; + require Encode::ConfigLocal; + }; + --_----------=_162949718382050--
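
Review bot: In the `@@ -7,7 +7,9 @@` hunk of patch-cpan_Encode_Encode.pm, the removed line and its commented-out copy both read `q$Revision: 1.1 $`, the same revision number as the patch file's own `$NetBSD: patch-cpan_Encode_Encode.pm,v 1.1` header, which suggests CVS keyword expansion rewrote the upstream string when the patch was committed. If that is what happened, the `-` line no longer matches Encode.pm.orig and the hunk may fail or apply only with fuzz. Please confirm that the patch as stored in the repository applies to a pristine perl-5.34.0 tree and that the distinfo SHA1 matches that stored file. Dropping the commented-out `# $VERSION = sprintf ...` line would also remove one of the two places where the keyword can be expanded. Separately, the patch description explains only the @INC change; it should also say why `$VERSION` is set to "3.08_01".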
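
Review bot: In the `@@ -65,8 +67,8 @@` hunk, `pop @INC if @INC && $INC[-1] eq '.';` removes only a trailing '.', so a '.' at any other position in @INC, or any other relative entry, is still searched by `require Encode::ConfigLocal`. That is fine for a backport of the referenced upstream patch, but the patch description would be more accurate if it said the fix restores the caller's @INC (minus a trailing '.') rather than implying that relative lookups are excluded in general. A short note on how the change was verified (for example, that Encode::ConfigLocal is no longer picked up from the current directory with the default @INC) would help anyone re-checking this later.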