Security Advisories (2)
CVE-2026-4176 (2026-03-29)

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

CVE-2026-8376 (2026-05-25)

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

NAME

Test2::Formatter - Namespace for formatters.

DESCRIPTION

This is the namespace for formatters. This is an empty package.

CREATING FORMATTERS

A formatter is any package or object with a write($event, $num) method.

package Test2::Formatter::Foo;
use strict;
use warnings;

sub write {
    my $self_or_class = shift;
    my ($event, $assert_num) = @_;
    ...
}

sub hide_buffered { 1 }

sub terminate { }

sub finalize { }

sub supports_tables { return $BOOL }

sub new_root {
    my $class = shift;
    ...
    $class->new(@_);
}

1;

The write method is a method, so it either gets a class or instance. The two arguments are the $event object it should record, and the $assert_num which is the number of the current assertion (ok), or the last assertion if this event is not itself an assertion. The assertion number may be any integer 0 or greater, and may be undefined in some cases.

The hide_buffered() method must return a boolean. This is used to tell buffered subtests whether or not to send it events as they are being buffered. See "run_subtest(...)" in Test2::API for more information.

The terminate and finalize methods are optional methods called that you can implement if the format you're generating needs to handle these cases, for example if you are generating XML and need close open tags.

The terminate method is called when an event's terminate method returns true, for example when a Test2::Event::Plan has a 'skip_all' plan, or when a Test2::Event::Bail event is sent. The terminate method is passed a single argument, the Test2::Event object which triggered the terminate.

The finalize method is always the last thing called on the formatter, except when terminate is called for a Bail event. It is passed the following arguments:

The supports_tables method should be true if the formatter supports directly rendering table data from the info facets. This is a newer feature and many older formatters may not support it. When not supported the formatter falls back to rendering detail instead of the table data.

The new_root method is used when constructing a root formatter. The default is to just delegate to the regular new() method, most formatters can ignore this.

  • The number of tests that were planned

  • The number of tests actually seen

  • The number of tests which failed

  • A boolean indicating whether or not the test suite passed

  • A boolean indicating whether or not this call is for a subtest

The new_root method is called when Test2::API::Stack Initializes the root hub for the first time. Most formatters will simply have this call $class->new, which is the default behavior. Some formatters however may want to take extra action during construction of the root formatter, this is where they can do that.

SOURCE

The source code repository for Test2 can be found at https://github.com/Test-More/test-more/.

MAINTAINERS

Chad Granum <exodist@cpan.org>

AUTHORS

Chad Granum <exodist@cpan.org>

COPYRIGHT

Copyright Chad Granum <exodist@cpan.org>.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See https://dev.perl.org/licenses/