Security Advisories (27)

CVE-1999-1386 (1999-12-31)

Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.

CVE-1999-0462 (1999-03-17)

suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.

http://www.securityfocus.com/bid/339

CVE-2000-0703 (2000-10-20)

suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2010-1158 (2010-04-20)

Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.

CVE-2008-1927 (2008-04-24)

Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.

CVE-2005-3962 (2005-12-01)

Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.

CVE-2007-5116 (2007-11-07)

Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

NAME

OS2::REXX - access to DLLs with REXX calling convention and REXX runtime.

NOTE

By default, the REXX variable pool is not available, neither to Perl, nor to external REXX functions. To enable it, you need to put your code inside REXX_call function. REXX functions which do not use variables may be usable even without REXX_call though.

SYNOPSIS

use OS2::REXX;
$ydb = load OS2::REXX "ydbautil" or die "Cannot load: $!";
@pid = $ydb->RxProcId();
REXX_call {
  tie $s, OS2::REXX, "TEST";
  $s = 1;
};

DESCRIPTION

Load REXX DLL

$dll = load OS2::REXX NAME [, WHERE];

NAME is DLL name, without path and extension.

Directories are searched WHERE first (list of dirs), then environment paths PERL5REXX, PERLREXX or, as last resort, PATH.

The DLL is not unloaded when the variable dies.

Returns DLL object reference, or undef on failure.

Define function prefix:

$dll->prefix(NAME);

Define the prefix of external functions, prepended to the function names used within your program, when looking for the entries in the DLL.

Example

$dll = load OS2::REXX "RexxBase";
$dll->prefix("RexxBase_");
$dll->Init();

is the same as

$dll = load OS2::REXX "RexxBase";
$dll->RexxBase_Init();

Define queue:

$dll->queue(NAME);

Define the name of the REXX queue passed to all external functions of this module. Defaults to "SESSION".

Check for functions (optional):

BOOL = $dll->find(NAME [, NAME [, ...]]);

Returns true if all functions are available.

Call external REXX function:

$dll->function(arguments);

Returns the return string if the return code is 0, else undef. Dies with error message if the function is not available.

Accessing REXX-runtime

While calling functions with REXX signature does not require the presence of the system REXX DLL, there are some actions which require REXX-runtime present. Among them is the access to REXX variables by name.

One enables REXX runtime by bracketing your code by

REXX_call BLOCK;

(trailing semicolon required!) or

REXX_call \&subroutine_name;

Inside such a call one has access to REXX variables (see below), and to

REXX_eval EXPR;
REXX_eval_with EXPR, 
	subroutine_name_in_REXX => \&Perl_subroutine

Bind scalar variable to REXX variable:

tie $var, OS2::REXX, "NAME";

Bind array variable to REXX stem variable:

tie @var, OS2::REXX, "NAME.";

Only scalar operations work so far. No array assignments, no array operations, ... FORGET IT.

Bind hash array variable to REXX stem variable:

tie %var, OS2::REXX, "NAME.";

To access all visible REXX variables via hash array, bind to "";

No array assignments. No array operations, other than hash array operations. Just like the *dbm based implementations.

For the usual REXX stem variables, append a "." to the name, as shown above. If the hash key is part of the stem name, for example if you bind to "", you cannot use lower case in the stem part of the key and it is subject to character set restrictions.

Erase individual REXX variables (bound or not):

OS2::REXX::drop("NAME" [, "NAME" [, ...]]);

Erase REXX variables with given stem (bound or not):

OS2::REXX::dropall("STEM" [, "STEM" [, ...]]);

NOTES

Note that while function and variable names are case insensitive in the REXX language, function names exported by a DLL and the REXX variables (as seen by Perl through the chosen API) are all case sensitive!

Most REXX DLLs export function names all upper case, but there are a few which export mixed case names (such as RxExtras). When trying to find the entry point, both exact case and all upper case are searched. If the DLL exports "RxNap", you have to specify the exact case, if it exports "RXOPEN", you can use any case.

To avoid interfering with subroutine names defined by Perl (DESTROY) or used within the REXX module (prefix, find), it is best to use mixed case and to avoid lowercase only or uppercase only names when calling REXX functions. Be consistent. The same function written in different ways results in different Perl stubs.

There is no REXX interpolation on variable names, so the REXX variable name TEST.ONE is not affected by some other REXX variable ONE. And it is not the same variable as TEST.one!

You cannot call REXX functions which are not exported by the DLL. While most DLLs export all their functions, some, like RxFTP, export only "...LoadFuncs", which registers the functions within REXX only.

You cannot call 16-bit DLLs. The few interesting ones I found (FTP,NETB,APPC) do not export their functions.

I do not know whether the REXX API is reentrant with respect to exceptions (signals) when the REXX top-level exception handler is overridden. So unless you know better than I do, do not access REXX variables (probably tied to Perl variables) or call REXX functions which access REXX queues or REXX variables in signal handlers.

See t/rx*.t for examples.

AUTHOR

Andreas Kaiser ak@ananke.s.bawue.de, with additions by Ilya Zakharevich ilya@math.ohio-state.edu.

To install Env, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Env

CPAN shell

perl -MCPAN -e shell
install Env

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)