Security Advisories (17)
CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, and that change is visible to any other thread already running in the process (a third thread or beyond). This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
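The following Perl script is added here as an illustration of the mechanism behind this advisory; it is not taken from the advisory or from the Perl project's fix. It plants a module under a scratch directory, chdirs there, and shows that `require` picks the planted file up when @INC ends in "." but not once that entry is removed. The one-line `BEGIN` guard that pops a trailing "." is the conventional fix for scripts that cannot rely on a patched perl; the `Evil::Planted` module, the directory layout and the helper names are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory or of the Perl core fix: show how a
# trailing "." in @INC lets "require" resolve a module from the current
# working directory, and the BEGIN-block guard that removes it before any
# module is loaded. "Evil::Planted" is a constructed fixture.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Guard: runs at compile time, before any later "use"/"require" in this
# file, and drops a trailing "." so modules are never searched in the cwd.
BEGIN { pop @INC if @INC && $INC[-1] eq '.' }

# Report every relative @INC entry (".", "", "lib", ...): each one is
# resolved against whatever directory the process happens to run in.
sub unsafe_inc_entries {
    return grep { !File::Spec->file_name_is_absolute($_) } @INC;
}

# Constructed fixture: a scratch directory holding a planted module.
sub plant_module {
    my $dir = tempdir(CLEANUP => 1);
    make_path("$dir/Evil");
    open my $fh, '>', "$dir/Evil/Planted.pm" or die "open: $!";
    print {$fh} "package Evil::Planted;\nour \$LOADED = 1;\n1;\n";
    close $fh;
    return $dir;
}

# chdir into the planted directory and try to require the module, with or
# without a trailing "." in @INC. Returns 1 if the planted file was loaded.
sub loads_from_cwd {
    my ($with_dot) = @_;
    my $dir  = plant_module();
    my $orig = getcwd();
    chdir $dir or die "chdir: $!";
    local @INC = $with_dot ? (@INC, '.') : grep { $_ ne '.' } @INC;
    delete $INC{'Evil/Planted.pm'};              # forget any earlier load
    my $loaded = eval { require Evil::Planted; 1 } ? 1 : 0;
    chdir $orig or die "chdir: $!";
    return $loaded;
}

my @unsafe = unsafe_inc_entries();
print @unsafe ? "relative \@INC entries: @unsafe\n"
              : "\@INC contains only absolute paths\n";
printf "with trailing '.':    planted module loaded = %d\n", loads_from_cwd(1);
printf "without trailing '.': planted module loaded = %d\n", loads_from_cwd(0);
```

Run it from any directory: the first `loads_from_cwd` call succeeds because the planted file is found through ".", the second fails because the search path no longer includes the working directory. Perl 5.26 and later omit "." from @INC by default, but a `PERL_USE_UNSAFE_INC=1` environment or an explicit `use lib '.'` reintroduces it, which is why the guard and the `unsafe_inc_entries` check are still worth having in privileged scripts.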

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

NAME

CPAN::Meta::Requirements - a set of version requirements for a CPAN dist

VERSION

version 2.122

SYNOPSIS

use CPAN::Meta::Requirements;

my $build_requires = CPAN::Meta::Requirements->new;

$build_requires->add_minimum('Library::Foo' => 1.208);

$build_requires->add_minimum('Library::Foo' => 2.602);

$build_requires->add_minimum('Module::Bar'  => 'v1.2.3');

$METAyml->{build_requires} = $build_requires->as_string_hash;

DESCRIPTION

A CPAN::Meta::Requirements object models a set of version constraints like those specified in the META.yml or META.json files in CPAN distributions. It can be built up by adding more and more constraints, and it will reduce them to the simplest representation.

Logically impossible constraints will be identified immediately by thrown exceptions.

METHODS

new

my $req = CPAN::Meta::Requirements->new;

This returns a new CPAN::Meta::Requirements object. It takes an optional hash reference argument. The following keys are supported:

  • bad_version_hook -- if provided, when a version cannot be parsed into a version object, this code reference will be called with the invalid version string as an argument. It must return a valid version object.

All other keys are ignored.

add_minimum

$req->add_minimum( $module => $version );

This adds a new minimum version requirement. If the new requirement is redundant to the existing specification, this has no effect.

Minimum requirements are inclusive: $version itself is acceptable, as is any greater version.

This method returns the requirements object.

add_maximum

$req->add_maximum( $module => $version );

This adds a new maximum version requirement. If the new requirement is redundant to the existing specification, this has no effect.

Maximum requirements are inclusive. No version strictly greater than the given version is allowed.

This method returns the requirements object.

add_exclusion

$req->add_exclusion( $module => $version );

This adds a new excluded version. For example, you might use these three method calls:

$req->add_minimum( $module => '1.00' );
$req->add_maximum( $module => '1.82' );

$req->add_exclusion( $module => '1.75' );

Any version between 1.00 and 1.82 inclusive would be acceptable, except for 1.75.

This method returns the requirements object.

exact_version

$req->exact_version( $module => $version );

This sets the version required for the given module to exactly the given version. No other version would be considered acceptable.

This method returns the requirements object.

add_requirements

$req->add_requirements( $another_req_object );

This method adds all the requirements in the given CPAN::Meta::Requirements object to the requirements object on which it was called. If there are any conflicts, an exception is thrown.

This method returns the requirements object.

accepts_module

my $bool = $req->accepts_module($module => $version);

Given a module and version, this method returns true if the version specification for the module accepts the provided version. In other words, given:

Module => '>= 1.00, < 2.00'

We will accept 1.00 and 1.75 but not 0.50 or 2.00.

For modules that do not appear in the requirements, this method will return true.
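The script below is an added example, not code from the CPAN::Meta::Requirements documentation. It builds a constraint set with the add_* methods described above, checks a set of candidate versions with accepts_module (including a module with no constraint at all), and shows add_requirements refusing a set that contradicts an exact_version entry. The module names, versions and helper names are made up for the example.

```perl
#!/usr/bin/perl
# Added example (not from the CPAN::Meta::Requirements documentation): build a
# constraint set with the add_* methods, check candidate versions with
# accepts_module, and see how add_requirements rejects a conflicting set.
# Module names and versions are made up for the example.
use strict;
use warnings;
use CPAN::Meta::Requirements;

# Constraints for three dependencies: Library::Foo in [1.00, 1.82] minus 1.75,
# Module::Bar at least v1.2.3, Xyzzy pinned to exactly 6.01.
# Every add_* method returns the object, so calls can be chained.
sub build_requirements {
    my $req = CPAN::Meta::Requirements->new;
    $req->add_minimum('Library::Foo'   => '1.00')
        ->add_maximum('Library::Foo'   => '1.82')
        ->add_exclusion('Library::Foo' => '1.75');
    $req->add_minimum('Module::Bar'    => 'v1.2.3');
    $req->exact_version('Xyzzy'        => '6.01');
    return $req;
}

# Evaluate installed versions against the constraints.
# Returns a hash of module => 1 (accepted) or 0 (rejected).
sub check_installed {
    my ($req, %installed) = @_;
    my %result;
    for my $mod (sort keys %installed) {
        $result{$mod} = $req->accepts_module($mod => $installed{$mod}) ? 1 : 0;
    }
    return %result;
}

# Merge another set into $req; returns '' on success, else the error message.
sub try_merge {
    my ($req, $other) = @_;
    eval { $req->add_requirements($other); 1 } and return '';
    return $@;
}

my $req = build_requirements();

my %verdict = check_installed($req,
    'Library::Foo' => '1.50',   # inside the range
    'Xyzzy'        => '6.02',   # not the exact version
    'Module::Bar'  => 'v1.2.2', # below the minimum
    'Unlisted'     => '0.01',   # no constraint recorded, so it is accepted
);
printf "%-14s %s\n", $_, $verdict{$_} ? 'ok' : 'REJECTED' for sort keys %verdict;

# The excluded version is part of the string form but is still rejected.
print "Library::Foo: ", $req->requirements_for_module('Library::Foo'), "\n";
print "accepts 1.75? ", ($req->accepts_module('Library::Foo' => '1.75') ? 'yes' : 'no'), "\n";

# A second set whose minimum for Xyzzy lies above the pinned exact version.
my $conflicting = CPAN::Meta::Requirements->new->add_minimum('Xyzzy' => '7.00');
my $err = try_merge($req, $conflicting);
print $err ? "merge refused: $err" : "merge succeeded\n";
```

Note the last check: because accepts_module returns true for any module that has no entry in the set, a dependency that is simply missing from the requirements is indistinguishable from one that is satisfied. A consumer that wants to enforce "everything must be pinned" has to compare against required_modules first rather than rely on accepts_module alone.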

clear_requirement

$req->clear_requirement( $module );

This removes the requirement for a given module from the object.

This method returns the requirements object.

requirements_for_module

$req->requirements_for_module( $module );

This returns a string containing the version requirements for a given module in the format described in CPAN::Meta::Spec, or undef if the given module has no requirements. This should only be used for informational purposes such as error messages and should not be interpreted or used for comparison (see "accepts_module" instead).

required_modules

This method returns a list of all the modules for which requirements have been specified.

clone

$req->clone;

This method returns a clone of the invocant. The clone and the original object can then be changed independent of one another.

is_simple

This method returns true if and only if all requirements are inclusive minimums -- that is, if their string expression is just the version number.

is_finalized

This method returns true if the requirements have been finalized by having the finalize method called on them.

finalize

This method marks the requirements finalized. Subsequent attempts to change the requirements will be fatal, if they would result in a change. If they would not alter the requirements, they have no effect.

If a finalized set of requirements is cloned, the cloned requirements are not also finalized.

as_string_hash

This returns a reference to a hash describing the requirements using the strings in the META.yml specification.

For example after the following program:

my $req = CPAN::Meta::Requirements->new;

$req->add_minimum('CPAN::Meta::Requirements' => 0.102);

$req->add_minimum('Library::Foo' => 1.208);

$req->add_maximum('Library::Foo' => 2.602);

$req->add_minimum('Module::Bar'  => 'v1.2.3');

$req->add_exclusion('Module::Bar'  => 'v1.2.8');

$req->exact_version('Xyzzy'  => '6.01');

my $hashref = $req->as_string_hash;

$hashref would contain:

{
  'CPAN::Meta::Requirements' => '0.102',
  'Library::Foo' => '>= 1.208, <= 2.602',
  'Module::Bar'  => '>= v1.2.3, != v1.2.8',
  'Xyzzy'        => '== 6.01',
}

add_string_requirement

$req->add_string_requirement('Library::Foo' => '>= 1.208, <= 2.206');

This method parses the passed in string and adds the appropriate requirement for the given module. It understands version ranges as described in the "Version Ranges" in CPAN::Meta::Spec. For example:

1.3
>= 1.3
<= 1.3
== 1.3
!= 1.3
> 1.3
< 1.3
>= 1.3, != 1.5, <= 2.0

A version number without an operator is equivalent to specifying a minimum (>=). Extra whitespace is allowed.

from_string_hash

my $req = CPAN::Meta::Requirements->from_string_hash( \%hash );

This is an alternate constructor for a CPAN::Meta::Requirements object. It takes a reference to a hash mapping module names to version requirement strings and returns a new CPAN::Meta::Requirements object.
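The following script is an added example, not code from the CPAN::Meta::Requirements documentation. It loads a META.json-style "requires" map through add_string_requirement with a bad_version_hook (the option described under "new"), shows why a hook that maps garbage to version 0 must be treated as an error signal rather than a repair, writes the normalized set back out with as_string_hash, and then finalizes the set so it cannot be loosened afterwards. The %requires data and the helper names are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the CPAN::Meta::Requirements documentation): load a
# META.json-style prerequisite map, record unparsable versions instead of
# silently relaxing them, then finalize the set. %requires is constructed.
use strict;
use warnings;
use CPAN::Meta::Requirements;
use version;

# Constructed sample, as it might appear under prereqs/runtime/requires in
# META.json. The last entry is not a valid Perl version string.
my %requires = (
    'perl'         => '5.010',
    'Library::Foo' => '>= 1.208, <= 2.602',
    'Module::Bar'  => '>= v1.2.3, != v1.2.8',
    'Sloppy::Dep'  => '1.2-alpha',
);

# Parse each requirement string through a bad_version_hook that records the
# offending string. The hook must return a version object; returning 0 here
# means "any version is fine", so the caller has to inspect @bad afterwards.
sub load_requirements {
    my ($hashref) = @_;
    my @bad;
    my $req = CPAN::Meta::Requirements->new({
        bad_version_hook => sub {
            my ($string) = @_;
            push @bad, $string;
            return version->new(0);
        },
    });
    $req->add_string_requirement($_ => $hashref->{$_}) for sort keys %$hashref;
    return ($req, \@bad);
}

# Lock the set: later attempts to change it die unless they are no-ops.
sub freeze_requirements {
    my ($req) = @_;
    $req->finalize;
    return $req->is_finalized;
}

my ($req, $bad) = load_requirements(\%requires);
if (@$bad) {
    print "unparsable version strings: @$bad\n";
    # After the hook ran, the constraint on this module is effectively gone.
    print "Sloppy::Dep 0.001 accepted? ",
        ($req->accepts_module('Sloppy::Dep' => '0.001') ? 'yes' : 'no'), "\n";
}

# Normalized form, as it would be written back to META.yml / META.json.
my $hash = $req->as_string_hash;
printf "%-14s %s\n", $_, $hash->{$_} for sort keys %$hash;

freeze_requirements($req);
my $ok = eval { $req->add_minimum('Library::Foo' => '1.000'); 1 };  # redundant
print "redundant change after finalize: ", ($ok ? 'ignored' : "died: $@"), "\n";
$ok = eval { $req->add_minimum('Library::Foo' => '2.000'); 1 };     # tightens
print "tightening change after finalize: ", ($ok ? 'applied' : "died: $@"), "\n";

# A clone starts unfinalized and can be edited independently of the original.
my $copy = $req->clone;
print "clone finalized? ", ($copy->is_finalized ? 'yes' : 'no'), "\n";
```

Without a bad_version_hook the unparsable entry would make add_string_requirement die, which is the safer default for anything that gates an install; the hook is only appropriate when the caller also surfaces what was recorded in it. Finalizing after loading is a cheap guard against code that later "helpfully" relaxes a requirement it did not own.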

SUPPORT

Bugs / Feature Requests

Please report any bugs or feature requests through the issue tracker at http://rt.cpan.org/Public/Dist/Display.html?Name=CPAN-Meta-Requirements. You will be notified automatically of any progress on your issue.

Source Code

This is open source software. The code repository is available for public review and contribution under the terms of the license.

https://github.com/dagolden/cpan-meta-requirements

git clone https://github.com/dagolden/cpan-meta-requirements.git

AUTHORS

  • David Golden <dagolden@cpan.org>

  • Ricardo Signes <rjbs@cpan.org>

COPYRIGHT AND LICENSE

This software is copyright (c) 2010 by David Golden and Ricardo Signes.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.