/ 
perl-5.17.10
⭐ Starred 2013
/ Locale::Codes
Security Advisories (18)
CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

Locale::Codes - a distribution of modules to handle locale codes

DESCRIPTION

Locale-Codes is a distribution containing a set of modules. The modules each deal with different types of codes which identify parts of the locale including languages, countries, currency, etc.

Currently, the following modules are included:

Locale::Codes::Country, Locale::Country

This includes support for country codes (such as those listed in ISO-3166) to specify the country.

Because this module was originally distributed as Locale::Country, it is also available under that name.

Locale::Codes::Language, Locale::Language

This includes support for language codes (such as those listed in ISO-639) to specify the language.

Because this module was originally distributed as Locale::Language, it is also available under that name.

Locale::Codes::Currency, Locale::Currency

This includes support for currency codes (such as those listed in ISO-4217) to specify the currency.

Because this module was originally distributed as Locale::Currency, it is also available under that name.

Locale::Codes::Script, Locale::Script

This includes support for script codes (such as those listed in ISO-15924) to specify the script.

Because this module was originally distributed as Locale::Script, it is also available under that name.

Locale::Codes::LangExt

This includes support for language extension codes (such as those listed in the IANA language registry) to specify the language extension.

Locale::Codes::LangVar

This includes support for language variation codes (such as those listed in the IANA language registry) to specify the language variation.

Locale::Codes::LangFam

This includes support for language family codes (such as those listed in ISO 639-5) to specify families of languages.

Each module can support an arbitrary number of code sets, and it it not required that the relationship between these code sets be one-to-one. For example, the Locale::Codes::Country module supports code sets from ISO-3166 and the FIPS 10 standard, and they do not break the world down into exactly the same sets of countries. This does not cause any problem (though converting codes from ISO-3166 to FIPS or back will not work except for countries that are one-to-one).

All data in all of these modules comes directly from the original standards (or as close to direct as possible), so it should be up-to-date at the time of release.

I plan on releasing a new version several times a year to incorporate any changes made in the standards. However, I don't always know about changes that occur, so if any of the standards change, and you want a new release sooner, just email me and I'll get one out.

In addition to the modules above, there are a number of support modules included in the distribution including:

Locale::Codes
Locale::Codes::Constants
Locale::Codes::Country_codes
Locale::Codes::Language_codes
Locale::Codes::Currency_codes
Locale::Codes::Script_codes
Locale::Codes::LangExt_codes
Locale::Codes::LangVar_codes
Locale::Codes::LangFam_codes

These modules are not intended to be used by programmers. They contain functions or data that are used by the modules listed above.

NEW CODE SETS

I'm always open to suggestions for new code sets.

In order for me to add a code set, I want the following criteria to be met:

General-use code set

If a code set is not general use, I'm not likely to spend the time to add and support it.

An official source of data

I require an official (or at least, a NEARLY official) source where I can get the data on a regular basis.

Ideally, I'd only get data from an official source, but sometimes that is not possible. For example the ISO standards are not typically available for free, so I may have to get some of that data from alternate sources that I'm confident are getting their data from the official source. However, I will always be hesitant to accept a non-official source.

As an example, I used to get some country data from the CIA World Factbook. Given the nature of the source, I'm sure they're updating data from the official sources and I consider it "nearly" official. However, even in this case, I found that they were adding codes that were not part of the standard, so I have stopped using them as a source.

There are many 3rd party sites which maintain lists (many of which are actually in a more convenient form than the official sites). Unfortunately, I will reject most of them since I have no feel for how "official" they are.

A free source of the data

Obviously, the data must be free-of-charge. I'm not interested in paying for the data (and I'm not interested in the overhead of having someone else pay for the data for me).

A reliable source of data

The source of data must come from a source that I can reasonably expect to exist for the foreseeable future since I will be extremely reluctant to drop support for a data set once it's included.

I am also reluctant to accept data sent to me by an individual. Although I appreciate the offer, it is simply not practical to consider an individual contribution as a reliable source of data. The source should be an official agency of some sort.

These requirements are open to discussion. If you have a code set you'd like to see added, but which may not meet all of the above requirements, feel free to email me and we'll discuss it. Depending on circumstances, I may be willing to waive some of these criteria.

COMMON ALIASES

As of version 2.00, the modules supported common variants of names.

For example, Locale::Country supports variant names for countries, and a few of the most common ones are included in the data. The country code for "United States" is "us", so:

country2code('United States');
   => "us"

Now the following will also return 'us':

country2code('United States of America');
country2code('USA');

Any number of common aliases may be included in the data, in addition to the names that come directly from the standards. If you have a common alias for a country, language, or any other of the types of codes, let me know and I'll add it, with some restrictions.

For example, the country name "North Korea" never appeared in any of the official sources (instead, it was "Korea, North" or "Korea, Democratic People's Republic of". I would honor a request to add an alias "North Korea" since that's a very common way to specify the country (please don't request this... I've already added it).

On the other hand, a request to add Zaire as an alias for "Congo, The Democratic Republic of" will not be honored. The country's official name is no longer Zaire, so adding it as an alias violates the standard. Zaire was kept as an alias in versions prior to 3.00, but it has been removed. Other aliases (if any) which no longer appear in any standard (and which are not common variations of the name in the standards) have also been removed.

DEPRECATED CODES

Occasionally, a code is deprecated, but it may still be desirable to have access to it.

Although there is no way to see every code that has ever existed and been deprecated (since most codesets do not have that information available), as of version 3.20, every code which has ever been included in these modules can be referenced.

For more information, refer to the documentation on the code2XXX, XXX2code, all_XXX_codes, and all_XXX_names function in the Locale::Codes::API documentation.

SEE ALSO

Locale::Codes::API

The list of functions available in each of the modules listed below. The APIs for each module are exactly identical.

Locale::Codes::Country

Codes for identification of countries.

Locale::Codes::Language

Codes for identification of languages.

Locale::Codes::Script

Codes for identification of scripts.

Locale::Codes::Currency

Codes for identification of currencies and funds.

Locale::Codes::LangExt

Codes for identification of language extensions.

Locale::Codes::LangVar

Codes for identification of language variations.

Locale::Codes::LangFam

Codes for identification of language families.

Locale::Codes::Changes

A history of changes made to this distribution.

AUTHOR

Locale::Country and Locale::Language were originally written by Neil Bowers at the Canon Research Centre Europe (CRE). They maintained the distribution from 1997 to 2001.

Locale::Currency was originally written by Michael Hennecke and was modified by Neil Bowers for inclusion in the distribution.

From 2001 to 2004, maintenance was continued by Neil Bowers. He modified Locale::Currency for inclusion in the distribution. He also added Locale::Constants and Locale::Script.

From 2004-2009, the module was unmaintained.

In 2010, maintenance was taken over by Sullivan Beck (sbeck@cpan.org) with Neil Bower's permission. All problems or comments should be sent there. Alternately, problems can be reported using the perl problem tracker at:

https://rt.cpan.org/Dist/Display.html?Queue=Locale-Codes

COPYRIGHT

Copyright (c) 1997-2001 Canon Research Centre Europe (CRE).
Copyright (c) 2001      Michael Hennecke (Locale::Currency)
Copyright (c) 2001-2010 Neil Bowers
Copyright (c) 2010-2013 Sullivan Beck

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.