/ 
perl-5.17.10
River stage five • 12010 direct dependents • 33600 total dependents
⭐ Starred 2013 GitHub stars
/ Module::Build::Authoring
Security Advisories (18)
CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

Module::Build::Authoring - Authoring Module::Build modules

DESCRIPTION

When creating a Build.PL script for a module, something like the following code will typically be used:

use Module::Build;
my $build = Module::Build->new
  (
   module_name => 'Foo::Bar',
   license  => 'perl',
   requires => {
                'perl'          => '5.6.1',
                'Some::Module'  => '1.23',
                'Other::Module' => '>= 1.2, != 1.5, < 2.0',
               },
  );
$build->create_build_script;

A simple module could get away with something as short as this for its Build.PL script:

use Module::Build;
Module::Build->new(
  module_name => 'Foo::Bar',
  license     => 'perl',
)->create_build_script;

The model used by Module::Build is a lot like the MakeMaker metaphor, with the following correspondences:

 In Module::Build                 In ExtUtils::MakeMaker
---------------------------      ------------------------
 Build.PL (initial script)        Makefile.PL (initial script)
 Build (a short perl script)      Makefile (a long Makefile)
 _build/ (saved state info)       various config text in the Makefile

Any customization can be done simply by subclassing Module::Build and adding a method called (for example) ACTION_test, overriding the default 'test' action. You could also add a method called ACTION_whatever, and then you could perform the action Build whatever.

For information on providing compatibility with ExtUtils::MakeMaker, see Module::Build::Compat and http://www.makemaker.org/wiki/index.cgi?ModuleBuildConversionGuide.

STRUCTURE

Module::Build creates a class hierarchy conducive to customization. Here is the parent-child class hierarchy in classy ASCII art:

/--------------------\
|   Your::Parent     |  (If you subclass Module::Build)
\--------------------/
         |
         |
/--------------------\  (Doesn't define any functionality
|   Module::Build    |   of its own - just figures out what
\--------------------/   other modules to load.)
         |
         |
/-----------------------------------\  (Some values of $^O may
|   Module::Build::Platform::$^O    |   define specialized functionality.
\-----------------------------------/   Otherwise it's ...::Default, a
         |                              pass-through class.)
         |
/--------------------------\
|   Module::Build::Base    |  (Most of the functionality of 
\--------------------------/   Module::Build is defined here.)

SUBCLASSING

Right now, there are two ways to subclass Module::Build. The first way is to create a regular module (in a .pm file) that inherits from Module::Build, and use that module's class instead of using Module::Build directly:

------ in Build.PL: ----------
#!/usr/bin/perl

use lib q(/nonstandard/library/path);
use My::Builder;  # Or whatever you want to call it

my $build = My::Builder->new
  (
   module_name => 'Foo::Bar',  # All the regular args...
   license     => 'perl',
   dist_author => 'A N Other <me@here.net.au>',
   requires    => { Carp => 0 }
  );
$build->create_build_script;

This is relatively straightforward, and is the best way to do things if your My::Builder class contains lots of code. The create_build_script() method will ensure that the current value of @INC (including the /nonstandard/library/path) is propagated to the Build script, so that My::Builder can be found when running build actions. If you find that you need to chdir into a different directories in your subclass methods or actions, be sure to always return to the original directory (available via the base_dir() method) before returning control to the parent class. This is important to avoid data serialization problems.

For very small additions, Module::Build provides a subclass() method that lets you subclass Module::Build more conveniently, without creating a separate file for your module:

------ in Build.PL: ----------
#!/usr/bin/perl

use Module::Build;
my $class = Module::Build->subclass
  (
   class => 'My::Builder',
   code => q{
     sub ACTION_foo {
       print "I'm fooing to death!\n";
     }
   },
  );

my $build = $class->new
  (
   module_name => 'Foo::Bar',  # All the regular args...
   license     => 'perl',
   dist_author => 'A N Other <me@here.net.au>',
   requires    => { Carp => 0 }
  );
$build->create_build_script;

Behind the scenes, this actually does create a .pm file, since the code you provide must persist after Build.PL is run if it is to be very useful.

See also the documentation for the "subclass()" in Module::Build::API method.

PREREQUISITES

Types of prerequisites

To specify what versions of other modules are used by this distribution, several types of prerequisites can be defined with the following parameters:

configure_requires

Items that must be installed before configuring this distribution (i.e. before running the Build.PL script). This might be a specific minimum version of Module::Build or any other module the Build.PL needs in order to do its stuff. Clients like CPAN.pm or CPANPLUS will be expected to pick configure_requires out of the META.yml file and install these items before running the Build.PL.

If no configure_requires is specified, the current version of Module::Build is automatically added to configure_requires.

build_requires

Items that are necessary for building and testing this distribution, but aren't necessary after installation. This can help users who only want to install these items temporarily. It also helps reduce the size of the CPAN dependency graph if everything isn't smooshed into requires.

requires

Items that are necessary for basic functioning.

recommends

Items that are recommended for enhanced functionality, but there are ways to use this distribution without having them installed. You might also think of this as "can use" or "is aware of" or "changes behavior in the presence of".

conflicts

Items that can cause problems with this distribution when installed. This is pretty rare.

Format of prerequisites

The prerequisites are given in a hash reference, where the keys are the module names and the values are version specifiers:

requires => {
             Foo::Module => '2.4',
             Bar::Module => 0,
             Ken::Module => '>= 1.2, != 1.5, < 2.0',
             perl => '5.6.0'
            },

The above four version specifiers have different effects. The value '2.4' means that at least version 2.4 of Foo::Module must be installed. The value 0 means that any version of Bar::Module is acceptable, even if Bar::Module doesn't define a version. The more verbose value '>= 1.2, != 1.5, < 2.0' means that Ken::Module's version must be at least 1.2, less than 2.0, and not equal to 1.5. The list of criteria is separated by commas, and all criteria must be satisfied.

A special perl entry lets you specify the versions of the Perl interpreter that are supported by your module. The same version dependency-checking semantics are available, except that we also understand perl's new double-dotted version numbers.

XS Extensions

Modules which need to compile XS code should list ExtUtils::CBuilder as a build_requires element.

SAVING CONFIGURATION INFORMATION

Module::Build provides a very convenient way to save configuration information that your installed modules (or your regression tests) can access. If your Build process calls the feature() or config_data() methods, then a Foo::Bar::ConfigData module will automatically be created for you, where Foo::Bar is the module_name parameter as passed to new(). This module provides access to the data saved by these methods, and a way to update the values. There is also a utility script called config_data distributed with Module::Build that provides a command line interface to this same functionality. See also the generated Foo::Bar::ConfigData documentation, and the config_data script's documentation, for more information.

STARTING MODULE DEVELOPMENT

When starting development on a new module, it's rarely worth your time to create a tree of all the files by hand. Some automatic module-creators are available: the oldest is h2xs, which has shipped with perl itself for a long time. Its name reflects the fact that modules were originally conceived of as a way to wrap up a C library (thus the h part) into perl extensions (thus the xs part).

These days, h2xs has largely been superseded by modules like ExtUtils::ModuleMaker, and Module::Starter. They have varying degrees of support for Module::Build.

AUTOMATION

One advantage of Module::Build is that since it's implemented as Perl methods, you can invoke these methods directly if you want to install a module non-interactively. For instance, the following Perl script will invoke the entire build/install procedure:

my $build = Module::Build->new(module_name => 'MyModule');
$build->dispatch('build');
$build->dispatch('test');
$build->dispatch('install');

If any of these steps encounters an error, it will throw a fatal exception.

You can also pass arguments as part of the build process:

my $build = Module::Build->new(module_name => 'MyModule');
$build->dispatch('build');
$build->dispatch('test', verbose => 1);
$build->dispatch('install', sitelib => '/my/secret/place/');

Building and installing modules in this way skips creating the Build script.

MIGRATION

Note that if you want to provide both a Makefile.PL and a Build.PL for your distribution, you probably want to add the following to WriteMakefile in your Makefile.PL so that MakeMaker doesn't try to run your Build.PL as a normal .PL file:

PL_FILES => {},

You may also be interested in looking at the Module::Build::Compat module, which can automatically create various kinds of Makefile.PL compatibility layers.

AUTHOR

Ken Williams <kwilliams@cpan.org>

Development questions, bug reports, and patches should be sent to the Module-Build mailing list at <module-build@perl.org>.

Bug reports are also welcome at <http://rt.cpan.org/NoAuth/Bugs.html?Dist=Module-Build>.

The latest development version is available from the Git repository at <https://github.com/Perl-Toolchain-Gang/Module-Build>

SEE ALSO

perl(1), Module::Build(3), Module::Build::API(3), Module::Build::Cookbook(3), ExtUtils::MakeMaker(3), YAML(3)

META.yml Specification: CPAN::META::Spec

http://www.dsmit.com/cons/

http://search.cpan.org/dist/PerlBuildSystem/