Security Advisories (18)

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

DistGen - Creates simple distributions for testing.

SYNOPSIS

use DistGen;

# create distribution and prepare to test
my $dist = DistGen->new(name => 'Foo::Bar');
$dist->chdir_in;

# change distribution files
$dist->add_file('t/some_test.t', $contents);
$dist->change_file('MANIFEST.SKIP', $new_contents);
$dist->remove_file('t/some_test.t');
$dist->regen;

# undo changes and clean up extraneous files
$dist->revert;
$dist->clean;

# exercise the command-line interface
$dist->run_build_pl();
$dist->run_build('test');

# start over as a new distribution
$dist->reset( name => 'Foo::Bar', xs => 1 );
$dist->chdir_in;

USAGE

A DistGen object manages a set of files in a distribution directory.

The new() constructor initializes the object and creates an empty directory for the distribution. It does not create files or chdir into the directory. The reset() method re-initializes the object in a new directory with new parameters. It also does not create files or change the current directory.

Some methods only define the target state of the distribution. They do not make any changes to the filesystem:

add_file
change_file
change_build_pl
remove_file
revert

Other methods then change the filesystem to match the target state of the distribution:

clean
regen
remove

Other methods are provided for a convenience during testing. The most important is the one to enter the distribution directory:

chdir_in

Additional methods portably encapsulate running Build.PL and Build:

run_build_pl
run_build

API

Constructors

new()

Create a new object and an empty directory to hold the distribution's files. If no dir option is provided, it defaults to MBTest->tmpdir, which sets a different temp directory for Perl core testing and CPAN testing.

The new method does not write any files -- see "regen()" below.

my $dist = DistGen->new(
  name        => 'Foo::Bar',
  version     => '0.01',
  license     => 'perl',
  dir         => MBTest->tmpdir,
  xs          => 1,
  no_manifest => 0,
);

The parameters are as follows.

name

The name of the module this distribution represents. The default is 'Simple'. This should be a "Foo::Bar" (module) name, not a "Foo-Bar" dist name.

version

The version string that will be set. (E.g. our $VERSION = 0.01) Note -- to put this value in quotes, add those to the string.

version => q{'0.01_01'}

license

The license string that will be set in Build.PL. Defaults to 'perl'.

dir

The (parent) directory in which to create the distribution directory. The distribution will be created under this according to distdir parameter below. Defaults to a temporary directory.

$dist = DistGen->new( dir => '/tmp/MB-test' );
$dist->regen;

# distribution files have been created in /tmp/MB-test/Simple

distdir

The name of the distribution directory to create. Defaults to the dist form of name, e.g. 'Foo-Bar' if name is 'Foo::Bar'.

xs

If true, generates an XS based module.

no_manifest

If true, regen() will not create a MANIFEST file.

The following files are added as part of the default distribution:

Build.PL
lib/Simple.pm # based on name parameter
t/basic.t

If an XS module is generated, Simple.pm and basic.t are different and the following files are also added:

typemap
lib/Simple.xs # based on name parameter

reset()

The reset method re-initializes the object as if it were generated from a fresh call to new. It takes the same optional parameters as new.

$dist->reset( name => 'Foo::Bar', xs => 0 );

Adding and editing files

Note that $filename should always be specified with unix-style paths, and are relative to the distribution root directory, e.g. lib/Module.pm.

No changes are made to the filesystem until the distribution is regenerated.

add_file()

Add a $filename containing $content to the distribution.

$dist->add_file( $filename, $content );

change_file()

Changes the contents of $filename to $content. No action is performed until the distribution is regenerated.

$dist->change_file( $filename, $content );

change_build_pl()

A wrapper around change_file specifically for setting Build.PL. Instead of file $content, it takes a hash-ref of Module::Build constructor arguments:

$dist->change_build_pl(
  {
    module_name         => $dist->name,
    dist_version        => '3.14159265',
    license             => 'perl',
    create_readme       => 1,
  }
);

get_file

Retrieves the target contents of $filename.

$content = $dist->get_file( $filename );

remove_file()

Removes $filename from the distribution.

$dist->remove_file( $filename );

revert()

Returns the object to its initial state, or given a $filename it returns that file to its initial state if it is one of the built-in files.

$dist->revert;
$dist->revert($filename);

Changing the distribution directory

These methods immediately affect the filesystem.

regen()

Regenerate all missing or changed files. Also deletes any files flagged for removal with remove_file().

$dist->regen(clean => 1);

If the optional clean argument is given, it also calls clean. These can also be chained like this, instead:

$dist->clean->regen;

clean()

Removes any files that are not part of the distribution.

$dist->clean;

remove()

Changes back to the original directory and removes the distribution directory (but not the temporary directory set during new()).

$dist = DistGen->new->chdir->regen;
# ... do some testing ...

$dist->remove->chdir_in->regen;
# ... do more testing ...

This is like a more aggressive form of clean. Generally, calling clean and regen should be sufficient.

Changing directories

chdir_in

Change directory into the dist root.

$dist->chdir_in;

chdir_original

Returns to whatever directory you were in before chdir_in() (regardless of the cwd.)

$dist->chdir_original;

Command-line helpers

These use Module::Build->run_perl_script() to ensure that Build.PL or Build are run in a separate process using the current perl interpreter. (Module::Build is loaded on demand). They also ensure appropriate naming for operating systems that require a suffix for Build.

run_build_pl

Runs Build.PL using the current perl interpreter. Any arguments are passed on the command line.

$dist->run_build_pl('--quiet');

run_build

Runs Build using the current perl interpreter. Any arguments are passed on the command line.

$dist->run_build(qw/test --verbose/);

Properties

name()

Returns the name of the distribution.

$dist->name: # e.g. Foo::Bar

dirname()

Returns the directory where the distribution is created.

$dist->dirname; # e.g. t/_tmp/Simple

Functions

undent()

Removes leading whitespace from a multi-line string according to the amount of whitespace on the first line.

my $string = undent("  foo(\n    bar => 'baz'\n  )");
$string eq "foo(
  bar => 'baz'
)";

To install utf8, copy and paste the appropriate command in to your terminal.

cpanm

cpanm utf8

CPAN shell

perl -MCPAN -e shell
install utf8

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)