Security Advisories (17)
CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
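
A check for the condition described in CVE-2016-1238, added here as an example for this page (it is not part of the advisory or of any Perl core script): it reports @INC entries that are relative paths, and therefore resolve against whatever the current working directory happens to be, and shows the one-line BEGIN idiom for dropping a trailing '.' before any further module is loaded. The names relative_inc_entries and hardened_inc, and the sample @INC list, are this example's own; File::Spec is a core module.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Drop a trailing '.' from @INC at compile time, i.e. before any later
# 'use' in this file is resolved. Perl 5.26 and later do not put '.'
# in @INC by default; on older perls, or when PERL_USE_UNSAFE_INC=1 is
# set in the environment, this line is what keeps a module planted in
# the current working directory from standing in for a missing one.
BEGIN { pop @INC if @INC && !ref($INC[-1]) && $INC[-1] eq '.' }

use File::Spec;

# Return the entries of the given @INC-style list that are relative
# paths ('.', 'lib', '../lib'). Code references and objects, which
# Perl also allows in @INC, are not directories and are skipped.
sub relative_inc_entries {
    my @inc = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Return a copy of the list with relative entries removed, together
# with the entries that were dropped.
sub hardened_inc {
    my @inc  = @_;
    my @drop = relative_inc_entries(@inc);
    my @keep = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @inc;
    return (\@keep, \@drop);
}

# Self-check on the running interpreter: report and remove relative
# entries. Assigning to @INC only affects modules loaded after this
# point, so run this before anything that does a 'require'.
my ($keep, $drop) = hardened_inc(@INC);
if (@$drop) {
    print "relative entries in \@INC: @$drop\n";
    @INC = @$keep;
    print "hardened \@INC: @INC\n";
}
else {
    print "\@INC has no relative entries.\n";
}

# Constructed sample (not taken from a real system): a pre-5.26 style
# @INC ending in '.', with a relative 'lib' entry added.
my @sample = ('/usr/local/lib/perl5', '/usr/lib/perl5', 'lib', '.');
my ($k, $d) = hardened_inc(@sample);
print "sample: dropped [@$d], kept [@$k]\n";
```

Run it from a directory an unprivileged user can write to (the advisory's scenario is an administrator running a tool from such a directory) to see whether the interpreter in use would consult that directory for modules; the BEGIN line is the cheap fix for scripts that must keep working on perls older than 5.26.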

NAME

Unicode::Collate::Locale - Linguistic tailoring for DUCET via Unicode::Collate

SYNOPSIS

use Unicode::Collate::Locale;

#construct
$Collator = Unicode::Collate::Locale->
    new(locale => $locale_name, %tailoring);

#sort
@sorted = $Collator->sort(@not_sorted);

#compare
$result = $Collator->cmp($a, $b); # returns 1, 0, or -1.

Note: Strings in @not_sorted, $a and $b are interpreted according to Perl's Unicode support. See perlunicode, perluniintro, perlunitut, perlunifaq, utf8. Otherwise you can use preprocess (cf. Unicode::Collate) or should decode them beforehand.

DESCRIPTION

This module provides linguistic tailoring of DUCET, taking advantage of Unicode::Collate.

Constructor

The new method returns a collator object.

The parameter list for the constructor is a hash, which can include the special key locale whose value (case-insensitive) is a Unicode base language code (two or three letters). For example, Unicode::Collate::Locale->new(locale => 'FR') returns a collator tailored for French.

$locale_name may be suffixed with a Unicode script code (four letters), a Unicode region code, and/or a Unicode language variant code. These codes are case-insensitive and are separated with '_' or '-'. E.g. en_US for English in the USA, az_Cyrl for Azerbaijani in the Cyrillic script, es_ES_traditional for Spanish in Spain (Traditional).

If $locale_name is not available, fallback is selected in the following order:

1. language with a variant code
2. language with a script code
3. language with a region code
4. language
5. default

Tailoring tags provided by Unicode::Collate are allowed as long as they are not used for locale support. In particular, the table tag is always untailorable, since it is reserved for DUCET.

However, entry is allowed even if it is used for locale support, so that mappings can be added or overridden.

E.g. a collator for French which ignores diacritics and case differences (i.e. level 1), with reversed case ordering and no normalization:

Unicode::Collate::Locale->new(
    level => 1,
    locale => 'fr',
    upper_before_lower => 1,
    normalization => undef
)

Overriding a behavior already tailored by locale is disallowed if such a tailoring is passed to new().

Unicode::Collate::Locale->new(
    locale => 'da',
    upper_before_lower => 0, # causes error as reserved by 'da'
)

However, change(), inherited from Unicode::Collate, does allow a tailoring that is reserved by the locale. Examples:

new(locale => 'ca')->change(backwards => undef)
new(locale => 'da')->change(upper_before_lower => 0)
new(locale => 'ja')->change(overrideCJK => undef)
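
The three rules above (free tailorings pass through new(), reserved ones are rejected by new() but accepted by change()), exercised in one script. This is an added example for this page, not code from the module or its author; it uses the 'fr' and 'da' tailorings exactly as the text describes them and needs nothing beyond core Perl with Unicode::Collate::Locale installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                                  # the literals below are Unicode
use open qw(:std :encoding(UTF-8));
use Unicode::Collate::Locale;

# 1. Allowed: 'fr' does not reserve level, so it can be passed to new().
#    At level 1 only base letters are compared, so a word with and
#    without its accents compares equal.
my $fr1 = Unicode::Collate::Locale->new(locale => 'fr', level => 1);
printf "fr, level 1: cmp('cote', 'côté') = %d\n", $fr1->cmp('cote', 'côté');

# 2. Disallowed: 'da' reserves upper_before_lower, so passing it to
#    new() raises an error. eval turns the die into a report.
my $ok = eval {
    Unicode::Collate::Locale->new(locale => 'da', upper_before_lower => 0);
    1;
};
if ($ok) {
    print "da: new() accepted the reserved tailoring\n";
}
else {
    chomp(my $err = $@);
    print "da: new() rejected it: $err\n";
}

# 3. The tailoring as shipped: Danish orders uppercase before lowercase
#    when letters differ only in case.
my $da = Unicode::Collate::Locale->new(locale => 'da');
print "da as shipped: ", join(' ', $da->sort(qw(b a B A))), "\n";

# 4. change() may override the reserved tailoring on an existing object;
#    it returns the previous values of the keys it changed.
my %old = $da->change(upper_before_lower => 0);
print "da after change(): ", join(' ', $da->sort(qw(b a B A))), "\n";
print "previous upper_before_lower: $old{upper_before_lower}\n";
```

Step 4 is the escape hatch the text describes: the locale's own tailoring stays in force for everything else, and only the key passed to change() is altered, so keep the call close to the point where the changed behaviour is actually wanted.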

Methods

Unicode::Collate::Locale is a subclass of Unicode::Collate and methods other than new are inherited from Unicode::Collate.

Here is a list of additional methods:

$Collator->getlocale

Returns the language code that was accepted and is actually used for collation. If linguistic tailoring is not provided for the language code you passed (intentionally for some languages, or due to the incomplete implementation), this method returns the string 'default', meaning no special tailoring.

$Collator->locale_version

(Since Unicode::Collate::Locale 0.87) Returns the version number (typically matching /\d\.\d\d/) of the locale, i.e. that of the corresponding Locale/*.pl.

Note: the Locale/*.pl file that a collator uses should be identified by the combination of the return values of getlocale and locale_version.
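
The fallback order from the Constructor section and the two methods above, combined into the identifier the note recommends. This is an added example for this page, not code from the module; the sub name tailoring_id and the list of requested locale names are this example's own, and the expectations in the comments follow the documented fallback order and the list of tailorable locales below.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Unicode::Collate::Locale;

# Build a collator for a requested locale name and return an identifier
# for the tailoring actually in use: "<getlocale>@<locale_version>", or
# just the locale name when no version is available (the 'default'
# tailoring has no Locale/*.pl file behind it).
sub tailoring_id {
    my ($requested) = @_;
    my $c   = Unicode::Collate::Locale->new(locale => $requested);
    my $loc = $c->getlocale;
    my $ver = $c->locale_version;
    return defined $ver ? "$loc\@$ver" : $loc;
}

# Requested names chosen to exercise the fallback steps:
#   de_DE_phonebook   -> language with variant code ('de__phonebook')
#   es-ES-traditional -> the same, with '-' as separator ('es__traditional')
#   fr_CA             -> the region is dropped, giving 'fr', unless this
#                        installation tailors fr_CA separately
#   en_US             -> English follows the default UCA rules: 'default'
#   xx                -> unknown language: 'default'
for my $name (qw(de_DE_phonebook es-ES-traditional fr_CA en_US xx)) {
    printf "%-18s uses %s\n", $name, tailoring_id($name);
}
```

Logging tailoring_id() alongside sorted output is what makes a sort order reproducible: two installations that report the same getlocale but different locale_version values are using different Locale/*.pl files and may order some strings differently.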

A list of tailorable locales

  locale name       description
--------------------------------------------------------------
  af                Afrikaans
  ar                Arabic
  as                Assamese
  az                Azerbaijani (Azeri)
  be                Belarusian
  bg                Bulgarian
  bn                Bengali
  bs                Bosnian
  bs_Cyrl           Bosnian in Cyrillic (tailored as Serbian)
  ca                Catalan
  cs                Czech
  cy                Welsh
  da                Danish
  de__phonebook     German (umlaut as 'ae', 'oe', 'ue')
  ee                Ewe
  eo                Esperanto
  es                Spanish
  es__traditional   Spanish ('ch' and 'll' as a grapheme)
  et                Estonian
  fa                Persian
  fi                Finnish (v and w are primary equal)
  fi__phonebook     Finnish (v and w as separate characters)
  fil               Filipino
  fo                Faroese
  fr                French
  gu                Gujarati
  ha                Hausa
  haw               Hawaiian
  hi                Hindi
  hr                Croatian
  hu                Hungarian
  hy                Armenian
  ig                Igbo
  is                Icelandic
  ja                Japanese [1]
  kk                Kazakh
  kl                Kalaallisut
  kn                Kannada
  ko                Korean [2]
  kok               Konkani
  ln                Lingala
  lt                Lithuanian
  lv                Latvian
  mk                Macedonian
  ml                Malayalam
  mr                Marathi
  mt                Maltese
  nb                Norwegian Bokmal
  nn                Norwegian Nynorsk
  nso               Northern Sotho
  om                Oromo
  or                Oriya
  pa                Punjabi
  pl                Polish
  ro                Romanian
  ru                Russian
  sa                Sanskrit
  se                Northern Sami
  si                Sinhala
  si__dictionary    Sinhala (U+0DA5 = U+0DA2,0DCA,0DA4)
  sk                Slovak
  sl                Slovenian
  sq                Albanian
  sr                Serbian
  sr_Latn           Serbian in Latin (tailored as Croatian)
  sv                Swedish (v and w are primary equal)
  sv__reformed      Swedish (v and w as separate characters)
  ta                Tamil
  te                Telugu
  th                Thai
  tn                Tswana
  to                Tonga
  tr                Turkish
  uk                Ukrainian
  ur                Urdu
  vi                Vietnamese
  wae               Walser
  wo                Wolof
  yo                Yoruba
  zh                Chinese
  zh__big5han       Chinese (ideographs: big5 order)
  zh__gb2312han     Chinese (ideographs: GB-2312 order)
  zh__pinyin        Chinese (ideographs: pinyin order) [3]
  zh__stroke        Chinese (ideographs: stroke order) [3]
  zh__zhuyin        Chinese (ideographs: zhuyin order) [3]
--------------------------------------------------------------

Locales according to the default UCA rules include chr (Cherokee), de (German), en (English), ga (Irish), id (Indonesian), it (Italian), ka (Georgian), ms (Malay), nl (Dutch), pt (Portuguese), st (Southern Sotho), sw (Swahili), xh (Xhosa), zu (Zulu).

Note

[1] ja: Ideographs are sorted in JIS X 0208 order. Fullwidth and halfwidth forms are identical to their regular forms. The difference between hiragana and katakana is at the 4th level; the comparison also requires (variable => 'Non-ignorable'), and then katakana_before_hiragana has no effect.

[2] ko: Plenty of ideographs are sorted by their reading. Such an ideograph is primary (level 1) equal to, and secondary (level 2) greater than, the corresponding hangul syllable.

[3] zh__pinyin, zh__stroke and zh__zhuyin: implemented alt='short', where a smaller number of ideographs are tailored.

Note: 'pinyin' is in latin, 'zhuyin' is in bopomofo.

INSTALL

Installation of Unicode::Collate::Locale requires Collate/Locale.pm, Collate/Locale/*.pm, Collate/CJK/*.pm and Collate/allkeys.txt. On building, Unicode::Collate::Locale doesn't require any of data/*.txt, gendata/*, and mklocale. Tests for Unicode::Collate::Locale are named t/loc_*.t.

CAVEAT

tailoring is not maximum

Even if a certain letter is tailored, its equivalents are not always tailored along with it. For example, even though W is tailored, fullwidth W (U+FF37), W with acute (U+1E82), etc. are not. The result may therefore depend on whether source strings are normalized or not, and whether they are decomposed or composed. Thus (normalization => undef) is less preferred.
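
The caveat made visible with the Finnish tailoring, where v and w are primary-equal: a canonically decomposable variant of W is only caught by the tailoring when the default NFD normalization is on, and a compatibility variant is caught by neither setting. This is an added example for this page, not code from the module; the probe strings and the sub name primary_cmp_both_ways are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Unicode::Collate::Locale;

# Compare two strings at the primary level under the Finnish tailoring,
# once with the default NFD normalization and once with
# normalization => undef. Returns the two cmp() results as a list.
sub primary_cmp_both_ways {
    my ($x, $y) = @_;
    my $nfd = Unicode::Collate::Locale->new(locale => 'fi', level => 1);
    my $raw = Unicode::Collate::Locale->new(locale => 'fi', level => 1,
                                            normalization => undef);
    return ($nfd->cmp($x, $y), $raw->cmp($x, $y));
}

# Constructed probes: the tailored letter itself; a canonically
# decomposable variant (W WITH ACUTE, U+1E82 = W + U+0301), which NFD
# turns back into the tailored W plus a secondary-level accent; and a
# compatibility variant (FULLWIDTH W, U+FF37), which NFD leaves alone,
# so it keeps its untailored DUCET weights under both settings.
my %probe = (
    'W'            => 'W',
    'W WITH ACUTE' => "\x{1E82}",
    'FULLWIDTH W'  => "\x{FF37}",
);

for my $label (sort keys %probe) {
    my ($with_nfd, $without) = primary_cmp_both_ways('v', $probe{$label});
    printf "v vs %-13s  NFD: %2d   no normalization: %2d\n",
           $label, $with_nfd, $without;
}
```

A result of 0 means the tailoring treated the probe as a W; anything else means the string was matched against DUCET's own entry for that code point. Where input may arrive composed, turning normalization off trades the cost of NFD for exactly these inconsistencies, which is why the text calls (normalization => undef) less preferred.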

AUTHOR

The Unicode::Collate::Locale module for perl was written by SADAHIRO Tomoyuki, <SADAHIRO@cpan.org>. This module is Copyright(C) 2004-2012, SADAHIRO Tomoyuki. Japan. All rights reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Unicode Collation Algorithm - UTS #10

http://www.unicode.org/reports/tr10/

The Default Unicode Collation Element Table (DUCET)

http://www.unicode.org/Public/UCA/latest/allkeys.txt

Unicode Locale Data Markup Language (LDML) - UTS #35

http://www.unicode.org/reports/tr35/

CLDR - Unicode Common Locale Data Repository

http://cldr.unicode.org/

Unicode::Collate
Unicode::Normalize