Security Advisories (1)

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

NAME

test-dist-modules.pl - test modules in dist/ against the perl invoked with

SYNOPSIS

# from a checked out clean perl source tree
# test all dist/ modules, abort on first failure
path/to/perl test-dist-modules.pl

# test all dist/ modules, continue on failure
path/to/perl test-dist-modules.pl -c

# test all dist/ modules, and install into path/to/perl's site_perl
path/to/perl test-dist-modules.pl -i

DESCRIPTION

Porting/test-dist-modules.pl is used by the Github workflow to test modules from dist/ against the perl it is invoked with, within a git clone of a development perl. This clone must be a clean clone, ie. as with git clean -dxf .

That perl should have any prerequisites needed by those modules installed, at this point this includes sufficiently recent versions of:

ExtUtils::MakeMaker
Perl::OSType
Scalar::Util
Socket
version

test-dist-modules.pl will always test Devel::PPPort first and then use that when testing the other modules, even if invoked with a distribution list.

INVOKING test-dist-modules.pl

By default test-dist-modules.pl will test each directory in dist/, but you can test specific distributions by supplying them on the command-line:

path/to/perl test-dist-modules.pl threads

which will test Devel-PPPort and threads.

Options:

-i
-install

Install the modules to the invoking perl's site_perl. This may require privileges such as running as root.
-c
-continue

Continue testing modules even if one fails.
-s
-separate

Install to a temp tree instead of to the invoking perl's site_perl. This is now the default.
-h
-help

Produce a help message.

To install less, copy and paste the appropriate command in to your terminal.

cpanm

cpanm less

CPAN shell

perl -MCPAN -e shell
install less

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

INVOKING test-dist-modules.pl

Module Install Instructions

Keyboard Shortcuts