/ 
perl-5.10.1-RC1
/ CPANPLUS::Internals::Source
Security Advisories (23)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2011-0761 (2011-05-13)

Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

CPANPLUS::Internals::Source

SYNOPSIS

### lazy load author/module trees ###

$cb->_author_tree;
$cb->_module_tree;

DESCRIPTION

CPANPLUS::Internals::Source controls the updating of source files and the parsing of them into usable module/author trees to be used by CPANPLUS.

Functions exist to check if source files are still good to use as well as update them, and then parse them.

The flow looks like this:

$cb->_author_tree || $cb->_module_tree
    $cb->_check_trees
        $cb->__check_uptodate
            $cb->_update_source
        $cb->__update_custom_module_sources 
            $cb->__update_custom_module_source
    $cb->_build_trees
        ### engine methods
        {   $cb->_init_trees;
            $cb->_standard_trees_completed
            $cb->_custom_trees_completed
        }                
        $cb->__create_author_tree
            ### engine methods
            { $cb->_add_author_object }
        $cb->__create_module_tree
            $cb->__create_dslip_tree
            ### engine methods
            { $cb->_add_module_object }
        $cb->__create_custom_module_entries                    

$cb->_dslip_defs

METHODS

$cb->_build_trees( uptodate => BOOL, [use_stored => BOOL, path => $path, verbose => BOOL] )

This method rebuilds the author- and module-trees from source.

It takes the following arguments:

uptodate

Indicates whether any on disk caches are still ok to use.

path

The absolute path to the directory holding the source files.

verbose

A boolean flag indicating whether or not to be verbose.

use_stored

A boolean flag indicating whether or not it is ok to use previously stored trees. Defaults to true.

Returns a boolean indicating success.

$cb->_check_trees( [update_source => BOOL, path => PATH, verbose => BOOL] )

Retrieve source files and return a boolean indicating whether or not the source files are up to date.

Takes several arguments:

update_source

A flag to force re-fetching of the source files, even if they are still up to date.

path

The absolute path to the directory holding the source files.

verbose

A boolean flag indicating whether or not to be verbose.

Will get information from the config file by default.

$cb->__check_uptodate( file => $file, name => $name, [update_source => BOOL, verbose => BOOL] )

__check_uptodate checks if a given source file is still up-to-date and if not, or when update_source is true, will re-fetch the source file.

Takes the following arguments:

file

The source file to check.

name

The internal shortcut name for the source file (used for config lookups).

update_source

Flag to force updating of sourcefiles regardless.

verbose

Boolean to indicate whether to be verbose or not.

Returns a boolean value indicating whether the current files are up to date or not.

$cb->_update_source( name => $name, [path => $path, verbose => BOOL] )

This method does the actual fetching of source files.

It takes the following arguments:

name

The internal shortcut name for the source file (used for config lookups).

path

The full path where to write the files.

verbose

Boolean to indicate whether to be verbose or not.

Returns a boolean to indicate success.

$cb->__create_author_tree([path => $path, uptodate => BOOL, verbose => BOOL])

This method opens a source files and parses its contents into a searchable author-tree or restores a file-cached version of a previous parse, if the sources are uptodate and the file-cache exists.

It takes the following arguments:

uptodate

A flag indicating whether the file-cache is uptodate or not.

path

The absolute path to the directory holding the source files.

verbose

A boolean flag indicating whether or not to be verbose.

Will get information from the config file by default.

Returns a tree on success, false on failure.

$cb->_create_mod_tree([path => $path, uptodate => BOOL, verbose => BOOL])

This method opens a source files and parses its contents into a searchable module-tree or restores a file-cached version of a previous parse, if the sources are uptodate and the file-cache exists.

It takes the following arguments:

uptodate

A flag indicating whether the file-cache is up-to-date or not.

path

The absolute path to the directory holding the source files.

verbose

A boolean flag indicating whether or not to be verbose.

Will get information from the config file by default.

Returns a tree on success, false on failure.

$cb->__create_dslip_tree([path => $path, uptodate => BOOL, verbose => BOOL])

This method opens a source files and parses its contents into a searchable dslip-tree or restores a file-cached version of a previous parse, if the sources are uptodate and the file-cache exists.

It takes the following arguments:

uptodate

A flag indicating whether the file-cache is uptodate or not.

path

The absolute path to the directory holding the source files.

verbose

A boolean flag indicating whether or not to be verbose.

Will get information from the config file by default.

Returns a tree on success, false on failure.

$cb->_dslip_defs ()

This function returns the definition structure (ARRAYREF) of the dslip tree.

$file = $cb->_add_custom_module_source( uri => URI, [verbose => BOOL] );

Adds a custom source index and updates it based on the provided URI.

Returns the full path to the index file on success or false on failure.

$index = $cb->__custom_module_source_index_file( uri => $uri );

Returns the full path to the encoded index file for $uri, as used by all custom module source routines.

$file = $cb->_remove_custom_module_source( uri => URI, [verbose => BOOL] );

Removes a custom index file based on the URI provided.

Returns the full path to the index file on success or false on failure.

%files = $cb->__list_custom_module_sources

This method scans the 'custom-sources' directory in your base directory for additional sources to include in your module tree.

Returns a list of key value pairs as follows:

/full/path/to/source/file%3Fencoded => http://decoded/mirror/path

$bool = $cb->__update_custom_module_sources( [verbose => BOOL] );

Attempts to update all the index files to your custom module sources.

If the index is missing, and it's a file:// uri, it will generate a new local index for you.

Return true on success, false on failure.

$ok = $cb->__update_custom_module_source

Attempts to update all the index files to your custom module sources.

If the index is missing, and it's a file:// uri, it will generate a new local index for you.

Return true on success, false on failure.

$bool = $cb->__write_custom_module_index( path => /path/to/packages, [to => /path/to/index/file, verbose => BOOL] )

Scans the path you provided for packages and writes an index with all the available packages to $path/packages.txt. If you'd like the index to be written to a different file, provide the to argument.

Returns true on success and false on failure.

$bool = $cb->__create_custom_module_entries( [verbose => BOOL] )

Creates entries in the module tree based upon the files as returned by __list_custom_module_sources.

Returns true on success, false on failure.