/ 
perl-5.12.5
River stage five • 12505 direct dependents • 35156 total dependents
⭐ Starred 2013 GitHub stars
/ ExtUtils::XSSymSet
Security Advisories (21)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

ExtUtils::XSSymSet - keep sets of symbol names palatable to the VMS linker

SYNOPSIS

use ExtUtils::XSSymSet;

$set = new ExtUtils::XSSymSet;
while ($sym = make_symbol()) { $set->addsym($sym); }
foreach $safesym ($set->all_trimmed) {
  print "Processing $safesym (derived from ",$self->get_orig($safesym),")\n";
  do_stuff($safesym);
}

$safesym = ExtUtils::XSSymSet->trimsym($onesym);

DESCRIPTION

Since the VMS linker distinguishes symbols based only on the first 31 characters of their names, it is occasionally necessary to shorten symbol names in order to avoid collisions. (This is especially true of names generated by xsubpp, since prefixes generated by nested package names can become quite long.) ExtUtils::XSSymSet provides functions to shorten names in a consistent fashion, and to track a set of names to insure that each is unique. While designed with xsubpp in mind, it may be used with any set of strings.

This package supplies the following functions, all of which should be called as methods.

new([$maxlen[,$silent]])

Creates an empty ExtUtils::XSSymset set of symbols. This function may be called as a static method or via an existing object. If $maxlen or $silent are specified, they are used as the defaults for maximum name length and warning behavior in future calls to addsym() or trimsym() via this object.

addsym($name[,$maxlen[,$silent]])

Creates a symbol name from $name, using the methods described under trimsym(), which is unique in this set of symbols, and returns the new name. $name and its resultant are added to the set, and any future calls to addsym() specifying the same $name will return the same result, regardless of the value of $maxlen specified. Unless $silent is true, warnings are output if $name had to be trimmed or changed in order to avoid collision with an existing symbol name. $maxlen and $silent default to the values specified when this set of symbols was created. This method must be called via an existing object.

trimsym($name[,$maxlen[,$silent]])

Creates a symbol name $maxlen or fewer characters long from $name and returns it. If $name is too long, it first tries to shorten it by removing duplicate characters, then by periodically removing non-underscore characters, and finally, if necessary, by periodically removing characters of any type. $maxlen defaults to 31. Unless $silent is true, a warning is output if $name is altered in any way. This function may be called either as a static method or via an existing object, but in the latter case no check is made to insure that the resulting name is unique in the set of symbols.

delsym($name)

Removes $name from the set of symbols, where $name is the original symbol name passed previously to addsym(). If $name existed in the set of symbols, returns its "trimmed" equivalent, otherwise returns undef. This method must be called via an existing object.

get_orig($trimmed)

Returns the original name which was trimmed to $trimmed by a previous call to addsym(), or undef if $trimmed does not correspond to a member of this set of symbols. This method must be called via an existing object.

get_trimmed($name)

Returns the trimmed name which was generated from $name by a previous call to addsym(), or undef if $name is not a member of this set of symbols. This method must be called via an existing object.

all_orig()

Returns a list containing all of the original symbol names from this set.

all_trimmed()

Returns a list containing all of the trimmed symbol names from this set.

AUTHOR

Charles Bailey <bailey@newman.upenn.edu>

REVISION

Last revised 14-Feb-1997, for Perl 5.004.