Security Advisories (4)
CVE-2026-57432 (2026-07-13)

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds. A template derived from untrusted input can read heap memory past the buffer and return it to the caller.

CVE-2026-8376 (2026-05-25)

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

CVE-2026-13221 (2026-07-13)

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

CVE-2026-4176 (2026-03-29)

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

NAME

Porting::updateAUTHORS - Library to automatically update AUTHORS and .mailmap based on commit data.

SYNOPSIS

use Porting::updateAUTHORS;

my $updater= Porting::updateAUTHORS->new(
    authors_file => "AUTHORS",
    mailmap_file => ".mailmap",
    exclude_file => "Porting/exclude_contrib.txt",
);
$updater->read_and_update();

DESCRIPTION

This the brain of the Porting/updateAUTHORS.pl script. It is expected to be used from that script and by that script. Most features and options are documented in the Porting/updateAUTHORS.pl and are not explicitly documented here, read the Porting/updateAUTHORS.pl manpage for more details.

METHODS

Porting::updateAUTHORS uses OO as way of managing its internal state. This documents the public methods it exposes.

add_new_mailmap_entries()

If any additions were identified while reading the commits this will inject them into the mailmap_hash so they can be written out. Returns a count of additions found.

check_fix_mailmap_hash()

Analyzes the data contained the in the .mailmap file and applies any automated fixes which are required and which it can automatically perform. Returns a hash of adjusted entries and a hash with additional metadata about the mailmap entries.

new(%opts)

Create a new object. Required parameters are

authors_file
mailmap_file
exclude_file

Other supported parameters are as follows:

verbose
commit_range

this list is not exhaustive. See the code implementing the main() function in Porting/updateAUTHORS.pl for an exhaustive list.

parse_orig_mailmap_hash()

Takes a mailmap_hash and parses it and returns it as an array of array records with the contents:

[ $preferred_name, $preferred_email,
  $other_name, $other_email,
  $line_num ]
read_and_update()

Wraps the other functions in this library and implements the logic and intent of this tool. Takes two arguments, the authors file name, and the mailmap file name. Returns nothing but may modify the AUTHORS file or the .mailmap file. Requires that both files are editable.

read_commit_log()

Read the commit log specified by the property "commit_range" and find any new names it contains.

Normally used via read_and_update and not called directly.

read_authors_file()

Read the AUTHORS file into the object, and return data about it.

Normally used via read_and_update and not called directly.

read_mailmap_file()

Read the .mailmap file into the object and return data about it.

Normally used via read_and_update and not called directly.

read_exclusion_file()

Read the exclusion file into the object and return data about it.

Normally used via read_and_update and not called directly.

update_authors_file()

Write out an updated AUTHORS file atomically if it has changed, returns 0 if the file was actually updated, 1 if it was not.

Normally used via read_and_update and not called directly.

update_mailmap_file()

Write out an updated .mailmap file atomically if it has changed, returns 0 if the file was actually updated, 1 if it was not.

Normally used via read_and_update and not called directly.

update_exclusion_file()

Write out an updated exclusion file atomically if it has changed, returns 0 if the file was actually update, 1 if it was not.

Normally used via read_and_update and not called directly.

TODO

More documentation and testing.

SEE ALSO

Porting/checkAUTHORS.pl

AUTHOR

Yves Orton <demerphq@gmail.com>