Security Advisories (5)

CVE-2023-47038 (2023-10-30)

A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one attacker controlled byte buffer overflow in a heap allocated buffer

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

NAME

Test2::EventFacet::Trace - Debug information for events

DESCRIPTION

The Test2::API::Context object, as well as all Test2::Event types need to have access to information about where they were created. This object represents that information.

SYNOPSIS

use Test2::EventFacet::Trace;

my $trace = Test2::EventFacet::Trace->new(
    frame => [$package, $file, $line, $subname],
);

$string = $trace->{details}

$string = $trace->details()

Used as a custom trace message that will be used INSTEAD of at <FILE> line <LINE> when calling $trace->debug.

$frame = $trace->{frame}

$frame = $trace->frame()

Get the call frame arrayref.

[$package, $file, $line, $subname]

$int = $trace->{pid}

$int = $trace->pid()

The process ID in which the event was generated.

$int = $trace->{tid}

$int = $trace->tid()

The thread ID in which the event was generated.

$id = $trace->{cid}

$id = $trace->cid()

The ID of the context that was used to create the event.

$uuid = $trace->{uuid}

$uuid = $trace->uuid()

The UUID of the context that was used to create the event. (If uuid tagging was enabled)

($pkg, $file, $line, $subname) = $trace->call

Get the basic call info as a list.

@caller = $trace->full_call

Get the full caller(N) results.

$warning_bits = $trace->warning_bits

Get index 9 from the full caller info. This is the warnings_bits field.

The value of this is not portable across perl versions or even processes. However it can be used in the process that generated it to reproduce the warnings settings in a new scope.

eval <<EOT;
BEGIN { ${^WARNING_BITS} = $trace->warning_bits };
... context's warning settings apply here ...
EOT

These fields were not always set properly by tools. These are MOSTLY deprecated by the Test2::EventFacet::Hub facets. These fields are not required, and may only reflect the hub that was current when the event was created, which is not necessarily the same as the hub the event was sent through.

Some tools did do a good job setting these to the correct hub, but you cannot always rely on that. Use the 'hubs' facet list instead.

$hid = $trace->{hid}
$hid = $trace->hid(): The ID of the hub that was current when the event was created.
$huuid = $trace->{huuid}
$huuid = $trace->huuid(): The UUID of the hub that was current when the event was created. (If uuid tagging was enabled).
$int = $trace->{nested}
$int = $trace->nested(): How deeply nested the event is.
$bool = $trace->{buffered}
$bool = $trace->buffered(): True if the event was buffered and not sent to the formatter independent of a parent (This should never be set when nested is 0 or undef).

METHODS

Note: All facet frames are also methods.

$trace->set_detail($msg)

$msg = $trace->detail

Used to get/set a custom trace message that will be used INSTEAD of at <FILE> line <LINE> when calling $trace->debug.

detail() is an alias to the details facet field for backwards compatibility.

$str = $trace->debug

Typically returns the string at <FILE> line <LINE>. If detail is set then its value will be returned instead.

$trace->alert($MESSAGE)

This issues a warning at the frame (filename and line number where errors should be reported).

$trace->throw($MESSAGE)

This throws an exception at the frame (filename and line number where errors should be reported).

($package, $file, $line, $subname) = $trace->call()

Get the caller details for the debug-info. This is where errors should be reported.

$pkg = $trace->package

Get the debug-info package.

$file = $trace->file

Get the debug-info filename.

$line = $trace->line

Get the debug-info line number.

$subname = $trace->subname

Get the debug-info subroutine name.

$sig = trace->signature

Get a signature string that identifies this trace. This is used to check if multiple events are related. The signature includes pid, tid, file, line number, and the cid.

SOURCE

The source code repository for Test2 can be found at http://github.com/Test-More/test-more/.

MAINTAINERS

Chad Granum <exodist@cpan.org>

AUTHORS

Chad Granum <exodist@cpan.org>

COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See http://dev.perl.org/licenses/

To install less, copy and paste the appropriate command in to your terminal.

cpanm

cpanm less

CPAN shell

perl -MCPAN -e shell
install less

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

DESCRIPTION

SYNOPSIS

FACET FIELDS

DISCOURAGED HUB RELATED FIELDS

METHODS

SOURCE

MAINTAINERS

AUTHORS

COPYRIGHT

Module Install Instructions

Keyboard Shortcuts