Security Advisories (19)

CVE-2016-6185 (2016-08-02)

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6798 (2018-04-17)

An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

CVE-2018-6797 (2018-04-17)

An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2017-12883 (2017-09-19)

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.

CVE-2017-12837 (2017-09-19)

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

NAME

ExtUtils::CBuilder - Compile and link C code for Perl modules

SYNOPSIS

use ExtUtils::CBuilder;

my $b = ExtUtils::CBuilder->new(%options);
$obj_file = $b->compile(source => 'MyModule.c');
$lib_file = $b->link(objects => $obj_file);

DESCRIPTION

This module can build the C portions of Perl modules by invoking the appropriate compilers and linkers in a cross-platform manner. It was motivated by the Module::Build project, but may be useful for other purposes as well. However, it is not intended as a general cross-platform interface to all your C building needs. That would have been a much more ambitious goal!

METHODS

new

Returns a new ExtUtils::CBuilder object. A config parameter lets you override Config.pm settings for all operations performed by the object, as in the following example:

# Use a different compiler than Config.pm says
my $b = ExtUtils::CBuilder->new( config =>
                                 { ld => 'gcc' } );

A quiet parameter tells CBuilder to not print its system() commands before executing them:

# Be quieter than normal
my $b = ExtUtils::CBuilder->new( quiet => 1 );

have_compiler

Returns true if the current system has a working C compiler and linker, false otherwise. To determine this, we actually compile and link a sample C library. The sample will be compiled in the system tempdir or, if that fails for some reason, in the current directory.

have_cplusplus

Just like have_compiler but for C++ instead of C.

compile

Compiles a C source file and produces an object file. The name of the object file is returned. The source file is specified in a source parameter, which is required; the other parameters listed below are optional.

object_file: Specifies the name of the output file to create. Otherwise the object_file() method will be consulted, passing it the name of the source file.
include_dirs: Specifies any additional directories in which to search for header files. May be given as a string indicating a single directory, or as a list reference indicating multiple directories.
extra_compiler_flags: Specifies any additional arguments to pass to the compiler. Should be given as a list reference containing the arguments individually, or if this is not possible, as a string containing all the arguments together.
C++: Specifies that the source file is a C++ source file and sets appropriate compiler flags

The operation of this method is also affected by the archlibexp, cccdlflags, ccflags, optimize, and cc entries in Config.pm.

link

Invokes the linker to produce a library file from object files. In scalar context, the name of the library file is returned. In list context, the library file and any temporary files created are returned. A required objects parameter contains the name of the object files to process, either in a string (for one object file) or list reference (for one or more files). The following parameters are optional:

lib_file: Specifies the name of the output library file to create. Otherwise the lib_file() method will be consulted, passing it the name of the first entry in objects.
module_name: Specifies the name of the Perl module that will be created by linking. On platforms that need to do prelinking (Win32, OS/2, etc.) this is a required parameter.
extra_linker_flags: Any additional flags you wish to pass to the linker.

On platforms where need_prelink() returns true, prelink() will be called automatically.

The operation of this method is also affected by the lddlflags, shrpenv, and ld entries in Config.pm.

link_executable

Invokes the linker to produce an executable file from object files. In scalar context, the name of the executable file is returned. In list context, the executable file and any temporary files created are returned. A required objects parameter contains the name of the object files to process, either in a string (for one object file) or list reference (for one or more files). The optional parameters are the same as link with exception for

exe_file: Specifies the name of the output executable file to create. Otherwise the exe_file() method will be consulted, passing it the name of the first entry in objects.

object_file

my $object_file = $b->object_file($source_file);

Converts the name of a C source file to the most natural name of an output object file to create from it. For instance, on Unix the source file foo.c would result in the object file foo.o.

lib_file

my $lib_file = $b->lib_file($object_file);

Converts the name of an object file to the most natural name of a output library file to create from it. For instance, on Mac OS X the object file foo.o would result in the library file foo.bundle.

exe_file

my $exe_file = $b->exe_file($object_file);

Converts the name of an object file to the most natural name of an executable file to create from it. For instance, on Mac OS X the object file foo.o would result in the executable file foo, and on Windows it would result in foo.exe.

prelink

On certain platforms like Win32, OS/2, VMS, and AIX, it is necessary to perform some actions before invoking the linker. The ExtUtils::Mksymlists module does this, writing files used by the linker during the creation of shared libraries for dynamic extensions. The names of any files written will be returned as a list.

Several parameters correspond to ExtUtils::Mksymlists::Mksymlists() options, as follows:

 Mksymlists()   prelink()          type
-------------|-------------------|-------------------
 NAME        |  dl_name          | string (required)
 DLBASE      |  dl_base          | string
 FILE        |  dl_file          | string
 DL_VARS     |  dl_vars          | array reference
 DL_FUNCS    |  dl_funcs         | hash reference
 FUNCLIST    |  dl_func_list     | array reference
 IMPORTS     |  dl_imports       | hash reference
 VERSION     |  dl_version       | string

Please see the documentation for ExtUtils::Mksymlists for the details of what these parameters do.

need_prelink

Returns true on platforms where prelink() should be called during linking, and false otherwise.

extra_link_args_after_prelink

Returns list of extra arguments to give to the link command; the arguments are the same as for prelink(), with addition of array reference to the results of prelink(); this reference is indexed by key prelink_res.

TO DO

Currently this has only been tested on Unix and doesn't contain any of the Windows-specific code from the Module::Build project. I'll do that next.

HISTORY

This module is an outgrowth of the Module::Build project, to which there have been many contributors. Notably, Randy W. Sims submitted lots of code to support 3 compilers on Windows and helped with various other platform-specific issues. Ilya Zakharevich has contributed fixes for OS/2; John E. Malmberg and Peter Prymmer have done likewise for VMS.

SUPPORT

ExtUtils::CBuilder is maintained as part of the Perl 5 core. Please submit any bug reports via the perlbug tool included with Perl 5. Bug reports will be included in the Perl 5 ticket system at http://rt.perl.org.

The Perl 5 source code is available at <http://perl5.git.perl.org/perl.git> and ExtUtils-CBuilder may be found in the dist/ExtUtils-CBuilder directory of the repository.

AUTHOR

Ken Williams, kwilliams@cpan.org

Additional contributions by The Perl 5 Porters.

COPYRIGHT

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)