Security Advisories (23)
CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2017-12837 (2017-09-19)

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2026-57432 (2026-07-13)

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds. A template derived from untrusted input can read heap memory past the buffer and return it to the caller.

CVE-2026-8376 (2026-05-25)

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2017-12883 (2017-09-19)

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2026-13221 (2026-07-13)

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

CVE-2026-4176 (2026-03-29)

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

CVE-2016-6185 (2016-08-02)

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6798 (2018-04-17)

An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

CVE-2018-6797 (2018-04-17)

An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

NAME

Test::Builder::Tester - test testsuites that have been built with Test::Builder

SYNOPSIS

use Test::Builder::Tester tests => 1;
use Test::More;

test_out("not ok 1 - foo");
test_fail(+1);
fail("foo");
test_test("fail works");

DESCRIPTION

A module that helps you test testing modules that are built with Test::Builder.

The testing system is designed to be used by performing a three step process for each test you wish to test. This process starts with using test_out and test_err in advance to declare what the testsuite you are testing will output with Test::Builder to stdout and stderr.

You then can run the test(s) from your test suite that call Test::Builder. At this point the output of Test::Builder is safely captured by Test::Builder::Tester rather than being interpreted as real test output.

The final stage is to call test_test that will simply compare what you predeclared to what Test::Builder actually outputted, and report the results back with a "ok" or "not ok" (with debugging) to the normal output.

Functions

These are the six methods that are exported as default.

test_out
test_err

Procedures for predeclaring the output that your test suite is expected to produce until test_test is called. These procedures automatically assume that each line terminates with "\n". So

test_out("ok 1","ok 2");

is the same as

test_out("ok 1\nok 2");

which is even the same as

test_out("ok 1");
test_out("ok 2");

Once test_out or test_err (or test_fail or test_diag) have been called, all further output from Test::Builder will be captured by Test::Builder::Tester. This means that you will not be able perform further tests to the normal output in the normal way until you call test_test (well, unless you manually meddle with the output filehandles)

test_fail

Because the standard failure message that Test::Builder produces whenever a test fails will be a common occurrence in your test error output, and because it has changed between Test::Builder versions, rather than forcing you to call test_err with the string all the time like so

test_err("# Failed test ($0 at line ".line_num(+1).")");

test_fail exists as a convenience function that can be called instead. It takes one argument, the offset from the current line that the line that causes the fail is on.

test_fail(+1);

This means that the example in the synopsis could be rewritten more simply as:

test_out("not ok 1 - foo");
test_fail(+1);
fail("foo");
test_test("fail works");
test_diag

As most of the remaining expected output to the error stream will be created by Test::Builder's diag function, Test::Builder::Tester provides a convenience function test_diag that you can use instead of test_err.

The test_diag function prepends comment hashes and spacing to the start and newlines to the end of the expected output passed to it and adds it to the list of expected error output. So, instead of writing

test_err("# Couldn't open file");

you can write

test_diag("Couldn't open file");

Remember that Test::Builder's diag function will not add newlines to the end of output and test_diag will. So to check

Test::Builder->new->diag("foo\n","bar\n");

You would do

test_diag("foo","bar")

without the newlines.

test_test

Actually performs the output check testing the tests, comparing the data (with eq) that we have captured from Test::Builder against what was declared with test_out and test_err.

This takes name/value pairs that effect how the test is run.

title (synonym 'name', 'label')

The name of the test that will be displayed after the ok or not ok.

skip_out

Setting this to a true value will cause the test to ignore if the output sent by the test to the output stream does not match that declared with test_out.

skip_err

Setting this to a true value will cause the test to ignore if the output sent by the test to the error stream does not match that declared with test_err.

As a convenience, if only one argument is passed then this argument is assumed to be the name of the test (as in the above examples.)

Once test_test has been run test output will be redirected back to the original filehandles that Test::Builder was connected to (probably STDOUT and STDERR,) meaning any further tests you run will function normally and cause success/errors for Test::Harness.

line_num

A utility function that returns the line number that the function was called on. You can pass it an offset which will be added to the result. This is very useful for working out the correct text of diagnostic functions that contain line numbers.

Essentially this is the same as the __LINE__ macro, but the line_num(+3) idiom is arguably nicer.

In addition to the six exported functions there exists one function that can only be accessed with a fully qualified function call.

color

When test_test is called and the output that your tests generate does not match that which you declared, test_test will print out debug information showing the two conflicting versions. As this output itself is debug information it can be confusing which part of the output is from test_test and which was the original output from your original tests. Also, it may be hard to spot things like extraneous whitespace at the end of lines that may cause your test to fail even though the output looks similar.

To assist you test_test can colour the background of the debug information to disambiguate the different types of output. The debug output will have its background coloured green and red. The green part represents the text which is the same between the executed and actual output, the red shows which part differs.

The color function determines if colouring should occur or not. Passing it a true or false value will enable or disable colouring respectively, and the function called with no argument will return the current setting.

To enable colouring from the command line, you can use the Text::Builder::Tester::Color module like so:

perl -Mlib=Text::Builder::Tester::Color test.t

Or by including the Test::Builder::Tester::Color module directly in the PERL5LIB.

BUGS

Calls Test::Builder->no_ending turning off the ending tests. This is needed as otherwise it will trip out because we've run more tests than we strictly should have and it'll register any failures we had that we were testing for as real failures.

The color function doesn't work unless Term::ANSIColor is compatible with your terminal.

Bugs (and requests for new features) can be reported to the author though the CPAN RT system: http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Test-Builder-Tester

AUTHOR

Copyright Mark Fowler <mark@twoshortplanks.com> 2002, 2004.

Some code taken from Test::More and Test::Catch, written by Michael G Schwern <schwern@pobox.com>. Hence, those parts Copyright Micheal G Schwern 2001. Used and distributed with permission.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

MAINTAINERS

Chad Granum <exodist@cpan.org>

NOTES

Thanks to Richard Clamp <richardc@unixbeard.net> for letting me use his testing system to try this module out on.

SEE ALSO

Test::Builder, Test::Builder::Tester::Color, Test::More.