Security Advisories (2)
CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.

NAME

Porting::updateAUTHORS - Library to automatically update AUTHORS and .mailmap based on commit data.

SYNOPSIS

use Porting::updateAUTHORS;

my $updater= Porting::updateAUTHORS->new(
    authors_file => "AUTHORS",
    mailmap_file => ".mailmap",
    exclude_file => "Porting/exclude_contrib.txt",
);
$updater->read_and_update();

DESCRIPTION

This is the brain of the Porting/updateAUTHORS.pl script. It is expected to be used from that script and by that script. Most features and options are documented in Porting/updateAUTHORS.pl and are not explicitly documented here; read the Porting/updateAUTHORS.pl manpage for more details.

METHODS

Porting::updateAUTHORS uses OO as a way of managing its internal state. This documents the public methods it exposes.

add_new_mailmap_entries()

If any additions were identified while reading the commits this will inject them into the mailmap_hash so they can be written out. Returns a count of additions found.

check_fix_mailmap_hash()

Analyzes the data contained in the .mailmap file and applies any automated fixes which are required and which it can automatically perform. Returns a hash of adjusted entries and a hash with additional metadata about the mailmap entries.

new(%opts)

Create a new object. Required parameters are

authors_file
mailmap_file
exclude_file

Other supported parameters are as follows:

verbose
commit_range

This list is not exhaustive. See the code implementing the main() function in Porting/updateAUTHORS.pl for an exhaustive list.

parse_orig_mailmap_hash()

Takes a mailmap_hash and parses it and returns it as an array of array records with the contents:

[ $preferred_name, $preferred_email,
  $other_name, $other_email,
  $line_num ]
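
The record layout above, illustrated with an added example that is not the module's own code: a hypothetical `parse_mailmap_lines` helper that turns raw .mailmap lines into records of that shape and reports malformed lines by number. It assumes raw text lines as input (the internal structure of mailmap_hash is not documented here) and leaves the other_* fields undefined for single-address entries.

```perl
use strict;
use warnings;

# Constructed sample .mailmap text (names and addresses are made up).
my @lines = split /^/, <<'EOT';
# preferred identity first, identity seen in commits second
Alice Example <alice@example.org> Al <al@old.example.org>
Bob Example <bob@example.org> <bob@laptop.example.org>
Carol Example <carol@example.org>

<dave@example.org> <dave@old.example.org>
this line has no address
EOT

# Hypothetical helper, not part of Porting::updateAUTHORS.
# Returns (\@records, \@rejected_line_numbers).
sub parse_mailmap_lines {
    my @input = @_;
    my (@records, @rejected);
    my $line_num = 0;
    for my $line (@input) {
        $line_num++;
        next if $line =~ /^\s*(?:#|$)/;    # comment or blank line
        # "Name <email>" optionally followed by a second "Name <email>";
        # either name may be empty.
        if ($line =~ /^\s*([^<>]*?)\s*<([^<>\s]+)>
                      (?:\s*([^<>]*?)\s*<([^<>\s]+)>)?\s*$/x) {
            my @f = ($1, $2, $3, $4);
            # Normalise missing or empty fields to undef.
            for (@f) { $_ = undef unless defined($_) && length($_) }
            push @records, [ @f, $line_num ];
        }
        else {
            # Report malformed lines instead of guessing an identity.
            push @rejected, $line_num;
        }
    }
    return (\@records, \@rejected);
}

my ($records, $rejected) = parse_mailmap_lines(@lines);
for my $r (@$records) {
    print join(' | ', map { $_ // '-' } @$r), "\n";
}
print "rejected line numbers: @$rejected\n";
```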

read_and_update()

Wraps the other functions in this library and implements the logic and intent of this tool. Takes two arguments, the authors file name, and the mailmap file name. Returns nothing but may modify the AUTHORS file or the .mailmap file. Requires that both files are editable.

read_commit_log()

Read the commit log specified by the property "commit_range" and find any new names it contains.

Normally used via read_and_update and not called directly.

read_authors_file()

Read the AUTHORS file into the object, and return data about it.

Normally used via read_and_update and not called directly.

read_mailmap_file()

Read the .mailmap file into the object and return data about it.

Normally used via read_and_update and not called directly.

read_exclusion_file()

Read the exclusion file into the object and return data about it.

Normally used via read_and_update and not called directly.

update_authors_file()

Write out an updated AUTHORS file atomically if it has changed, returns 0 if the file was actually updated, 1 if it was not.

Normally used via read_and_update and not called directly.

update_mailmap_file()

Write out an updated .mailmap file atomically if it has changed, returns 0 if the file was actually updated, 1 if it was not.

Normally used via read_and_update and not called directly.

update_exclusion_file()

Write out an updated exclusion file atomically if it has changed, returns 0 if the file was actually updated, 1 if it was not.

Normally used via read_and_update and not called directly.

TODO

More documentation and testing.

SEE ALSO

Porting/checkAUTHORS.pl

AUTHOR

Yves Orton <demerphq@gmail.com>