Security Advisories (4)

CVE-2025-15649 (2026-05-27)

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

CVE-2026-48959 (2026-05-27)

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration. Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.

CVE-2026-48961 (2026-05-27)

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.

CVE-2026-48962 (2026-05-27)

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

NAME

File::GlobMapper - Extend File Glob to Allow Input and Output Files

SYNOPSIS

use File::GlobMapper qw( globmap );

my $aref = globmap $input => $output
    or die $File::GlobMapper::Error ;

my $gm = File::GlobMapper->new( $input => $output )
    or die $File::GlobMapper::Error ;

DESCRIPTION

This module needs Perl5.005 or better.

This module takes the existing File::Glob module as a starting point and extends it to allow new filenames to be derived from the files matched by File::Glob.

This can be useful when carrying out batch operations on multiple files that have both an input filename and output filename and the output file can be derived from the input filename. Examples of operations where this can be useful include, file renaming, file copying and file compression.

Behind The Scenes

To help explain what File::GlobMapper does, consider what code you would write if you wanted to rename all files in the current directory that ended in .tar.gz to .tgz. So say these files are in the current directory

alpha.tar.gz
beta.tar.gz
gamma.tar.gz

and they need renamed to this

alpha.tgz
beta.tgz
gamma.tgz

Below is a possible implementation of a script to carry out the rename (error cases have been omitted)

foreach my $old ( glob "*.tar.gz" )
{
    my $new = $old;
    $new =~ s#(.*)\.tar\.gz$#$1.tgz# ;

    rename $old => $new
        or die "Cannot rename '$old' to '$new': $!\n;
}

Notice that a file glob pattern *.tar.gz was used to match the .tar.gz files, then a fairly similar regular expression was used in the substitute to allow the new filename to be created.

Given that the file glob is just a cut-down regular expression and that it has already done a lot of the hard work in pattern matching the filenames, wouldn't it be handy to be able to use the patterns in the fileglob to drive the new filename?

Well, that's exactly what File::GlobMapper does.

Here is same snippet of code rewritten using globmap

for my $pair (globmap '<*.tar.gz>' => '<#1.tgz>' )
{
    my ($from, $to) = @$pair;
    rename $from => $to
        or die "Cannot rename '$old' to '$new': $!\n;
}

So how does it work?

Behind the scenes the globmap function does a combination of a file glob to match existing filenames followed by a substitute to create the new filenames.

Notice how both parameters to globmap are strings that are delimited by <>. This is done to make them look more like file globs - it is just syntactic sugar, but it can be handy when you want the strings to be visually distinctive. The enclosing <> are optional, so you don't have to use them - in fact the first thing globmap will do is remove these delimiters if they are present.

The first parameter to globmap, *.tar.gz, is an Input File Glob. Once the enclosing "< ... >" is removed, this is passed (more or less) unchanged to File::Glob to carry out a file match.

Next the fileglob *.tar.gz is transformed behind the scenes into a full Perl regular expression, with the additional step of wrapping each transformed wildcard metacharacter sequence in parenthesis.

In this case the input fileglob *.tar.gz will be transformed into this Perl regular expression

([^/]*)\.tar\.gz

Wrapping with parenthesis allows the wildcard parts of the Input File Glob to be referenced by the second parameter to globmap, #1.tgz, the Output File Glob. This parameter operates just like the replacement part of a substitute command. The difference is that the #1 syntax is used to reference sub-patterns matched in the input fileglob, rather than the $1 syntax that is used with perl regular expressions. In this case #1 is used to refer to the text matched by the * in the Input File Glob. This makes it easier to use this module where the parameters to globmap are typed at the command line.

The final step involves passing each filename matched by the *.tar.gz file glob through the derived Perl regular expression in turn and expanding the output fileglob using it.

The end result of all this is a list of pairs of filenames. By default that is what is returned by globmap. In this example the data structure returned will look like this

( ['alpha.tar.gz' => 'alpha.tgz'],
  ['beta.tar.gz'  => 'beta.tgz' ],
  ['gamma.tar.gz' => 'gamma.tgz']
)

Each pair is an array reference with two elements - namely the from filename, that File::Glob has matched, and a to filename that is derived from the from filename.

Limitations

File::GlobMapper has been kept simple deliberately, so it isn't intended to solve all filename mapping operations. Under the hood File::Glob (or for older versions of Perl, File::BSDGlob) is used to match the files, so you will never have the flexibility of full Perl regular expression.

Input File Glob

The syntax for an Input FileGlob is identical to File::Glob, except for the following

No nested {}
Whitespace does not delimit fileglobs.
The use of parenthesis can be used to capture parts of the input filename.
If an Input glob matches the same file more than once, only the first will be used.

The syntax

~

~user

.

Matches a literal '.'. Equivalent to the Perl regular expression

\.

*

Matches zero or more characters, except '/'. Equivalent to the Perl regular expression

[^/]*

?

Matches zero or one character, except '/'. Equivalent to the Perl regular expression

[^/]?

\

Backslash is used, as usual, to escape the next character.

[]

Character class.

{,}

Alternation

()

Capturing parenthesis that work just like perl

Any other character it taken literally.

Output File Glob

The Output File Glob is a normal string, with 2 glob-like features.

The first is the '*' metacharacter. This will be replaced by the complete filename matched by the input file glob. So

*.c *.Z

The second is

Output FileGlobs take the

"*": The "*" character will be replaced with the complete input filename.
#1: Patterns of the form /#\d/ will be replaced with the

Returned Data

EXAMPLES

A Rename script

Below is a simple "rename" script that uses globmap to determine the source and destination filenames.

use File::GlobMapper qw(globmap) ;
use File::Copy;

die "rename: Usage rename 'from' 'to'\n"
    unless @ARGV == 2 ;

my $fromGlob = shift @ARGV;
my $toGlob   = shift @ARGV;

my $pairs = globmap($fromGlob, $toGlob)
    or die $File::GlobMapper::Error;

for my $pair (@$pairs)
{
    my ($from, $to) = @$pair;
    move $from => $to ;
}

Here is an example that renames all c files to cpp.

$ rename '*.c' '#1.cpp'

A few example globmaps

Below are a few examples of globmaps

To copy all your .c file to a backup directory

'</my/home/*.c>'    '</my/backup/#1.c>'

If you want to compress all

'</my/home/*.[ch]>'    '<*.gz>'

To uncompress

'</my/home/*.[ch].gz>'    '</my/home/#1.#2>'

AUTHOR

The File::GlobMapper module was written by Paul Marquess, pmqs@cpan.org.

COPYRIGHT AND LICENSE

To install Compress::Zlib, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Compress::Zlib

CPAN shell

perl -MCPAN -e shell
install Compress::Zlib

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)