Security Advisories (14)
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
- https://www.debian.org/security/2018/dsa-4347
- https://usn.ubuntu.com/3834-2/
- https://rt.perl.org/Ticket/Display.html?id=133204
- https://metacpan.org/changes/release/SHAY/perl-5.28.1
- https://metacpan.org/changes/release/SHAY/perl-5.26.3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
- https://lists.debian.org/debian-lts-announce/2018/11/msg00039.html
- https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
- https://bugzilla.redhat.com/show_bug.cgi?id=1646730
- http://www.securitytracker.com/id/1042181
- https://usn.ubuntu.com/3834-1/
- http://www.securityfocus.com/bid/106145
- https://access.redhat.com/errata/RHSA-2019:0010
- https://access.redhat.com/errata/RHSA-2019:0001
- https://access.redhat.com/errata/RHSA-2019:0109
- https://security.netapp.com/advisory/ntap-20190221-0003/
- https://support.apple.com/kb/HT209600
- https://seclists.org/bugtraq/2019/Mar/42
- http://seclists.org/fulldisclosure/2019/Mar/49
- https://kc.mcafee.com/corporate/index?page=content&id=SB10278
- https://access.redhat.com/errata/RHBA-2019:0327
- https://access.redhat.com/errata/RHSA-2019:1790
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:1942
- https://access.redhat.com/errata/RHSA-2019:2400
- https://security.gentoo.org/glsa/201909-01
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://perldoc.perl.org/perl5281delta
- https://perldoc.perl.org/perl5263delta
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
- https://www.debian.org/security/2018/dsa-4347
- https://rt.perl.org/Public/Bug/Display.html?id=133423
- https://metacpan.org/changes/release/SHAY/perl-5.28.1
- https://metacpan.org/changes/release/SHAY/perl-5.26.3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
- https://bugzilla.redhat.com/show_bug.cgi?id=1646734
- http://www.securitytracker.com/id/1042181
- https://usn.ubuntu.com/3834-1/
- http://www.securityfocus.com/bid/106179
- https://access.redhat.com/errata/RHSA-2019:0010
- https://access.redhat.com/errata/RHSA-2019:0001
- https://security.netapp.com/advisory/ntap-20190221-0003/
- https://security.gentoo.org/glsa/201909-01
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://perldoc.perl.org/perl5281delta
- https://perldoc.perl.org/perl5263delta
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
- https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
- https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
- https://github.com/Perl/perl5/issues/16947
- https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
- https://github.com/Perl/perl5/issues/17743
- https://security.netapp.com/advisory/ntap-20200611-0001/
- https://security.gentoo.org/glsa/202006-03
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://perldoc.perl.org/perl5283delta
- https://perldoc.perl.org/perl5303delta
- https://perldoc.perl.org/perl5320delta
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
- https://www.debian.org/security/2018/dsa-4347
- https://rt.perl.org/Ticket/Display.html?id=131649
- https://metacpan.org/changes/release/SHAY/perl-5.26.3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
- https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f
- https://bugzilla.redhat.com/show_bug.cgi?id=1646751
- http://www.securitytracker.com/id/1042181
- https://usn.ubuntu.com/3834-1/
- http://www.securityfocus.com/bid/106145
- https://access.redhat.com/errata/RHSA-2019:0010
- https://access.redhat.com/errata/RHSA-2019:0001
- https://security.netapp.com/advisory/ntap-20190221-0003/
- https://security.gentoo.org/glsa/201909-01
- https://www.oracle.com/security-alerts/cpujul2020.html
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
- https://www.debian.org/security/2018/dsa-4347
- https://usn.ubuntu.com/3834-2/
- https://rt.perl.org/Ticket/Display.html?id=133192
- https://metacpan.org/changes/release/SHAY/perl-5.26.3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
- https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62
- https://bugzilla.redhat.com/show_bug.cgi?id=1646738
- http://www.securitytracker.com/id/1042181
- https://usn.ubuntu.com/3834-1/
- https://access.redhat.com/errata/RHSA-2019:0010
- https://access.redhat.com/errata/RHSA-2019:0001
- https://security.netapp.com/advisory/ntap-20190221-0003/
- https://support.apple.com/kb/HT209600
- https://seclists.org/bugtraq/2019/Mar/42
- http://seclists.org/fulldisclosure/2019/Mar/49
- https://security.gentoo.org/glsa/201909-01
- https://www.oracle.com/security-alerts/cpujul2020.html
Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6
- https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
- https://www.openwall.com/lists/oss-security/2025/05/22/2
- https://github.com/Perl/perl5/issues/23010
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
- https://github.com/Perl/perl5/issues/10387
- https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads
- https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e
Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
- https://www.cve.org/CVERecord?id=CVE-2026-3381
- https://lists.security.metacpan.org/cve-announce/msg/37638919/
- https://github.com/Perl/perl5/commit/c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94
- https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.221/source/Changes
- https://metacpan.org/release/SHAY/perl-5.40.4/changes
- https://metacpan.org/release/SHAY/perl-5.42.2/changes
Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds. A template derived from untrusted input can read heap memory past the buffer and return it to the caller.
Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
- https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
- https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
- https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
- https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
- https://security.netapp.com/advisory/ntap-20200611-0001/
- https://security.gentoo.org/glsa/202006-03
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://perldoc.perl.org/perl5283delta
- https://perldoc.perl.org/perl5303delta
- https://perldoc.perl.org/perl5320delta
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
- https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
- https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
- https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
- https://security.netapp.com/advisory/ntap-20200611-0001/
- https://security.gentoo.org/glsa/202006-03
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://perldoc.perl.org/perl5283delta
- https://perldoc.perl.org/perl5303delta
- https://perldoc.perl.org/perl5320delta
Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
NAME
O - Generic interface to Perl Compiler backends
SYNOPSIS
perl -MO=[-q,]Backend[,OPTIONS] foo.pl
DESCRIPTION
This is the module that is used as a frontend to the Perl Compiler.
If you pass the -q option to the module, then the STDOUT filehandle will be redirected into the variable $O::BEGIN_output during compilation. This has the effect that any output printed to STDOUT by BEGIN blocks or use'd modules will be stored in this variable rather than printed. It's useful with those backends which produce output themselves (Deparse, Concise etc), so that their output is not confused with that generated by the code being compiled.
The -qq option behaves like -q, except that it also closes STDERR after deparsing has finished. This suppresses the "Syntax OK" message normally produced by perl.
CONVENTIONS
Most compiler backends use the following conventions: OPTIONS consists of a comma-separated list of words (no white-space). The -v option usually puts the backend into verbose mode. The -ofile option generates output to file instead of stdout. The -D option followed by various letters turns on various internal debugging flags. See the documentation for the desired backend (named B::Backend for the example above) to find out about that backend.
IMPLEMENTATION
This section is only necessary for those who want to write a compiler backend module that can be used via this module.
The command-line mentioned in the SYNOPSIS section corresponds to the Perl code
use O ("Backend", OPTIONS);
The O::import function loads the appropriate B::Backend module and calls its compile function, passing it OPTIONS. That function is expected to return a sub reference which we'll call CALLBACK. Next, the "compile-only" flag is switched on (equivalent to the command-line option -c) and a CHECK block is registered which calls CALLBACK. Thus the main Perl program mentioned on the command-line is read in, parsed and compiled into internal syntax tree form. Since the -c flag is set, the program does not start running (excepting BEGIN blocks of course) but the CALLBACK function registered by the compiler backend is called.
In summary, a compiler backend module should be called "B::Foo" for some foo and live in the appropriate directory for that name. It should define a function called compile. When the user types
perl -MO=Foo,OPTIONS foo.pl
that function is called and is passed those OPTIONS (split on commas). It should return a sub ref to the main compilation function. After the user's program is loaded and parsed, that returned sub ref is invoked which can then go ahead and do the compilation, usually by making use of the B module's functionality.
BUGS
The -q and -qq options don't work correctly if perl isn't compiled with PerlIO support : STDOUT will be closed instead of being redirected to $O::BEGIN_output.
AUTHOR
Malcolm Beattie, mbeattie@sable.ox.ac.uk
Module Install Instructions
To install less, copy and paste the appropriate command in to your terminal.
cpanm less
perl -MCPAN -e shell
install less
For more information on module installation, please visit the detailed CPAN module installation guide.