Your message dated Sat, 06 Jun 2026 17:33:58 +0000
with message-id <[email protected]>
and subject line Bug#1138855: fixed in perl 5.42.2-2
has caused the Debian Bug report #1138855,
regarding libio-compress-perl: CVE-2026-48961
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138855: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138855
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libio-compress-perl
Version: 2.219-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libio-compress-perl.
CVE-2026-48961[0]:
| IO::Compress versions from 2.207 before 2.220 for Perl ship a
| zipdetails CLI tool that crashes with undefined subroutine on Info-
| ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in
| bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875)
| with UID Size or GID Size set to 8, causing zipdetails to decode an
| 8-byte UID or GID value, it dispatches through decodeLitteEndian(),
| which calls a misnamed helper unpackValueQ. The actual function
| defined in the same file is unpackValue_Q (with underscore); the
| call raises 'Undefined subroutine &main::unpackValueQ' and the
| script exits with status 255. Library callers of IO::Compress and
| IO::Uncompress are not affected; the defect is in the bundled CLI
| tool.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-48961
https://www.cve.org/CVERecord?id=CVE-2026-48961
[1] https://lists.security.metacpan.org/cve-announce/msg/40434383/
[2]
https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.42.2-2
Done: Niko Tyni <[email protected]>
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Sat, 06 Jun 2026 18:02:30 +0300
Source: perl
Architecture: source
Version: 5.42.2-2
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Closes: 1137345 1138854 1138855 1138856 1138858 1138863 1138905 1138906
Changes:
perl (5.42.2-2) experimental; urgency=medium
.
* [SECURITY] backport various fixes from upstream:
+ CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
(Closes: #1138863)
+ CVE-2026-7010: CRLF-validation in HTTP::Tiny.
(Closes: #1138858)
+ CVE-2026-8376: Buffer overflow in Perl_study_chunk.
(Closes: #1137345)
+ CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
(Closes: #1138856)
+ CVE-2026-48961: crash in zipdetails.
(Closes: #1138855)
+ CVE-2026-48962: code execution in IO-Compress via output globs.
(Closes: #1138854)
+ buffer overflows in pack().
(Closes: #1138905)
+ buffer overflow in Storable.
(Closes: #1138906)
Checksums-Sha1:
fac7a2aa4e40bb502f1d0ce479f05bb76f4e7fe1 2372 perl_5.42.2-2.dsc
9060d73f124395f973a8cfe3d6e412fbb93217ce 175608 perl_5.42.2-2.debian.tar.xz
9cea33e3faf2aceb567e9db40aa4fff67e9264ad 5338 perl_5.42.2-2_source.buildinfo
Checksums-Sha256:
e33c40124c7932ccebc7343c768e74347545dabf04b48a7b94a3b8d1a829a15c 2372
perl_5.42.2-2.dsc
03dc1d547aa8271832042b2a66b8c71a72035c28ca736166fd27dc6d2aaa8afb 175608
perl_5.42.2-2.debian.tar.xz
1b9c3872189b57ee52820e2d497dd8e99fdfb243e03a872f0013322a801380b2 5338
perl_5.42.2-2_source.buildinfo
Files:
13b7988bfedecc286305774e1817e7d0 2372 perl standard perl_5.42.2-2.dsc
0a7ad2361cdc8b893dbcad3628bcd09f 175608 perl standard
perl_5.42.2-2.debian.tar.xz
8ed1e5c781a84858dfb01c5d963d86a3 5338 perl standard
perl_5.42.2-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iKcEARMJAC8WIQTuZv2Xfg2x/uVxefeK/rNkDrE5sgUCaiRCvBEcbnR5bmlAZGVi
aWFuLm9yZwAKCRCK/rNkDrE5soOOAXoDqPuy2hIDNgbVMnotKgfi7tU1TjmeDkEC
OfUCv1UOU/zgnn4mqFkVY0EtjSc74iUBf3LHLX7Tab7loNX6UtKcvkCmoY1uXvWf
a7YWnv6aOXsw9oPetRDgHQcOE9AHI6Mz8w==
=YN5x
-----END PGP SIGNATURE-----
pgpWiaBw1hpmR.pgp
Description: PGP signature
--- End Message ---