Package: perl
Version: 5.40.1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], [email protected]
Forwarded: https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8
Control: found -1 5.32.1-4
Control: found -1 5.36.0-1
Control: found -1 5.42.2-1
The following vulnerability was published[0] for IO-Compress:

CVE ID: CVE-2025-15649
Distribution: IO-Compress
Versions: before 2.215
MetaCPAN: https://metacpan.org/dist/IO-Compress
VCS Repo: https://github.com/pmqs/IO-Compress

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date

Description
-----------
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught
exception when parsing zip header with malformed DOS date.

_dosToUnixTime() decodes the local-file-header last-modification date field
and calls Time::Local::timelocal() without an eval guard. A header whose date
field decodes to an out-of-range month, day, or hour causes timelocal() to
die. The exception propagates out of IO::Uncompress::Unzip->new($file) where
callers expect undef plus $UnzipError.

This CPAN module is shipped in both libio-compress-perl and perl. The
libio-compress-perl package was already fixed for sid + forky in version
2.215-1.

Copying the libio-compress-perl maintainers, and Salvatore for his security
hat. Not sure if we want to track this separately for the libio-compress-perl
package at this point. Feel free to clone this bug if it helps.

[0] https://lists.security.metacpan.org/cve-announce/msg/40434380/

-- 
Niko Tyni [email protected]
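An added illustration of the failure mode described above, placed beside the kind of eval guard the description implies. This is not code from IO-Compress, from the upstream commit, or from the report: the sub names and the header field values are constructed here, and only the standard MS-DOS date/time bit layout and Time::Local's documented die() on out-of-range fields are assumed.

```perl
use strict;
use warnings;
use Time::Local qw(timelocal);

# Split the two 16-bit DOS date/time fields of a zip local file header.
# Layout: date = YYYYYYYM MMMDDDDD (year since 1980), time = HHHHHMMM MMMSSSSS
# (seconds stored in 2-second units). Nothing here validates the ranges.
sub dos_fields {
    my ($dos_date, $dos_time) = @_;
    return (
        year => (($dos_date >> 9) & 0x7F) + 1980,
        mon  => ($dos_date >> 5) & 0x0F,   # 1..12 in a well-formed header
        mday => $dos_date & 0x1F,          # 1..31 in a well-formed header
        hour => ($dos_time >> 11) & 0x1F,  # 0..23 in a well-formed header
        min  => ($dos_time >> 5) & 0x3F,
        sec  => ($dos_time & 0x1F) * 2,
    );
}

# The pattern the report describes: timelocal() is called with no eval guard,
# so an out-of-range month/day/hour makes it die() and the error escapes the caller.
sub dos_to_unix_time_unguarded {
    my %f = dos_fields(@_);
    return timelocal($f{sec}, $f{min}, $f{hour}, $f{mday}, $f{mon} - 1, $f{year});
}

# Guarded version: catch the die() and hand back (undef, $error) instead, which is
# the failure shape callers of IO::Uncompress::Unzip->new expect ($UnzipError).
sub dos_to_unix_time_guarded {
    my %f = dos_fields(@_);
    my $t = eval { timelocal($f{sec}, $f{min}, $f{hour}, $f{mday}, $f{mon} - 1, $f{year}) };
    if (my $err = $@) {
        $err =~ s/\s+\z//;
        return (undef, "malformed DOS date in zip header: $err");
    }
    return ($t, undef);
}

# Constructed header field values, not taken from any real archive.
my $good_date = (2024 - 1980) << 9 | 6 << 5 | 15;    # 2024-06-15
my $good_time = 12 << 11 | 30 << 5;                   # 12:30:00
my $bad_date  = (2024 - 1980) << 9 | 15 << 5;         # month 15, day 0

my ($ok, $e1) = dos_to_unix_time_guarded($good_date, $good_time);
printf "well-formed header: %s\n", scalar localtime $ok;
my ($t, $e2) = dos_to_unix_time_guarded($bad_date, $good_time);
printf "malformed header: %s\n", defined $t ? $t : "undef ($e2)";
eval { dos_to_unix_time_unguarded($bad_date, $good_time) };
print "unguarded path died: $@" if $@;
```

The last two lines show why the report matters: without the guard, the only way for a caller to survive a crafted header is to wrap the whole constructor call in its own eval, which existing callers checking for undef plus $UnzipError do not do.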

