On Thu, Jun 04, 2026 at 11:00:50PM +0300, Niko Tyni wrote: > Package: perl > Version: 5.40.1-6 > Severity: important > Tags: security upstream > X-Debbugs-Cc: [email protected] > Forwarded: > https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158 > Control: found -1 5.32.1-4 > Control: found -1 5.36.0-1 > Control: found -1 5.42.2-1 > > The following vulnerability was published[0] for Archive-Tar (bundled with > perl): > > CVE ID: CVE-2026-42496 > Distribution: Archive-Tar > Versions: before 3.08 > > MetaCPAN: https://metacpan.org/dist/Archive-Tar > VCS Repo: https://github.com/jib/archive-tar-new > > Archive::Tar versions before 3.08 for Perl extract symlinks with > attacker controlled targets outside the extraction directory > > Description > ----------- > Archive::Tar versions before 3.08 for Perl extract symlinks with > attacker controlled targets outside the extraction directory. > > _make_special_file() passes the tar header's linkname to symlink() > without validating it against absolute paths or .. segments. The > secure-extract mode check that guards regular file extraction does not > cover the symlink target. > > A subsequent open through the extracted name reads or writes the > attacker chosen path. > > [0] https://lists.security.metacpan.org/cve-announce/msg/40396459/
While testing Perl-5.44.0-RC1, I noticed that libmodule-cpants-analyse-perl will need an update to keep it building after this. See https://github.com/Perl/perl5/issues/24452 -- Niko

