On Thu, Jun 04, 2026 at 11:00:50PM +0300, Niko Tyni wrote:
> Package: perl
> Version: 5.40.1-6
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected]
> Forwarded: 
> https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158
> Control: found -1 5.32.1-4
> Control: found -1 5.36.0-1
> Control: found -1 5.42.2-1
> 
> The following vulnerability was published[0] for Archive-Tar (bundled with 
> perl):
> 
>   CVE ID:  CVE-2026-42496
>   Distribution:  Archive-Tar
>   Versions:  before 3.08
> 
>   MetaCPAN:  https://metacpan.org/dist/Archive-Tar
>   VCS Repo:  https://github.com/jib/archive-tar-new
> 
>   Archive::Tar versions before 3.08 for Perl extract symlinks with
>   attacker controlled targets outside the extraction directory
>   
>   Description
>   -----------
>   Archive::Tar versions before 3.08 for Perl extract symlinks with
>   attacker controlled targets outside the extraction directory.
>   
>   _make_special_file() passes the tar header's linkname to symlink()
>   without validating it against absolute paths or .. segments. The
>   secure-extract mode check that guards regular file extraction does not
>   cover the symlink target.
>   
>   A subsequent open through the extracted name reads or writes the
>   attacker chosen path.
>   
> [0] https://lists.security.metacpan.org/cve-announce/msg/40396459/

While testing Perl-5.44.0-RC1, I noticed that libmodule-cpants-analyse-perl
will need an update to keep it building after this.

See https://github.com/Perl/perl5/issues/24452

-- 
Niko

Reply via email to