CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/06/08 19:37:30
Modified files:
gnu/usr.bin/perl/cpan/IO-Compress/bin: zipdetails
gnu/usr.bin/perl/cpan/IO-Compress/lib/File: GlobMapper.pm
gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Uncompress: Unzip.pm
gnu/usr.bin/perl/cpan/IO-Compress/t: globmapper.t
Log message:
Upstream patches for IO-Compress perl dist
* CVE-2026-48961
  https://lists.security.metacpan.org/cve-announce/msg/40434383/
  IO::Compress versions from 2.207 before 2.220 for Perl ship a
  zipdetails CLI tool that crashes with undefined subroutine on
  Info-ZIP Unix Extra Field with 8-byte UID or GID
* CVE-2026-48962
  https://lists.security.metacpan.org/cve-announce/msg/40434385/
  IO::Compress versions before 2.220 for Perl can execute arbitrary
  code in File::GlobMapper via an attacker-controlled output glob
* CVE-2025-15649
  https://lists.security.metacpan.org/cve-announce/msg/40434380/
  IO::Uncompress::Unzip versions before 2.215 for Perl propagate
  uncaught exception when parsing zip header with malformed DOS date
* CVE-2026-48959
  https://lists.security.metacpan.org/cve-announce/msg/40434381/
  IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU
  exhaustion via per-byte read loop in fastForward