Date: Thu, 4 Jun 2026 23:11:15 +0300
From: Niko Tyni <ntyni@debian.org>
To: submit@bugs.debian.org
Subject: IO-Compress: CVE-2025-15649
Message-ID: <aiHb479eitIA49yJ@app-dd>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Debian-User: ntyni
Delivered-To: submit@bugs.debian.org

Package: perl
Version: 5.40.1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, libio-compress-perl@packages.debian.org
Forwarded: https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8
Control: found -1 5.32.1-4
Control: found -1 5.36.0-1
Control: found -1 5.42.2-1

The following vulnerability was published[0] for IO-Compress:

  CVE ID:  CVE-2025-15649
  Distribution:  IO-Compress
  Versions:  before 2.215

  MetaCPAN:  https://metacpan.org/dist/IO-Compress
  VCS Repo:  https://github.com/pmqs/IO-Compress

  IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught
  exception when parsing a zip header with a malformed DOS date
  
  Description
  -----------
  IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught
  exception when parsing a zip header with a malformed DOS date.
  
  _dosToUnixTime() decodes the local-file-header last-modification date
  field and calls Time::Local::timelocal() without an eval guard. A
  header whose date field decodes to an out-of-range month, day, or hour
  causes timelocal() to die.
  
  The exception propagates out of IO::Uncompress::Unzip->new($file) where
  callers expect undef plus $UnzipError.
  
This CPAN module is shipped in both libio-compress-perl and perl. The
libio-compress-perl package was already fixed for sid + forky in version
2.215-1.

Copying the libio-compress-perl maintainers, and Salvatore for his security
hat. Not sure if we want to track this separately for the libio-compress-perl
package at this point. Feel free to clone this bug if it helps.

[0] https://lists.security.metacpan.org/cve-announce/msg/40434380/

-- 
Niko Tyni       ntyni@debian.org
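As an added illustration, not code from the advisory, from IO-Compress or from this report, the Perl script below decodes the MS-DOS date/time fields of a zip local file header the way the zip format defines them, shows an unguarded Time::Local::timelocal() call dying on a constructed header whose month field is 13 (the failure mode the advisory describes), and contrasts it with an eval-guarded conversion that returns undef plus an error string. A final sub shows the caller-side pattern of wrapping IO::Uncompress::Unzip->new() in eval, which is what a caller on a version before 2.215 needs in order to get the undef-plus-$UnzipError behaviour it expects. The sub names, the bit-field decoding and the sample header values are my own assumptions; I have not copied the module's internal _dosToUnixTime().

```perl
#!/usr/bin/perl
# Added example (not IO-Compress code): DOS date/time decoding with and
# without the eval guard that CVE-2025-15649 is about.
use strict;
use warnings;
use Time::Local qw(timelocal);
use IO::Uncompress::Unzip qw($UnzipError);

# Zip stores timestamps in MS-DOS format (assumed layout, per the zip spec):
#   date: bits 15-9 = year-1980, bits 8-5 = month (1-12), bits 4-0 = day (1-31)
#   time: bits 15-11 = hour (0-23), bits 10-5 = minute, bits 4-0 = second/2
# Nothing in the container stops a header from carrying month 0 or 13-15,
# day 0, or hour 24-31, which is exactly what makes the guard necessary.
sub decode_dos_datetime {
    my ($dos_date, $dos_time) = @_;
    return (
        ($dos_date >> 9) + 1980,      # year
        ($dos_date >> 5) & 0x0F,      # month, 1..12 expected
        $dos_date & 0x1F,             # day, 1..31 expected
        $dos_time >> 11,              # hour, 0..23 expected
        ($dos_time >> 5) & 0x3F,      # minute
        ($dos_time & 0x1F) * 2,       # second
    );
}

# Unguarded conversion: Time::Local croaks on out-of-range month, day or
# hour, so a malformed header makes this die, as the advisory reports.
sub dos_to_unix_unguarded {
    my ($dos_date, $dos_time) = @_;
    my ($y, $mo, $d, $h, $mi, $s) = decode_dos_datetime($dos_date, $dos_time);
    return timelocal($s, $mi, $h, $d, $mo - 1, $y);   # timelocal months are 0..11
}

# Guarded conversion: the same call inside eval, returning (undef, reason)
# instead of propagating the exception to the caller.
sub dos_to_unix_guarded {
    my ($dos_date, $dos_time) = @_;
    my ($y, $mo, $d, $h, $mi, $s) = decode_dos_datetime($dos_date, $dos_time);
    my $t = eval { timelocal($s, $mi, $h, $d, $mo - 1, $y) };
    return (undef, "malformed DOS date/time: $@") if $@;
    return ($t, undef);
}

# Caller-side mitigation for IO-Compress before 2.215 (assumed helper name):
# wrap the constructor so a die from header parsing surfaces as an error
# string, the same shape as the documented undef + $UnzipError failure.
sub open_zip_safely {
    my ($path) = @_;
    my $u = eval { IO::Uncompress::Unzip->new($path) };
    return (undef, "unzip constructor died: $@") if $@;
    return (undef, "unzip failed: $UnzipError") unless defined $u;
    return ($u, undef);
}

# Constructed sample field values: one well-formed stamp, one with month 13.
my $valid_date = ((2024 - 1980) << 9) | (6 << 5) | 4;    # 2024-06-04
my $bad_date   = ((2024 - 1980) << 9) | (13 << 5) | 4;   # month field 13
my $sample_time = (12 << 11) | (30 << 5) | (10 / 2);     # 12:30:10

my ($t, $err) = dos_to_unix_guarded($valid_date, $sample_time);
print "well-formed header -> ", scalar localtime($t), "\n";

($t, $err) = dos_to_unix_guarded($bad_date, $sample_time);
print "malformed header   -> ", (defined $t ? $t : $err), "\n";

# The unguarded path dies; called inside eval here only so the script goes on.
eval { dos_to_unix_unguarded($bad_date, $sample_time) };
print "unguarded call died with: $@" if $@;

# Optional: pass a zip path on the command line to exercise the caller guard.
if (@ARGV) {
    my ($u, $e) = open_zip_safely($ARGV[0]);
    print defined $u ? "opened $ARGV[0]\n" : "$e\n";
}
```

Run it with no arguments to see the decoded valid stamp, the guarded error string for the month-13 header and the croak message from the unguarded call; give it a zip path to exercise open_zip_safely(). The point of the guarded variant is that the error stays a return value, which is the contract the module's callers already code against.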