Bug#1138863: IO-Compress: CVE-2025-15649
Niko Tyni
ntyni at debian.org
Thu Jun 4 21:11:15 BST 2026
Package: perl
Version: 5.40.1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, libio-compress-perl at packages.debian.org
Forwarded: https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8
Control: found -1 5.32.1-4
Control: found -1 5.36.0-1
Control: found -1 5.42.2-1
The following vulnerability was published[0] for IO-Compress:
CVE ID: CVE-2025-15649
Distribution: IO-Compress
Versions: before 2.215
MetaCPAN: https://metacpan.org/dist/IO-Compress
VCS Repo: https://github.com/pmqs/IO-Compress
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught
exception when parsing zip header with malformed DOS date
Description
-----------
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught
exception when parsing zip header with malformed DOS date.
_dosToUnixTime() decodes the local-file-header last-modification date
field and calls Time::Local::timelocal() without an eval guard. A
header whose date field decodes to an out-of-range month, day, or hour
causes timelocal() to die.
The exception propagates out of IO::Uncompress::Unzip->new($file) where
callers expect undef plus $UnzipError.
This CPAN module is shipped in both libio-compress-perl and perl. The
libio-compress-perl package was already fixed for sid + forky in version
2.215-1.
Copying the libio-compress-perl maintainers, and Salvatore for his security
hat. Not sure if we want to track this separately for the libio-compress-perl
package at this point. Feel free to clone this bug if it helps.
[0] https://lists.security.metacpan.org/cve-announce/msg/40434380/
--
Niko Tyni ntyni at debian.org
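The failure mode described in the report, as an added example that is not code from IO-Compress or from this bug report: a standalone DOS date/time decoder written to mirror what the report says _dosToUnixTime() does, with the unguarded Time::Local::timelocal() call beside an eval-guarded version that returns undef plus an error string in the style callers of IO::Uncompress::Unzip->new expect. The function names and the header field values are constructed for the example and are not taken from the module.

```perl
#!/usr/bin/perl
# Added example (not IO-Compress code). Shows why an out-of-range DOS date
# field in a zip local file header makes Time::Local::timelocal() die, and
# what an eval guard around that call changes for the caller.
use strict;
use warnings;
use Time::Local qw(timelocal);

# Zip local-file-header timestamp layout (MS-DOS format):
#   time: bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds/2
#   date: bits 15-9 year-1980, bits 8-5 month (1-12), bits 4-0 day (1-31)
# Mirrors the unguarded shape described in the report (hypothetical name).
sub dos_to_unix_time_unguarded {
    my ($dos_time, $dos_date) = @_;
    my $year = (($dos_date >> 9) & 0x7f) + 1980;
    my $mon  = ($dos_date >> 5) & 0x0f;     # 1..12 in a well-formed header
    my $mday = $dos_date & 0x1f;            # 1..31 in a well-formed header
    my $hour = ($dos_time >> 11) & 0x1f;    # 0..23 in a well-formed header
    my $min  = ($dos_time >> 5) & 0x3f;
    my $sec  = ($dos_time & 0x1f) * 2;
    # timelocal() takes a 0-based month and croaks on any out-of-range field,
    # so month 0/13, day 0, or hour 24 from a malformed header dies here.
    return timelocal($sec, $min, $hour, $mday, $mon - 1, $year);
}

# Guarded variant (hypothetical name): same decoding, but the exception is
# caught and turned into (undef, $error), which is the contract callers of
# IO::Uncompress::Unzip->new rely on via $UnzipError.
sub dos_to_unix_time_guarded {
    my ($dos_time, $dos_date) = @_;
    my $t = eval { dos_to_unix_time_unguarded($dos_time, $dos_date) };
    if ($@) {
        my $err = $@;
        $err =~ s/ at \S+ line \d+\.\n?\z//;   # drop Carp's "at FILE line N."
        return (undef, "Malformed DOS timestamp in zip header: $err");
    }
    return ($t, undef);
}

# Constructed header fields (not from a real archive).
my $good_time = (12 << 11) | (30 << 5) | (14 >> 1);       # 12:30:14
my $good_date = ((2024 - 1980) << 9) | (6 << 5) | 4;      # 2024-06-04
my $bad_month = ((2024 - 1980) << 9) | (13 << 5) | 4;     # month 13
my $bad_day   = ((2024 - 1980) << 9) | (6 << 5) | 0;      # day 0
my $bad_hour  = (24 << 11) | (30 << 5) | 7;               # hour 24

my ($t, $err) = dos_to_unix_time_guarded($good_time, $good_date);
print "well-formed header: ", scalar localtime($t), "\n";

for my $case ([$good_time, $bad_month, 'month 13'],
              [$good_time, $bad_day,   'day 0'],
              [$bad_hour,  $good_date, 'hour 24']) {
    my ($dt, $dd, $label) = @$case;
    my ($val, $e) = dos_to_unix_time_guarded($dt, $dd);
    print "guarded ($label): ", (defined $val ? $val : "undef, $e"), "\n";
}

# The unguarded form is what a caller of a pre-2.215 Unzip would have to
# wrap itself; without the eval the script would terminate here.
my $ok = eval { dos_to_unix_time_unguarded($good_time, $bad_month); 1 };
print "unguarded call died with: $@" unless $ok;
```

Since the report states that the exception escapes IO::Uncompress::Unzip->new($file) itself, a caller on an unfixed version gets equivalent protection only by wrapping the constructor call in eval and treating a set $@ the same way as an undef return with $UnzipError; checking $UnzipError alone is not enough there.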