Bug#1140426: libcrypt-openssl-pkcs12-perl: CVE-2026-9265
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 20 09:28:35 BST 2026
Source: libcrypt-openssl-pkcs12-perl
Version: 1.95-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for libcrypt-openssl-pkcs12-perl.
CVE-2026-9265[0]:
| Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap
| OOB read in print_attribute UTF8STRING path. print_attribute()
| copies a UTF8STRING ASN.1 attribute value into a heap buffer sized
| exactly to its declared length via strncpy, leaving no NUL
| terminator. Downstream callers run strlen() on the result and pass
| the inflated length to newSVpvn(), copying attacker-influenced
| adjacent heap bytes into a Perl scalar.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9265
https://www.cve.org/CVERecord?id=CVE-2026-9265
[1] https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55
[2] https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/a7bd2f319fa8aab8177b3d767ea06dd85ceb3173
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-perl-maintainers
mailing list