IO::Compress versions before 2.220 for Perl contain a code injection vulnerability in File::GlobMapper. The _parseOutputGlob() function wraps attacker-supplied output glob strings in double quotes and stores them in parser state; _getFiles() subsequently passes this stored expression through eval STRING. A literal double quote character in the output glob terminates the wrapper, allowing subsequent charac [truncated]
A defect in the zipdetails CLI tool bundled with IO::Compress for Perl causes the utility to crash when processing ZIP archives containing Info-ZIP Unix Extra Fields (tag 0x7875) with 8-byte UID or GID values. The crash occurs due to a function name mismatch: decode_ux() calls unpackValueQ() but the actual defined function is unpackValue_Q() (with underscore), resulting in an undefined subroutine error an [truncated]
IO::Uncompress::Unzip versions before 2.220 contain a logic error in the fastForward() function that enables CPU exhaustion attacks. The vulnerability stems from an incorrect comparison where the digit count of an offset value (1-19 characters) is compared against chunk size rather than the actual offset value. This causes the chunk size to shrink dramatically from 16 KiB to 1-19 bytes per iteration, crea [truncated]
IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught exception when parsing a zip header with a malformed DOS date. The _dosToUnixTime() function decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out o [truncated]
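
The eval guard that the last entry describes as missing can be sketched as follows. This is an added example, not code from IO::Compress or its fix. The names dos_to_unix_time_guarded and pack_dos and the sample values are assumptions, and the bit layout is the standard packed MS-DOS date/time format.

```perl
use strict;
use warnings;
use Time::Local ();

# Hypothetical helper (not the module's code): decode a packed 32-bit DOS
# date/time, date in the high 16 bits and time in the low 16 bits.
# Returns a Unix timestamp, or undef when the fields are not a valid date.
sub dos_to_unix_time_guarded {
    my ($dt) = @_;
    my $year = (($dt >> 25) & 0x7f) + 1980;
    my $mon  = (($dt >> 21) & 0x0f) - 1;    # timelocal() expects 0..11
    my $mday =  ($dt >> 16) & 0x1f;
    my $hour =  ($dt >> 11) & 0x1f;
    my $min  =  ($dt >>  5) & 0x3f;
    my $sec  =  ($dt <<  1) & 0x3e;         # stored in 2-second units

    # timelocal() dies on out-of-range fields. The block eval contains that,
    # and local $@ keeps the caller's error state untouched.
    local $@;
    my $time = eval {
        Time::Local::timelocal($sec, $min, $hour, $mday, $mon, $year);
    };
    return $time;    # undef if timelocal() died
}

# Constructed sample values, built with the same bit layout.
sub pack_dos {
    my ($y, $mo, $d, $h, $mi, $s) = @_;
    return (($y - 1980) << 25) | ($mo << 21) | ($d << 16)
         | ($h << 11) | ($mi << 5) | ($s >> 1);
}

my @samples = (
    [ 'valid 2024-03-15 12:30:10' => pack_dos(2024,  3, 15, 12, 30, 10) ],
    [ 'all-zero field'            => 0                                   ],
    [ 'month 13'                  => pack_dos(2024, 13, 15, 12, 30, 10) ],
    [ 'day 31 in February'        => pack_dos(2024,  2, 31, 12, 30, 10) ],
    [ 'hour 31'                   => pack_dos(2024,  3, 15, 31, 30, 10) ],
);

for my $s (@samples) {
    my ($label, $dt) = @$s;
    my $t = dos_to_unix_time_guarded($dt);
    printf "%-26s 0x%08x -> %s\n", $label, $dt,
        defined $t ? scalar localtime($t) : 'rejected (invalid date)';
}
```

A caller that receives undef can record the entry's timestamp as unknown and keep processing the archive.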