Security Advisories (18)
CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 5.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

perlsource - A guide to the Perl source tree

DESCRIPTION

This document describes the layout of the Perl source tree. If you're hacking on the Perl core, this will help you find what you're looking for.

FINDING YOUR WAY AROUND

The Perl source tree is big. Here are some of the things you'll find in it:

C code

The C source code and header files mostly live in the root of the source tree. There are a few platform-specific directories which contain C code. In addition, some of the modules shipped with Perl include C or XS code.

See perlinterp for more details on the files that make up the Perl interpreter, as well as details on how it works.

Core modules

Modules shipped as part of the Perl core live in four subdirectories. Two of these directories contain modules that live only in the core, and two contain modules that can also be released separately on CPAN. Modules which can be released on CPAN are known as "dual-life" modules.

  • lib/

    This directory contains pure-Perl modules which are only released as part of the core. Unlike the other core module directories, this one holds each module and its tests side by side.

  • ext/

    This directory contains XS-using modules which are only released as part of the core. These modules generally have their own Makefile.PL and are laid out more like a typical CPAN module.

  • dist/

    This directory is for dual-life modules where the blead source is canonical. Note that some modules in this directory may not yet have been released separately on CPAN.

  • cpan/

    This directory contains dual-life modules where the CPAN module is canonical. Do not patch these modules directly! Changes to these modules should be submitted to the maintainer of the CPAN module. Once those changes are applied and released, the new version of the module will be incorporated into the core.

For some dual-life modules, it has not yet been determined if the CPAN version or the blead source is canonical. Until that is done, those modules should be in cpan/.

Tests

The Perl core has an extensive test suite. If you add new tests (or new modules with tests), you may need to update the t/TEST file so that the tests are run.

  • Module tests

    Tests for core modules in the lib/ directory are right next to the module itself. For example, we have lib/strict.pm and lib/strict.t.

    Tests for modules in ext/ and the dual-life modules are in t/ subdirectories for each module, like a standard CPAN distribution.

  • t/base/

    Tests for the absolute basic functionality of Perl. This includes if, basic file reads and writes, simple regexes, etc. These are run first in the test suite and if any of them fail, something is really broken.

  • t/cmd/

    Tests for basic control structures, if/else, while, subroutines, etc.

  • t/comp/

    Tests for basic issues of how Perl parses and compiles itself.

  • t/io/

    Tests for built-in IO functions, including command line arguments.

  • t/mro/

    Tests for perl's method resolution order implementations (see mro).

  • t/op/

    Tests for perl's built-in functions that don't fit into any of the other directories.

  • t/re/

    Tests for regex related functions or behaviour. (These used to live in t/op).

  • t/run/

    Tests for features of how perl actually runs, including exit codes and handling of PERL* environment variables.

  • t/uni/

    Tests for the core support of Unicode.

  • t/win32/

    Windows-specific tests.

  • t/porting/

    Tests the state of the source tree for various common errors. For example, it tests that everyone who is listed in the git log has a corresponding entry in the AUTHORS file.

  • t/lib/

    The old home for the module tests, you shouldn't put anything new in here. There are still some bits and pieces hanging around in here that need to be moved. Perhaps you could move them? Thanks!

  • t/x2p/

    A test suite for the s2p converter.

Documentation

All of the core documentation intended for end users lives in pod/. Individual modules in lib/, ext/, dist/, and cpan/ usually have their own documentation, either in the Module.pm file or an accompanying Module.pod file.

Finally, documentation intended for core Perl developers lives in the Porting/ directory.

Hacking tools and documentation

The Porting directory contains a grab bag of code and documentation intended to help porters work on Perl. Some of the highlights include:

  • check*

    These are scripts which will check the source for things like ANSI C violations, POD encoding issues, etc.

  • Maintainers, Maintainers.pl, and Maintainers.pm

    These files contain information on who maintains which modules. Run perl Porting/Maintainers -M Module::Name to find out more information about a dual-life module.

  • podtidy

    Tidies a pod file. It's a good idea to run this on a pod file you've patched.

Build system

The Perl build system starts with the Configure script in the root directory.

Platform-specific pieces of the build system also live in platform-specific directories like win32/, vms/, etc.

The Configure script is ultimately responsible for generating a Makefile.

The build system that Perl uses is called metaconfig. This system is maintained separately from the Perl core.

The metaconfig system has its own git repository. Please see its README file in http://perl5.git.perl.org/metaconfig.git/ for more details.

The Cross directory contains various files related to cross-compiling Perl. See Cross/README for more details.

AUTHORS

This file lists everyone who's contributed to Perl. If you submit a patch, you should add your name to this file as part of the patch.

MANIFEST

The MANIFEST file in the root of the source tree contains a list of every file in the Perl core, as well as a brief description of each file.

You can get an overview of all the files with this command:

% perl -lne 'print if /^[^\/]+\.[ch]\s+/' MANIFEST
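As an added example (not part of perlsource or the Perl distribution), here is a small Perl script that parses MANIFEST-style lines (path, whitespace, description) and counts entries per directory described above; it applies the same root-level .c/.h filter as the one-liner and runs on a constructed sample instead of a real MANIFEST.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of MANIFEST lines (not copied from a real Perl tree):
# each line is a path, whitespace, then a short description.
my @manifest_lines = split /\n/, <<'END';
av.c                          Array value code
av.h                          Array value header
cpan/JSON-PP/bin/json_pp      JSON::PP command-line utility
dist/Module-CoreList/corelist Module::CoreList command-line tool
ext/Pod-Html/bin/pod2html     Convert POD to HTML
lib/strict.pm                 Pragma to restrict unsafe constructs
lib/strict.t                  See if strictures work
regcomp.c                     Regular expression compiler
regexec.c                     Regular expression executor
t/re/regexp.t                 See if regular expressions work
util.c                        Utility routines
END

# Parse one MANIFEST line into a [path, description] pair.
# The description may be empty; blank or malformed lines yield nothing.
sub parse_manifest_line {
    my ($line) = @_;
    my ($path, $desc) = $line =~ /^(\S+)\s*(.*)$/ or return;
    return [$path, $desc];
}

# Classify a path by the directories perlsource describes.
sub classify {
    my ($path) = @_;
    return 'core C source'                      if $path =~ m{^[^/]+\.[ch]$};  # same filter as the one-liner
    return 'lib/ (core-only Perl)'              if $path =~ m{^lib/};
    return 'ext/ (core-only XS)'                if $path =~ m{^ext/};
    return 'dist/ (dual-life, blead canonical)' if $path =~ m{^dist/};
    return 'cpan/ (dual-life, CPAN canonical)'  if $path =~ m{^cpan/};
    return 'tests (t/)'                         if $path =~ m{^t/};
    return 'other';
}

my %count;
for my $line (@manifest_lines) {
    my $entry = parse_manifest_line($line) or next;
    $count{ classify($entry->[0]) }++;
}
printf "%-40s %d\n", $_, $count{$_} for sort keys %count;
```

Replace the embedded sample with `while (my $line = <$fh>)` over the real MANIFEST to get the breakdown for an actual source tree.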