/ 
perl-5.21.3
River stage five • 12548 direct dependents • 35191 total dependents
⭐ Starred 2013 GitHub stars
/ ExtUtils::XSSymSet
Security Advisories (19)
CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6797 (2018-04-17)

An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2017-12883 (2017-09-19)

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.

CVE-2017-12837 (2017-09-19)

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

ExtUtils::XSSymSet - keep sets of symbol names palatable to the VMS linker

SYNOPSIS

use ExtUtils::XSSymSet;

$set = new ExtUtils::XSSymSet;
while ($sym = make_symbol()) { $set->addsym($sym); }
foreach $safesym ($set->all_trimmed) {
  print "Processing $safesym (derived from ",
      $self->get_orig($safesym), ")\n";
  do_stuff($safesym);
}

$safesym = ExtUtils::XSSymSet->trimsym($onesym);

DESCRIPTION

Since the VMS linker distinguishes symbols based only on the first 31 characters of their names, it is occasionally necessary to shorten symbol names in order to avoid collisions. (This is especially true of names generated by xsubpp, since prefixes generated by nested package names can become quite long.) ExtUtils::XSSymSet provides functions to shorten names in a consistent fashion, and to track a set of names to insure that each is unique. While designed with xsubpp in mind, it may be used with any set of strings.

This package supplies the following functions, all of which should be called as methods.

new([$maxlen[,$silent]])

Creates an empty ExtUtils::XSSymset set of symbols. This function may be called as a static method or via an existing object. If $maxlen or $silent are specified, they are used as the defaults for maximum name length and warning behavior in future calls to addsym() or trimsym() via this object. If the compiler has been instructed to do its own symbol shortening via $Config{'useshortenedsymbols'}, a value of 2048 is assumed for $maxlen as a way of bypassing the shortening done by this module.

addsym($name[,$maxlen[,$silent]])

Creates a symbol name from $name, using the methods described under trimsym(), which is unique in this set of symbols, and returns the new name. $name and its resultant are added to the set, and any future calls to addsym() specifying the same $name will return the same result, regardless of the value of $maxlen specified. Unless $silent is true, warnings are output if $name had to be trimmed or changed in order to avoid collision with an existing symbol name. $maxlen and $silent default to the values specified when this set of symbols was created. This method must be called via an existing object.

trimsym($name[,$maxlen[,$silent]])

Creates a symbol name $maxlen or fewer characters long from $name and returns it. If $name is too long, it first tries to shorten it by removing duplicate characters, then by periodically removing non-underscore characters, and finally, if necessary, by periodically removing characters of any type. $maxlen defaults to 31. Unless $silent is true, a warning is output if $name is altered in any way. This function may be called either as a static method or via an existing object, but in the latter case no check is made to insure that the resulting name is unique in the set of symbols. If the compiler has been instructed to do its own symbol shortening via $Config{'useshortenedsymbols'}, a value of 2048 is assumed for $maxlen as a way of bypassing the shortening done by this module.

delsym($name)

Removes $name from the set of symbols, where $name is the original symbol name passed previously to addsym(). If $name existed in the set of symbols, returns its "trimmed" equivalent, otherwise returns undef. This method must be called via an existing object.

get_orig($trimmed)

Returns the original name which was trimmed to $trimmed by a previous call to addsym(), or undef if $trimmed does not correspond to a member of this set of symbols. This method must be called via an existing object.

get_trimmed($name)

Returns the trimmed name which was generated from $name by a previous call to addsym(), or undef if $name is not a member of this set of symbols. This method must be called via an existing object.

all_orig()

Returns a list containing all of the original symbol names from this set.

all_trimmed()

Returns a list containing all of the trimmed symbol names from this set.

AUTHOR

Charles Bailey <bailey@newman.upenn.edu>

REVISION

Last revised 8-Oct-2010, for Perl 5.13.6.