Security Advisories (23)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2011-0761 (2011-05-13)

Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

Archive::Extract - A generic archive extracting mechanism

SYNOPSIS

use Archive::Extract;

### build an Archive::Extract object ###
my $ae = Archive::Extract->new( archive => 'foo.tgz' );

### extract to cwd() ###
my $ok = $ae->extract;

### extract to /tmp ###
$ok = $ae->extract( to => '/tmp' );

### what if something went wrong?
$ok = $ae->extract or die $ae->error;

### files from the archive ###
my $files   = $ae->files;

### dir that was extracted to ###
my $outdir  = $ae->extract_path;


### quick check methods ###
$ae->is_tar;    # is it a .tar file?
$ae->is_tgz;    # is it a .tar.gz or .tgz file?
$ae->is_gz;     # is it a .gz file?
$ae->is_zip;    # is it a .zip file?
$ae->is_bz2;    # is it a .bz2 file?
$ae->is_tbz;    # is it a .tar.bz2 or .tbz file?

### absolute path to the archive you provided ###
$ae->archive;

### commandline tools, if found ###
$ae->bin_tar;     # path to /bin/tar, if found
$ae->bin_gzip;    # path to /bin/gzip, if found
$ae->bin_unzip;   # path to /bin/unzip, if found
$ae->bin_bunzip2; # path to /bin/bunzip2, if found

DESCRIPTION

Archive::Extract is a generic archive extraction mechanism.

It lets you extract any archive file of type .tar, .tar.gz, .gz, .Z, .tar.bz2, .tbz, .bz2 or .zip without having to worry about how it does so, or having to use a different interface for each type: under the hood it uses either Perl modules or command line tools on your system.

See the HOW IT WORKS section further down for details.

METHODS

$ae = Archive::Extract->new(archive => '/path/to/archive',[type => TYPE])

Creates a new Archive::Extract object based on the archive file you passed it. Automatically determines the type of archive based on the extension, but you can override that by explicitly providing the type argument.

Valid values for type are:

tar

Standard tar files, as produced by, for example, /bin/tar. Corresponds to a .tar suffix.

tgz

Gzip compressed tar files, as produced by, for example /bin/tar -z. Corresponds to a .tgz or .tar.gz suffix.

gz

Gzip compressed file, as produced by, for example /bin/gzip. Corresponds to a .gz suffix.

Z

Lempel-Ziv compressed file, as produced by, for example /bin/compress. Corresponds to a .Z suffix.

zip

Zip compressed file, as produced by, for example /bin/zip. Corresponds to a .zip, .jar or .par suffix.

bz2

Bzip2 compressed file, as produced by, for example, /bin/bzip2. Corresponds to a .bz2 suffix.

tbz

Bzip2 compressed tar file, as produced by, for example, /bin/tar -j. Corresponds to a .tbz or .tar.bz2 suffix.

Returns an Archive::Extract object on success, or false on failure.

$ae->extract( [to => '/output/path'] )

Extracts the archive represented by the Archive::Extract object to the path of your choice as specified by the to argument. Defaults to cwd().

Since a .gz file never holds a directory but only a single file, the to argument is handled specially when the archive type is gz: if to is an existing directory, the file is extracted there with its .gz suffix stripped; if to is not an existing directory, it is understood to be the output filename. If you did not specify a to argument, the output file is the name of the archive with its .gz suffix stripped, in the current working directory.

extract will try a pure perl solution first, and then fall back to commandline tools if they are available. See the GLOBAL VARIABLES section below on how to alter this behaviour.

It will return true on success, and false on failure.

On success, it will also set the following attributes in the object:

$ae->extract_path

This is the directory that the files were extracted to.

$ae->files

This is an array ref with the paths of all the files in the archive, relative to the to argument you specified. To get the full path to an extracted file, you would use:

File::Spec->catfile( $to, $ae->files->[0] );

Note that all files from a tar archive will be in unix format, as per the tar specification.
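The following script is an added example and is not part of the Archive::Extract documentation or code. It builds a small constructed .tar.gz with the core Archive::Tar module, extracts it with an explicit type (the file name deliberately has no recognised suffix), reads back extract_path and files as described above, and then audits the entry list so that no path containing '..' or an absolute prefix is trusted. That containment audit, the helper name entry_is_contained, and the sample file names are assumptions made for this example; the module itself does not document such a check.

```perl
#!/usr/bin/perl
# Added example; not part of the Archive::Extract documentation or code.
# Builds a constructed .tar.gz, extracts it with an explicit type, and audits
# the entry list before any extracted path is used.
use strict;
use warnings;
use Archive::Extract;
use Archive::Tar;                  # core module, used only to build the sample
use File::Spec;
use File::Temp qw(tempdir);

# Reject entries that could resolve outside the extraction directory: an
# absolute path or any '..' component. Tar entries use '/' as separator, as
# the extract() documentation notes. This is a generic hardening step added
# for the example (hypothetical helper), not something the module performs.
sub entry_is_contained {
    my ($rel) = @_;
    return 0 if File::Spec->file_name_is_absolute($rel);
    return 0 if $rel =~ m{^/};                      # unix-style absolute entry
    return 0 if grep { $_ eq '..' } split m{/}, $rel;
    return 1;
}

# --- constructed sample archive --------------------------------------------
# No recognised suffix on purpose: new() needs the type argument here.
my $work    = tempdir( CLEANUP => 1 );
my $archive = File::Spec->catfile( $work, 'sample.bin' );
my $tar     = Archive::Tar->new;
$tar->add_data( 'pkg/README',     "sample readme\n" );
$tar->add_data( 'pkg/lib/Foo.pm', "package Foo;\n1;\n" );
$tar->write( $archive, COMPRESS_GZIP )
    or die "cannot write sample: " . $tar->error;

# --- extraction ------------------------------------------------------------
my $outdir = tempdir( CLEANUP => 1 );
my $ae = Archive::Extract->new( archive => $archive, type => 'tgz' )
    or die "Archive::Extract->new failed (unknown type?)\n";
printf "type=%s is_tar=%d is_tgz=%d\n",
    $ae->type, $ae->is_tar ? 1 : 0, $ae->is_tgz ? 1 : 0;

$ae->extract( to => $outdir ) or die "extract failed: " . $ae->error . "\n";

# --- audit -----------------------------------------------------------------
# Archive::Extract exposes the entry list only after extract(), so this is an
# after-the-fact audit: a flagged entry means the output directory should be
# discarded rather than used.
my @suspect = grep { !entry_is_contained($_) } @{ $ae->files };
die "unsafe entries in archive: @suspect\n" if @suspect;

for my $rel ( @{ $ae->files } ) {
    # Recipe from the extract() documentation: path relative to 'to'.
    my $full = File::Spec->catfile( $outdir, $rel );
    printf "%-16s %s\n", $rel,
        -f $full ? ( -s $full ) . " bytes" : "(directory)";
}
print "extracted under ", $ae->extract_path, "\n";
```

Run it as an ordinary Perl script; both temporary directories are removed on exit. Because the audit can only run after extraction, the useful outcome of a failed audit is to discard the output directory and log the archive, not to keep working with it.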

ACCESSORS

$ae->error([BOOL])

Returns the last encountered error as string. Pass it a true value to get the Carp::longmess() output instead.

$ae->extract_path

This is the directory the archive got extracted to. See extract() for details.

$ae->files

This is an array ref holding all the paths from the archive. See extract() for details.

$ae->archive

This is the full path to the archive file represented by this Archive::Extract object.

$ae->type

This is the type of archive represented by this Archive::Extract object. See accessors below for an easier way to use this. See the new() method for details.

$ae->types

Returns a list of all known types for Archive::Extract's new method.

$ae->is_tgz

Returns true if the file is of type .tar.gz. See the new() method for details.

$ae->is_tar

Returns true if the file is of type .tar. See the new() method for details.

$ae->is_gz

Returns true if the file is of type .gz. See the new() method for details.

$ae->is_Z

Returns true if the file is of type .Z. See the new() method for details.

$ae->is_zip

Returns true if the file is of type .zip. See the new() method for details.

$ae->bin_tar

Returns the full path to your tar binary, if found.

$ae->bin_gzip

Returns the full path to your gzip binary, if found.

$ae->bin_unzip

Returns the full path to your unzip binary, if found.

$bool = $ae->have_old_bunzip2

Older versions of /bin/bunzip2, from before the bunzip2 1.0 release, require all archive names to end in .bz2 or they will not extract them. This method checks whether you have a recent version of bunzip2 that allows any extension, or an older one that does not.

HOW IT WORKS

Archive::Extract first tries to determine what type of archive you are passing it by inspecting its suffix. It does not use MIME magic or anything similar. See CAVEATS below.

Once it has determined the file type, it knows which extraction methods it can use on the archive. It will try a perl solution first, then fall back to a commandline tool if that fails. If that also fails, it will return false, indicating it was unable to extract the archive. See the section on GLOBAL VARIABLES to see how to alter this order.

CAVEATS

File Extensions

Archive::Extract relies on the extension of the archive to determine what type it is, and therefore which extractor methods can be used. If your archives do not have any of the extensions described in the new() method, you will have to specify the type explicitly, or Archive::Extract will not be able to extract the archive for you.

Supporting Very Large Files

Archive::Extract can use either pure perl modules or command line programs under the hood. Some of the pure perl modules (like Archive::Tar) read the entire contents of the archive into memory, which may not be feasible on your system. Consider setting the global variable $Archive::Extract::PREFER_BIN to 1, which will prefer the use of command line programs and won't consume so much memory.

See the GLOBAL VARIABLES section below for details.

Bunzip2 support of arbitrary extensions.

Older versions of /bin/bunzip2 do not support arbitrary file extensions and insist on a .bz2 suffix. Although we do our best to guard against this, if you experience a bunzip2 error, it may be related to this. For details, please see the have_old_bunzip2 method.

GLOBAL VARIABLES

$Archive::Extract::DEBUG

Set this variable to true to have all calls to command line tools be printed out, including all their output. This also enables Carp::longmess errors, instead of the regular carp errors.

Good for tracking down why things don't work with your particular setup.

Defaults to false.

$Archive::Extract::WARN

This variable controls whether errors encountered internally by Archive::Extract should be carp'd or not.

Set to false to silence warnings. Inspect the output of the error() method manually to see what went wrong.

Defaults to true.

$Archive::Extract::PREFER_BIN

This variable controls whether Archive::Extract should prefer the use of perl modules, or commandline tools to extract archives.

Set to true to have Archive::Extract prefer commandline tools.

Defaults to false.
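The following script is an added example and is not part of the Archive::Extract documentation or code. It shows the three global variables in use, picks $Archive::Extract::PREFER_BIN from the archive size (the "Supporting Very Large Files" caveat above), turns off $Archive::Extract::WARN so that a failure is reported once through error(), and walks through the two .gz cases for the to argument described under extract(). The constructed sample file, the file names and the 64 MiB threshold are assumptions made for this example, not module defaults.

```perl
#!/usr/bin/perl
# Added example; not part of the Archive::Extract documentation or code.
# Global switches in use, plus the .gz handling of the 'to' argument.
use strict;
use warnings;
use Archive::Extract;
use File::Spec;
use File::Temp qw(tempdir);
use IO::Compress::Gzip qw(gzip $GzipError);   # core module, builds the sample

# --- constructed sample: one gzip'd text file -------------------------------
my $work = tempdir( CLEANUP => 1 );
my $gz   = File::Spec->catfile( $work, 'report.txt.gz' );
my $text = "line one\nline two\n";
gzip( \$text => $gz ) or die "cannot build sample: $GzipError";

# --- global switches --------------------------------------------------------
# Pure perl backends such as Archive::Tar read the whole archive into memory,
# so above a size threshold the command line tools are the safer choice.
# The 64 MiB threshold is an assumption for this example, not a module default.
my $limit = 64 * 1024 * 1024;
$Archive::Extract::PREFER_BIN = ( ( -s $gz ) > $limit ) ? 1 : 0;

# No carp() output from inside the module; error() is inspected explicitly.
$Archive::Extract::WARN = 0;

# Set to 1 while diagnosing a setup: every tool invocation and its output is
# printed, and errors carry a Carp::longmess backtrace.
$Archive::Extract::DEBUG = 0;

# --- case 1: 'to' is an existing directory ----------------------------------
# The output file is report.txt (suffix stripped) inside that directory.
my $outdir = tempdir( CLEANUP => 1 );
my $ae = Archive::Extract->new( archive => $gz )
    or die "Archive::Extract->new failed\n";
if ( $ae->extract( to => $outdir ) ) {
    my $file = File::Spec->catfile( $outdir, $ae->files->[0] );
    printf "preferred=%s wrote %s (%d bytes)\n",
        $Archive::Extract::PREFER_BIN ? 'command line' : 'pure perl',
        $file, -s $file;
}
else {
    # With WARN set to 0 this is the only place the failure is reported.
    die "extract failed: " . $ae->error . "\n";
}

# --- case 2: 'to' is not an existing directory ------------------------------
# For a gz archive the argument is then taken as the output file name.
my $target = File::Spec->catfile( $work, 'renamed.txt' );
my $ae2 = Archive::Extract->new( archive => $gz )
    or die "Archive::Extract->new failed\n";
$ae2->extract( to => $target ) or die "extract failed: " . $ae2->error . "\n";
print "written to $target\n" if -f $target;
```

PREFER_BIN only states a preference: the module still falls back to the other backend when the preferred one fails, so the "preferred" label printed above is the setting, not a guarantee of which tool ran. When a run misbehaves, set $Archive::Extract::DEBUG to 1 to see the exact command lines and their output.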

TODO

Mime magic support

Maybe this module should use something like File::Type to determine the type, rather than blindly trust the suffix.

BUG REPORTS

Please report bugs or other issues to <bug-archive-extract@rt.cpan.org>.

AUTHOR

This module by Jos Boumans <kane@cpan.org>.

COPYRIGHT

This library is free software; you may redistribute and/or modify it under the same terms as Perl itself.