#1138855 libio-compress-perl: CVE-2026-48961

Package:
perl
Source:
perl
Description:
Larry Wall's Practical Extraction and Report Language
Submitter:
Salvatore Bonaccorso
Date:
2026-06-06 17:35:05 UTC
Severity:
normal
Tags:
#1138855#5
Date:
2026-05-27 15:17:59 UTC
From:
To:
Hi,

The following vulnerability was published for libio-compress-perl.

CVE-2026-48961[0]:
| IO::Compress versions from 2.207 before 2.220 for Perl ship a
| zipdetails CLI tool that crashes with undefined subroutine on Info-
| ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in
| bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875)
| with UID Size or GID Size set to 8, causing zipdetails to decode an
| 8-byte UID or GID value, it dispatches through decodeLitteEndian(),
| which calls a misnamed helper unpackValueQ. The actual function
| defined in the same file is unpackValue_Q (with underscore); the
| call raises 'Undefined subroutine &main::unpackValueQ' and the
| script exits with status 255.  Library callers of IO::Compress and
| IO::Uncompress are not affected; the defect is in the bundled CLI
| tool.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48961
https://www.cve.org/CVERecord?id=CVE-2026-48961
[1] https://lists.security.metacpan.org/cve-announce/msg/40434383/
[2] https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
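
The CVE text above describes a width-keyed decoder in zipdetails whose 8-byte case dispatched to a helper name that did not exist, so a well-formed 0x7875 record with an 8-byte UID or GID took the tool down with an undefined-subroutine error. The Python below is an added illustration written for this page, not code from IO::Compress, from the upstream fix or from the bug report: it walks a ZIP extra-field block, parses the Info-ZIP "ux" record (version, UID size, UID, GID size, GID, all little-endian) through a dispatch table in which every declared width maps to a real decoder, and turns unsupported widths or truncated data into a ValueError instead of an uncaught crash. The `build_ux` helper, the `ux_error` helper and the sample bytes are constructed here for the demonstration.

```python
import struct

UX_TAG = 0x7875  # Info-ZIP "ux" Unix Extra Field, the tag named in the CVE text

# Dispatch table keyed by the declared integer width. Every entry is a real
# struct format, so an 8-byte UID or GID resolves to "<Q" rather than to a
# decoder name that does not exist (the failure mode described for zipdetails).
_LE_FORMATS = {1: "<B", 2: "<H", 4: "<L", 8: "<Q"}


def unpack_le(data: bytes, size: int) -> int:
    """Decode a little-endian unsigned integer of a declared width."""
    fmt = _LE_FORMATS.get(size)
    if fmt is None:
        raise ValueError(f"unsupported integer width {size}")
    if len(data) < size:
        raise ValueError(f"need {size} bytes, have {len(data)}")
    return struct.unpack(fmt, data[:size])[0]


def iter_extra_fields(extra: bytes):
    """Yield (tag, body) for each tag/size/body record in a ZIP extra-field block."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4 : pos + 4 + size]
        if len(body) != size:
            raise ValueError(f"extra field 0x{tag:04x} truncated")
        yield tag, body
        pos += 4 + size
    if pos != len(extra):
        raise ValueError("trailing bytes after last extra field")


def parse_ux(body: bytes) -> dict:
    """Parse the body of one 0x7875 record:
    version(1) uid_size(1) uid(uid_size) gid_size(1) gid(gid_size)."""
    if len(body) < 2:
        raise ValueError("ux field shorter than version + UID size")
    version, uid_size = body[0], body[1]
    pos = 2
    uid = unpack_le(body[pos:], uid_size)
    pos += uid_size
    if pos >= len(body):
        raise ValueError("ux field missing GID size")
    gid_size = body[pos]
    pos += 1
    gid = unpack_le(body[pos:], gid_size)
    pos += gid_size
    if pos != len(body):
        raise ValueError("ux field has trailing bytes")
    return {"version": version, "uid_size": uid_size, "uid": uid,
            "gid_size": gid_size, "gid": gid}


def ux_from_extra(extra: bytes):
    """Return the parsed ux record from an extra-field block, or None if absent."""
    for tag, body in iter_extra_fields(extra):
        if tag == UX_TAG:
            return parse_ux(body)
    return None


def ux_error(body: bytes):
    """Return the validation error for a ux body, or None if it parses cleanly."""
    try:
        parse_ux(body)
    except ValueError as exc:
        return str(exc)
    return None


def build_ux(uid: int, gid: int, size: int, version: int = 1) -> bytes:
    """Build a complete 0x7875 record (header + body) for test input (constructed helper)."""
    body = (bytes([version, size]) + uid.to_bytes(size, "little")
            + bytes([size]) + gid.to_bytes(size, "little"))
    return struct.pack("<HH", UX_TAG, len(body)) + body


# Constructed sample block: a ux record with 8-byte UID/GID followed by an
# extended-timestamp record (0x5455, flags=1, mtime) so the walker has to skip
# a record it does not interpret.
SAMPLE_EXTRA = (build_ux(1000, 1000, 8)
                + struct.pack("<HH", 0x5455, 5) + bytes([1])
                + (1700000000).to_bytes(4, "little"))

if __name__ == "__main__":
    print(ux_from_extra(SAMPLE_EXTRA))
    print(ux_error(bytes([1, 3, 0, 0, 0, 3, 0, 0, 0])))
```

The check that matters for the class of bug in the CVE is that the set of widths the parser accepts and the set of decoders it can actually call are the same table; a width that is not in the table is reported, not dispatched to a name that may or may not exist.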

#1138855#12
Date:
2026-05-27 18:05:46 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
libio-compress-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138052@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libio-compress-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 27 May 2026 19:42:45 +0200
Source: libio-compress-perl
Architecture: source
Version: 2.220-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 1138051 1138052 1138055
Changes:
 libio-compress-perl (2.220-1) unstable; urgency=medium
 .
   * Import upstream version 2.220.
     Fix CVE-2026-48959, CVE-2026-48961, CVE-2026-48962.
     Closes: #1138051, #1138052, #1138055.
   * Declare compliance with Debian Policy 4.7.4.
   * Drop lintian overrides for removed tags.
Checksums-Sha1:
 d93c87c3fca6cdae5f36513f7ff63fa049495945 2605 libio-compress-perl_2.220-1.dsc
 4b92aac7e1733d7ddcc1fda64e633acaa2c453d8 335845 libio-compress-perl_2.220.orig.tar.gz
 ff17095e422d0c4a441f0fd3b031d05f000e8509 7156 libio-compress-perl_2.220-1.debian.tar.xz
Checksums-Sha256:
 418a4a06f3bc1ab60076d4557738952d8b36cd31fc69cf1ab1eb7b3fda5739a5 2605 libio-compress-perl_2.220-1.dsc
 9d96ea291f2c54ef367c7396b857d93ba1ac1c4b2f1bce13ed8a3e5f3eebb627 335845 libio-compress-perl_2.220.orig.tar.gz
 61c3773dfae68a7ac4c250303dba1c493906b966351d4b0bc9a1a0b27ebbb897 7156 libio-compress-perl_2.220-1.debian.tar.xz
Files:
 c4b90d45ad2f9cd3a34115394cb97517 2605 perl optional libio-compress-perl_2.220-1.dsc
 1cc0e0a272f7f7342f209bf154f4e1a6 335845 perl optional libio-compress-perl_2.220.orig.tar.gz
 46c4dc2f0ec711b84a5e39c1770e0b27 7156 perl optional libio-compress-perl_2.220-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=y+Af
-----END PGP SIGNATURE-----

#1138855#17
Date:
2026-06-04 19:31:20 UTC
From:
To:
# CVE-2026-48962 in IO-Compress: all suites affected
clone 1138055 -1
reassign -1 perl 5.40.1-6
found -1 5.32.1-4
found -1 5.36.0-1
found -1 5.42.2-1

# CVE-2026-48961 in IO-Compress: reported as introduced in 2.207 so trixie onwards
clone 1138052 -2
reassign -2 perl 5.40.1-6
found -2 5.42.2-1

# CVE-2026-48959 in IO-Compress: all suites affected
clone 1138051 -3
reassign -3 perl 5.40.1-6
found -3 5.32.1-4
found -3 5.36.0-1
found -3 5.42.2-1

thanks

#1138855#36
Date:
2026-06-06 17:33:51 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138855@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 06 Jun 2026 17:22:29 +0300
Source: perl
Architecture: source
Version: 5.40.1-8
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Closes: 1137345 1138854 1138855 1138856 1138858 1138863 1138905 1138906
Changes:
 perl (5.40.1-8) unstable; urgency=medium
 .
   * [SECURITY] backport various fixes from upstream:
     + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
         (Closes: #1138863)
     + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.
         (Closes: #1138858)
     + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.
         (Closes: #1137345)
     + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
         (Closes: #1138856)
     + CVE-2026-48961: crash in zipdetails.
         (Closes: #1138855)
     + CVE-2026-48962: code execution in IO-Compress via output globs.
         (Closes: #1138854)
     + buffer overflows in pack().
         (Closes: #1138905)
     + buffer overflow in Storable.
         (Closes: #1138906)
Checksums-Sha1:
 feff9b43463d196f6744b2f51ab3094537900678 2372 perl_5.40.1-8.dsc
 a275dffed86a0d9a43dc87b7ffec3a03b8aab38d 179088 perl_5.40.1-8.debian.tar.xz
 efc987732ec29a37204e0cc26d43d761be2671d3 5338 perl_5.40.1-8_source.buildinfo
Checksums-Sha256:
 0df3684ddbed6c62651b8f682df33d2af54d47ee238958f30fa26ac066ee88d5 2372 perl_5.40.1-8.dsc
 621e16fec9e822ec835071aa3665ebd329142bcd270b86a6f9bb04cb94a1de08 179088 perl_5.40.1-8.debian.tar.xz
 bbf2de68263b588b9b82209e60f9ed9704f7021ffa9b08fab2da43f9c9485b93 5338 perl_5.40.1-8_source.buildinfo
Files:
 d9d1456beca9bb3f5535b82405708bfe 2372 perl standard perl_5.40.1-8.dsc
 46569b65055e962347a20985b9ec245a 179088 perl standard perl_5.40.1-8.debian.tar.xz
 ffcf467b4231949b678af8c4ae3651e3 5338 perl standard perl_5.40.1-8_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iKcEARMJAC8WIQTuZv2Xfg2x/uVxefeK/rNkDrE5sgUCaiRB+hEcbnR5bmlAZGVi
aWFuLm9yZwAKCRCK/rNkDrE5st5SAX9cPTfxh8ivQ7d4IBnal//ySr/1+zI8TyyB
J09rCB4SqkDM74u0tZtsSeIXuILCJ5UBgKav4TN0s0BVQ/Kv78fVzoAvLfYtm7dn
nojCgyWR8Nw+dYy5Gg04H/JmVY8GWBMzpA==
=Vizr
-----END PGP SIGNATURE-----

#1138855#41
Date:
2026-06-06 17:33:58 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138855@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 06 Jun 2026 18:02:30 +0300
Source: perl
Architecture: source
Version: 5.42.2-2
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Closes: 1137345 1138854 1138855 1138856 1138858 1138863 1138905 1138906
Changes:
 perl (5.42.2-2) experimental; urgency=medium
 .
   * [SECURITY] backport various fixes from upstream:
     + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
         (Closes: #1138863)
     + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.
         (Closes: #1138858)
     + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.
         (Closes: #1137345)
     + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
         (Closes: #1138856)
     + CVE-2026-48961: crash in zipdetails.
         (Closes: #1138855)
     + CVE-2026-48962: code execution in IO-Compress via output globs.
         (Closes: #1138854)
     + buffer overflows in pack().
         (Closes: #1138905)
     + buffer overflow in Storable.
         (Closes: #1138906)
Checksums-Sha1:
 fac7a2aa4e40bb502f1d0ce479f05bb76f4e7fe1 2372 perl_5.42.2-2.dsc
 9060d73f124395f973a8cfe3d6e412fbb93217ce 175608 perl_5.42.2-2.debian.tar.xz
 9cea33e3faf2aceb567e9db40aa4fff67e9264ad 5338 perl_5.42.2-2_source.buildinfo
Checksums-Sha256:
 e33c40124c7932ccebc7343c768e74347545dabf04b48a7b94a3b8d1a829a15c 2372 perl_5.42.2-2.dsc
 03dc1d547aa8271832042b2a66b8c71a72035c28ca736166fd27dc6d2aaa8afb 175608 perl_5.42.2-2.debian.tar.xz
 1b9c3872189b57ee52820e2d497dd8e99fdfb243e03a872f0013322a801380b2 5338 perl_5.42.2-2_source.buildinfo
Files:
 13b7988bfedecc286305774e1817e7d0 2372 perl standard perl_5.42.2-2.dsc
 0a7ad2361cdc8b893dbcad3628bcd09f 175608 perl standard perl_5.42.2-2.debian.tar.xz
 8ed1e5c781a84858dfb01c5d963d86a3 5338 perl standard perl_5.42.2-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iKcEARMJAC8WIQTuZv2Xfg2x/uVxefeK/rNkDrE5sgUCaiRCvBEcbnR5bmlAZGVi
aWFuLm9yZwAKCRCK/rNkDrE5soOOAXoDqPuy2hIDNgbVMnotKgfi7tU1TjmeDkEC
OfUCv1UOU/zgnn4mqFkVY0EtjSc74iUBf3LHLX7Tab7loNX6UtKcvkCmoY1uXvWf
a7YWnv6aOXsw9oPetRDgHQcOE9AHI6Mz8w==
=YN5x
-----END PGP SIGNATURE-----