OESA-2026-2654

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2654

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2026-2654.json

JSON Data

https://api.osv.dev/v1/vulns/OESA-2026-2654

Upstream

CVE-2026-48962

Published

2026-06-12T12:26:22Z

Modified

2026-06-12T12:45:14.466675251Z

Summary

perl-IO-Compress security update

Details

This distribution provides a Perl interface to allow reading and writing of compressed data created with the zlib and bzip2 libraries.

Security Fix(es):

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.

Arbitrary Perl in the output glob executes at the calling process's privilege.(CVE-2026-48962)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:24.03-LTS-SP1 / perl-IO-Compress

Package

Name: perl-IO-Compress
Purl: pkg:rpm/openEuler/perl-IO-Compress&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.206-3.oe2403sp1

Ecosystem specific

{
    "src": [
        "perl-IO-Compress-2.206-3.oe2403sp1.src.rpm"
    ],
    "noarch": [
        "perl-IO-Compress-2.206-3.oe2403sp1.noarch.rpm",
        "perl-IO-Compress-help-2.206-3.oe2403sp1.noarch.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-2654.json"