Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1753

NIXPKGS-2026-1753
published on
Permalink CVE-2025-15649
updated 4 days, 1 hour ago by @LeSuisse Activity log
  • Created suggestion 4 days, 16 hours ago
  • @LeSuisse ignored
    8 packages
    • perlPackages.CompressZlib
    • perlPackages.IOCompressBrotli
    • perl5Packages.IOCompressBrotli
    • perl538Packages.IOCompressBrotli
    • perl540Packages.CompressZlib
    • perl540Packages.IOCompressBrotli
    • perl5Packages.CompressZlib
    • perl538Packages.CompressZlib
    4 days, 1 hour ago
  • @LeSuisse accepted 4 days, 1 hour ago
  • @LeSuisse published on GitHub 4 days, 1 hour ago
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

Affected products

IO-Compress
  • <2.215

Matching in nixpkgs

Ignored packages (8)