Nixpkgs security tracker

Details of issue NIXPKGS-2026-1766

NIXPKGS-2026-1766
published on
updated 4 days ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • perlPackages.CompressZlib
    • perl538Packages.IOCompress
    • perl540Packages.IOCompress
    • perl538Packages.CompressZlib
    • perl540Packages.CompressZlib
    • perl5Packages.CompressZlib
    • perlPackages.IOCompressBrotli
    • perl5Packages.IOCompressBrotli
    • perl538Packages.IOCompressBrotli
    • perl540Packages.IOCompressBrotli
  • @LeSuisse restored
    2 packages
    • perl540Packages.IOCompress
    • perl538Packages.IOCompress
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via a per-byte read loop in fastForward. fastForward() clamps the read chunk size $c against length $offset (the digit count of the remaining offset, 1 to 19) instead of against $offset itself, so after the first iteration $c collapses from 16 KiB to a 1 to 19 byte chunk and never grows back. Extracting a named entry from an attacker-supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) makes the module skip every preceding member's compressed payload through this loop, so the number of reads scales linearly with the skipped members' compressed size, up to the non-Zip64 4 GiB cap.
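The following script is an added example and is not code from IO-Compress or from the nixpkgs tracker. The first half is a simplified model of the skip loop described above, with the chunk clamp written both the buggy way (length $offset) and the fixed way ($offset), counting how many reads each needs to skip the same number of bytes; skip_reads and the two clamp closures are names chosen here, not the module's. The second half builds a zip in memory whose first member is 1 MiB of constructed incompressible filler and then asks the installed IO::Uncompress::Unzip for the member after it by Name, so the elapsed time shows whether the installed version walks the filler byte by byte. Only the documented public API of IO::Compress::Zip and IO::Uncompress::Unzip is used.

```perl
#!/usr/bin/env perl
# Added example: model of the fastForward chunk-clamp bug, plus an end-to-end
# timing check against whatever IO-Compress is installed.
use strict;
use warnings;
use Time::HiRes qw(time);
use IO::Compress::Zip qw($ZipError);
use IO::Uncompress::Unzip qw($UnzipError);

# Model of the skip loop: consume $offset bytes in chunks of at most $c,
# one "read" per chunk. $pick_chunk decides how $c is clamped each time.
# Returns the number of reads it took. (Helper name chosen for this example.)
sub skip_reads {
    my ($offset, $pick_chunk) = @_;
    my $c     = 1024 * 16;    # initial chunk, as in the advisory (16 KiB)
    my $reads = 0;
    while ($offset > 0) {
        $c = $pick_chunk->($offset, $c);
        $offset -= $c;
        $reads++;
    }
    return $reads;
}

# Buggy clamp: compares the digit count of $offset (1..19), not its value,
# so $c drops to a handful of bytes on the first pass and stays there.
my $buggy = sub {
    my ($offset, $c) = @_;
    return length($offset) < $c ? length($offset) : $c;
};

# Fixed clamp: only shrink $c when fewer than $c bytes remain to be skipped.
my $fixed = sub {
    my ($offset, $c) = @_;
    return $offset < $c ? $offset : $c;
};

my $offset = 1_000_000;    # bytes of compressed data ahead of the wanted entry
printf "model: skipping %d bytes takes %d reads (buggy) vs %d reads (fixed)\n",
    $offset, skip_reads($offset, $buggy), skip_reads($offset, $fixed);

# End-to-end check: constructed zip with 1 MiB of random (incompressible)
# filler as the first member, followed by the member we actually want.
my $filler = pack 'N*', map { int rand 2**32 } 1 .. 256 * 1024;
my $zipdata;
my $z = IO::Compress::Zip->new(\$zipdata, Name => 'filler')
    or die "zip failed: $ZipError";
$z->print($filler);
$z->newStream(Name => 'target');
$z->print("hello\n");
$z->close;

# Reading 'target' by Name forces the module to skip 'filler' first; on an
# affected version that skip is done a few bytes per read.
my $t0 = time;
my $u = IO::Uncompress::Unzip->new(\$zipdata, Name => 'target')
    or die "unzip failed: $UnzipError";
my $got = '';
while (1) {
    my $buf;
    my $n = $u->read($buf);    # 0 at end of member, -1 on error
    last if $n <= 0;
    $got .= $buf;
}
$u->close;
printf "IO::Uncompress::Unzip %s: read %s in %.3f s\n",
    $IO::Uncompress::Unzip::VERSION,
    ($got eq "hello\n" ? 'target' : 'unexpected data'),
    time - $t0;
```

With the fixed clamp the model needs at most ceil($offset / 16384) reads, 62 for 1 MB; the buggy clamp needs on the order of $offset divided by the digit count, i.e. well over a hundred thousand reads for the same 1 MB, and the gap widens linearly with the size of the skipped member. To see which version a system is running without the harness, `perl -MIO::Uncompress::Unzip -e 'print "$IO::Uncompress::Unzip::VERSION\n"'` prints the installed version; anything below 2.220 is in the affected range.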

Affected products

IO-Compress
  • <2.220

Matching in nixpkgs

Ignored packages (8)