Updated perl-IO-Compress package fixes security vulnerabilities
Publication date: 29 May 2026
Modification date: 29 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-15649, CVE-2026-48959, CVE-2026-48961, CVE-2026-48962
Description
The updated package fixes security vulnerabilities:
IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught
exception when parsing a zip header with a malformed DOS date.
(CVE-2025-15649)
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU
exhaustion via a per-byte read loop in fastForward. (CVE-2026-48959)
IO::Compress versions before 2.220 for Perl can execute arbitrary code
in File::GlobMapper via an attacker-controlled output glob.
(CVE-2026-48962)
References
- https://bugs.mageia.org/show_bug.cgi?id=35593
- https://www.openwall.com/lists/oss-security/2026/05/27/1
- https://www.openwall.com/lists/oss-security/2026/05/27/2
- https://www.openwall.com/lists/oss-security/2026/05/27/3
- https://www.openwall.com/lists/oss-security/2026/05/27/4
- https://www.cve.org/CVERecord?id=CVE-2025-15649
- https://www.cve.org/CVERecord?id=CVE-2026-48959
- https://www.cve.org/CVERecord?id=CVE-2026-48961
- https://www.cve.org/CVERecord?id=CVE-2026-48962
SRPMS
9/core
- perl-IO-Compress-2.204.0-1.1.mga9