[security][CRITICAL] perl 5.42.0: CVE-2026-4176 require triage #1

Closed
opened 2026-04-29 04:36:19 +03:00 by sbelikov (Owner) · 1 comment

CVE triage request

Package

  • Package: perl
  • Version: 5.42.0
  • EVR: 5.42.0-1
  • Category: toolchain
  • Policy class: core-system
  • NiceOS policy class: -
  • Owner: toolchain-team
  • Severity: CRITICAL
  • Max CVSS: 9.8
  • CVE count: 1

LLM recommendation

RU

Critical vulnerability (CVSS 9.8) in the Compress::Raw::Zlib module bundled with the perl package, version 5.42.0. The vulnerability is caused by an outdated version of the zlib library used inside the module.

Immediately update the perl package to version 5.42.2-RC1 or newer, where the Compress::Raw::Zlib module has been updated to version 2.221 and the vulnerability is fixed.

Recommended action: update_package

Target version hint: 5.42.2-RC1

Checks:
1. Check the current version of the perl package via rpm -q perl.
2. Install the updated version (e.g. 5.42.2-RC1).
3. Check the version of the bundled Compress::Raw::Zlib module (e.g. via perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION' or an equivalent method).
4. Make sure the module version is 2.221 or higher.

Risks: Full memory disclosure (heap buffer overflow) when processing compressed data, which can lead to arbitrary code execution (RCE) at the kernel or Perl process level if the vulnerable module is invoked in a context that processes user-supplied data.

EN

Critical vulnerability (CVSS 9.8) in the Compress::Raw::Zlib module bundled with perl version 5.42.0. The vulnerability stems from an outdated version of the zlib library used within the module.

Immediately update the perl package to version 5.42.2-RC1 or later, where the Compress::Raw::Zlib module has been updated to version 2.221 and the vulnerability is fixed.

Recommended action: update_package

Target version hint: 5.42.2-RC1

Tests:
1. Check the current perl package version via rpm -q perl.
2. Install the updated package (e.g., 5.42.2-RC1).
3. Verify the version of the bundled Compress::Raw::Zlib module (e.g., via perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION' or similar).
4. Ensure the module version is 2.221 or higher.

Risks: Heap Buffer Overflow leading to arbitrary code execution (RCE) when processing compressed data. This can result in remote code execution if the vulnerable module is invoked in a context handling untrusted user data.

CVE candidates from NVD/CPE

CVE            Severity  CVSS  Match      NiceOS status  Reason
CVE-2026-4176  CRITICAL  9.8   cpe-range  needs_triage   package version is inside version range

Descriptions

CVE-2026-4176

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.

Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-4176"
  ],
  "fingerprint": "3fb1ea5240d0b6bd75c9",
  "generated_at": "2026-04-29T01:36:18Z",
  "package": "perl",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "5.42.0"
}
Comment by sbelikov (Author, Owner):

Triage/update note for NiceOS 5.2:

perl 5.42.0-1 is reported as affected by CVE-2026-4176, which is related to Compress::Raw::Zlib and its bundled/vendored zlib copy.

NiceOS-specific build note:

The current NiceOS Perl spec builds with:

export BUILD_ZLIB=0
export BUILD_BZIP2=0

So this package is expected to build Compress::Raw::Zlib against the system zlib instead of the bundled zlib copy. This may mitigate the original vendored-zlib exposure, but it must be verified from the built package, not assumed from the spec alone.

Resolution plan:

  • Keep Perl within the NiceOS 5.2 stable series: 5.42.x.
  • Update target: perl 5.42.0 → 5.42.2.
  • Do not use 5.42.2-RC1; final stable 5.42.2 is available.
  • Do not jump to 5.43.x; cross-series Perl updates require toolchain/rebuild review.

Expected upstream security fix:

  • Perl 5.42.2 contains the upstream CVE-2026-4176 fix.
  • Compress::Raw::Zlib should be updated to the fixed series, expected 2.222.

Validation required before closing:

perl -v
perl -MCompress::Raw::Zlib -e 'print "CRZ=$Compress::Raw::Zlib::VERSION\n"; print "ZLIB=", Compress::Raw::Zlib::ZLIB_VERSION(), "\n"'
find /usr/lib/perl5 -path '*Compress*Raw*Zlib*Zlib.so' -print -exec ldd {} \;
rpm -q perl
rpm -q --whatprovides 'perl(Compress::Raw::Zlib)'

Closure condition:

Close as fixed only after rpms/perl, Core/perl, and niceos-package-index confirm perl 5.42.2-1, and the built Compress::Raw::Zlib module is verified to use the system libz.so or otherwise contains the fixed upstream module version.

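The Tests list in the LLM recommendation and the closure condition in the comment above reduce to the same three facts: the installed perl version, the reported Compress::Raw::Zlib version against the 2.221 fix, and whether the built Zlib.so resolves libz from the system (BUILD_ZLIB=0) or carries the vendored copy. The script below is an added example, not part of this issue, the NiceOS tooling, or the perl package. It wraps the comment's commands in functions so the decision logic can be exercised against constructed ldd output; the module search root /usr/lib/perl5 is taken from the comment's find command and is overridable through PERL_LIB_ROOT (an assumed variable name), and an -RC suffix is treated as equal to the final release of the same number.

```shell
#!/bin/sh
# Added verification helper for the CVE-2026-4176 closure condition. Not part of
# the NiceOS issue or of the perl package. A Compress::Raw::Zlib build counts as
# fixed when it links the system libz.so OR reports the fixed module version.

CRZ_FIXED_VERSION="2.221"    # fixed Compress::Raw::Zlib version named in the CVE text
PERL_FIXED_VERSION="5.42.2"  # resolution-plan target for the 5.42.x series
PERL_LIB_ROOT="${PERL_LIB_ROOT:-/usr/lib/perl5}"   # assumed, matches the comment's find

# version_ge A B: succeed when dotted version A >= B, comparing numeric
# components in turn. A trailing "-RC1" is ignored by awk's numeric conversion,
# so 5.42.2-RC1 compares equal to 5.42.2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# crz_version_fixed V: succeed when $Compress::Raw::Zlib::VERSION is at or above the fix.
crz_version_fixed() {
    version_ge "$1" "$CRZ_FIXED_VERSION"
}

# ldd_uses_system_zlib: read ldd output on stdin; succeed only when libz is
# resolved to a real path. A bundled-zlib build links zlib statically, so no
# libz line appears; "=> not found" is deliberately not accepted either.
ldd_uses_system_zlib() {
    grep -q 'libz\.so[^ ]* => /'
}

# module_status CRZ_VERSION LDD_OUTPUT: print "fixed" or "vulnerable" according
# to the closure condition (system zlib OR fixed upstream module version).
module_status() {
    if printf '%s\n' "$2" | ldd_uses_system_zlib || crz_version_fixed "$1"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed ldd output for the two build configurations (not captured from a host).
SAMPLE_LDD_SYSTEM_ZLIB='    linux-vdso.so.1 (0x00007ffc00000000)
    libz.so.1 => /usr/lib64/libz.so.1 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'
SAMPLE_LDD_BUNDLED_ZLIB='    linux-vdso.so.1 (0x00007ffc00000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# run_checks: run the live commands from the triage comment on this host and
# return 0 only when both the perl version and the module status pass.
run_checks() {
    command -v perl >/dev/null 2>&1 || { echo "perl not installed"; return 2; }
    perl_ver=$(perl -e 'printf "%vd", $^V')
    crz_ver=$(perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION') || return 2
    zlib_ver=$(perl -MCompress::Raw::Zlib -e 'print Compress::Raw::Zlib::ZLIB_VERSION()')
    so=$(find "$PERL_LIB_ROOT" -path '*Compress*Raw*Zlib*Zlib.so' -print 2>/dev/null | head -n 1)
    ldd_out=""
    [ -n "$so" ] && ldd_out=$(ldd "$so" 2>/dev/null)
    status=$(module_status "$crz_ver" "$ldd_out")
    echo "perl=$perl_ver (target >= $PERL_FIXED_VERSION)"
    echo "Compress::Raw::Zlib=$crz_ver (fixed >= $CRZ_FIXED_VERSION) zlib=$zlib_ver"
    echo "Zlib.so=${so:-not found} status=$status"
    version_ge "$perl_ver" "$PERL_FIXED_VERSION" && [ "$status" = fixed ]
}

# Live checks run only with --run, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh check_perl_crz.sh --run` on the built host; the functions alone can be sourced into a CI job. A "fixed" verdict reached through the system-zlib branch only confirms that the vendored copy is not linked in; the zlib package itself still has to be triaged separately against the zlib-side CVEs the description mentions, which this script does not check.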