perl-IO-Compress-2.081-2.el8_10

エラータID: AXSA:2026-1105:01

Release date: 
Tuesday, June 30, 2026 - 17:48
Subject: 
perl-IO-Compress-2.081-2.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

This distribution provides a Perl interface to allow reading and writing of compressed data created with the zlib and bzip2 libraries. IO-Compress supports reading and writing of bzip2, RFC 1950, RFC 1951, RFC 1952 (i.e. gzip) and zip files/buffers. The following modules used to be distributed separately, but are now included with the IO-Compress distribution:

* Compress-Zlib
* IO-Compress-Zlib
* IO-Compress-Bzip2
* IO-Compress-Base

Security Fix(es):

* perl-IO-Compress: perl-IO-Compress: Arbitrary code execution via attacker-controlled output glob (CVE-2026-48962)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-48962
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. perl-IO-Compress-2.081-2.el8_10.src.rpm
    MD5: 4e1ba127eaf45bef5da38cac601293ff
    SHA-256: 22f4ccaccea273366baa6051808303054474868875dfea216b61351f90517b6a
    Size: 264.90 kB

Asianux Server 8 for x86_64
  1. perl-IO-Compress-2.081-2.el8_10.noarch.rpm
    MD5: e65b68986729becf90dbd99b17a6b911
    SHA-256: 094dde288c4a0e31366445865012aba57112216e08fb4ed2898d8e78e2d0152c
    Size: 257.46 kB