CVE-2025-15649

NameCVE-2025-15649
DescriptionIO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1138863

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libio-compress-perl (PTS)bullseye2.101-1vulnerable
bookworm2.204-1vulnerable
trixie2.213-1vulnerable
forky, sid2.220-1fixed
perl (PTS)bullseye5.32.1-4+deb11u3vulnerable
bullseye (security)5.32.1-4+deb11u5vulnerable
bookworm5.36.0-7+deb12u3vulnerable
bookworm (security)5.36.0-7+deb12u2vulnerable
trixie5.40.1-6vulnerable
forky, sid5.40.1-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libio-compress-perlsource(unstable)2.217-1
perlsource(unstable)5.40.1-81138863

Notes

https://lists.security.metacpan.org/cve-announce/msg/40434380/
https://github.com/pmqs/IO-Compress/issues/65
Fixed by: https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8 (v2.215)
Search for package or bug name: Reporting problems