Paul Johnson

**Name of the Vulnerable Software and Affected Versions** GD for Perl versions prior to 2.86 **Description** The ` make filehandle()` function in `GD::Image` uses Perl's 2-arg `open()` to process filename arguments. This allows OS command injection and file overwrite if a filename begins or ends with a pipe (e.g., "| cmd", "cmd |") or begins with a redirect (e.g., "> path", ">> path"). This issue affects every filename-accepting constructor, including `new()`, `newFromPng()`, and `newFromJpeg()`. Callers forwarding untrusted input as a pathname can execute arbitrary commands or truncate files under the process UID. In-memory *Data variants are not affected. **Recommendations** Update to version 2.86 or later.

**Name of the Vulnerable Software and Affected Versions** HTML::Entities versions prior to 3.84 **Description** The XS routine supporting ` decode entities()` caches a pointer (`repl`) to the entity-value SV returned by `hv fetch` on the `entity2char` hash. If the input SV is identical to a value SV in that hash and that value contains its own key as an entity reference, a subsequent call to `grow gap()` reallocates the SV's PV buffer. This action frees the backing allocation that `repl` still points to, causing the following copy loop to read `repl len` bytes from the freed memory. This can lead to the disclosure of adjacent heap contents into the destination SV. **Recommendations** Update to version 3.84 or later.

**Name of the Vulnerable Software and Affected Versions** Cpanel::JSON::XS versions prior to 4.41 **Description** Type confusion occurs when `dupkeys as arrayref` is enabled, allowing duplicate object keys to cause a crash. The `decode hv()` function collapses duplicate keys into an array reference; however, it performs a dereference operation on `old value` before confirming it is actually a reference. If the existing value is a plain scalar, the system attempts to dereference a non-reference scalar using a pointer derived from attacker-controlled content. **Recommendations** Update to version 4.41 or later. As a temporary workaround, disable the `dupkeys as arrayref` option when decoding untrusted JSON.

**Name of the Vulnerable Software and Affected Versions** Cpanel::JSON::XS versions prior to 4.41 **Description** An issue exists where providing input prefixed with a UTF-8 Byte Order Mark (BOM) can lead to a denial of service. When the `decode json()` function processes a 3-byte UTF-8 BOM, it advances the input scalar's string pointer using `SvPV set()`. If the decoding process is aborted via a Perl exception—such as when a `filter json object` callback throws an error—the pointer is not restored. This leaves the scalar with a shortened length and a string pointer offset into its own buffer. Consequently, when the scalar is freed, the allocator receives an invalid pointer, causing the interpreter to abort and crash the caller. **Recommendations** Update to version 4.41 or later.

**Name of the Vulnerable Software and Affected Versions** Sereal::Decoder versions prior to 5.005 **Description** An issue exists where crafted input can lead to a heap out-of-bounds read. In the file Perl/Decoder/srl decoder.c, the functions `srl read object()` and `srl read hash()` process a COPY tag, which is a back-reference that the decoder re-decodes as a fresh tag. If the target byte matches the SHORT BINARY pattern (an inline string with length encoded in the low bits of the tag), the resulting read may not be bounded to precede the COPY tag's offset and can exceed the input buffer. An attacker can control the COPY offset to land inside a previously decoded value, planting a byte that the decoder interprets as a SHORT BINARY tag, allowing the consumption of up to 31 subsequent bytes from the heap as a hash key or class name. **Recommendations** Update to version 5.005 or later.