Your message dated Tue, 05 May 2026 14:33:45 +0000
with message-id <[email protected]>
and subject line Bug#1135232: fixed in libtext-csv-xs-perl 1.62-1
has caused the Debian Bug report #1135232,
regarding libtext-csv-xs-perl: CVE-2026-7111
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135232
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libtext-csv-xs-perl
Version: 1.61-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/cpan-authors/Text-CSV_XS/issues/65
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libtext-csv-xs-perl.
CVE-2026-7111[0]:
| Text::CSV_XS versions before 1.62 for Perl have a use-after-free
| when registered callbacks extend the Perl argument stack, which may
| enable type confusion or memory corruption. The Parse, print,
| getline, and getline_all methods invoke registered callbacks (for
| example after_parse, before_print, or on_error) and cache the Perl
| argument stack pointer across the call. If a callback extends the
| argument stack enough to trigger a reallocation, the return value is
| written through the stale pointer into the freed buffer, and the
| caller reads the original $self argument as the return value
| instead. Calling code that expects parsed data from getline_all
| receives the Text::CSV_XS object in its place, leading to logic
| errors or crashes. Text::CSV_XS objects used without any registered
| callbacks are not affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-7111
https://www.cve.org/CVERecord?id=CVE-2026-7111
[1] https://github.com/cpan-authors/Text-CSV_XS/issues/65
[2] https://lists.security.metacpan.org/cve-announce/msg/39453344/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libtext-csv-xs-perl
Source-Version: 1.62-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libtext-csv-xs-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libtext-csv-xs-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 May 2026 15:52:28 +0200
Source: libtext-csv-xs-perl
Architecture: source
Version: 1.62-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1135232
Changes:
libtext-csv-xs-perl (1.62-1) unstable; urgency=medium
.
* Import upstream version 1.62.
+ Fix possible stack corruption: Fixes CVE-2026-7111.
Closes: #1135232
* Update years of upstream and packaging copyright.
* Bump versioned dependency on libencode-perl.
* Declare compliance with Debian Policy 4.7.4.
Checksums-Sha1:
6cd05f6da4f552886ab9ca25f5bc0168da3066a9 2613 libtext-csv-xs-perl_1.62-1.dsc
28a36d8e7fa11c18accb81036797fcc6c7fb73cd 286929
libtext-csv-xs-perl_1.62.orig.tar.gz
623ec61a91e371712ff9b044f8c401c100105f7c 8464
libtext-csv-xs-perl_1.62-1.debian.tar.xz
Checksums-Sha256:
8d0e6d34c0fb5a47810462507291da85f284a108bf89842981ac1708ab3b1b71 2613
libtext-csv-xs-perl_1.62-1.dsc
1710693eddaefdd56e74da42baa9ed676e7eaed28ebd303ad23c982fef2b1415 286929
libtext-csv-xs-perl_1.62.orig.tar.gz
07f8759b494aec5bb613c8f62e2942a52979b3c2c14af455274f2307587145e0 8464
libtext-csv-xs-perl_1.62-1.debian.tar.xz
Files:
b84030e6c36425549d055138343918c0 2613 perl optional
libtext-csv-xs-perl_1.62-1.dsc
d7a3748a5dca671e3ee3f874456993ae 286929 perl optional
libtext-csv-xs-perl_1.62.orig.tar.gz
ab1decbd818b3c29eaf72aa5c000537b 8464 perl optional
libtext-csv-xs-perl_1.62-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmn59wJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgYqig//VuACWCN+rvFZ1x0EBWj286bBiIwhXidPO+GsqWkmamFEbqpjv0Y6dNzL
SN/13GWIyigF4shsal0VgXJTJGrTXQgOd1Faup2Xb0eij35KapweRqb4aDA+eVpp
Dbq2seBSkAEOhGiHtKUMcGFG0I2FESNxn+l3ZKtSibBsb47smVnHGvV5abjl5eIG
7qPl2qgJ1+XbfkS16/ksbm/gajNNFtYCPjyeeXWFglewL9zY/j8lkW9I4KdLKeRX
bR5mYXJFH70ukjYrMTz7C6cQyW2fj3owtiDX4rZtY15L2yzY/R3N4ygLy/PgD85U
qvL20cAS/cRvJ39VOSTUTea1ddqeCn4svyvJITQubN4MTph44hHpV5q9gCizthL9
jt7RVzyMobvLoyDk1xs2MbWWX05o5BhXxQuSypqJ2CGJ2Qcr1VU3ExIkx79DG88L
facbnuoWFPV6uXdMdIphm+A6sf3QbaNXTRMawyw1TGe3HajNuxB8MnoMPCfSwRF4
FhtTRnsgHik3mS7vunImczfuxNiCFYX29T/x+XMJi2P2wu0WFlvyyBE+MM9c9wJM
xZ/N+RtKn7Q9ZBCb75aWLNEdTlPLnMW9/AswJID3kMk+1U4umPmsYLD590y+EbJC
DasZdSinv8RAC24EIZq3EodUPyhKj0nBQy1xI8DfBmFiShQVML8=
=3XUm
-----END PGP SIGNATURE-----
pgpsIdO9NnnT1.pgp
Description: PGP signature
--- End Message ---
