Your message dated Wed, 27 May 2026 18:05:46 +0000
with message-id <[email protected]>
and subject line Bug#1138052: fixed in libio-compress-perl 2.220-1
has caused the Debian Bug report #1138052,
regarding libio-compress-perl: CVE-2026-48961
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138052
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libio-compress-perl
Version: 2.219-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libio-compress-perl.
CVE-2026-48961[0]:
| IO::Compress versions from 2.207 before 2.220 for Perl ship a
| zipdetails CLI tool that crashes with undefined subroutine on Info-
| ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in
| bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875)
| with UID Size or GID Size set to 8, causing zipdetails to decode an
| 8-byte UID or GID value, it dispatches through decodeLitteEndian(),
| which calls a misnamed helper unpackValueQ. The actual function
| defined in the same file is unpackValue_Q (with underscore); the
| call raises 'Undefined subroutine &main::unpackValueQ' and the
| script exits with status 255. Library callers of IO::Compress and
| IO::Uncompress are not affected; the defect is in the bundled CLI
| tool.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-48961
https://www.cve.org/CVERecord?id=CVE-2026-48961
[1] https://lists.security.metacpan.org/cve-announce/msg/40434383/
[2] https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
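Added example, not part of the bug report or of upstream's code: a Python check for the condition the CVE text describes, listing archive members whose Info-ZIP Unix Extra Field (tag 0x7875) declares UID Size or GID Size 8, so such archives can be identified before they are handed to an affected zipdetails. The function names and the sample bytes are constructed for illustration, and the record layout (version byte, UID size, UID, GID size, GID) is taken from the Info-ZIP extra field definition.

```python
import struct
import zipfile

UX_TAG = 0x7875  # Info-ZIP Unix Extra Field tag named in the CVE text

# Constructed sample: one ux record with an 8-byte UID and a 4-byte GID.
SAMPLE_UX = struct.pack("<HHBBQBI", UX_TAG, 15, 1, 8, 1000, 4, 1000)


def decode_ux(extra: bytes):
    """Return (uid_size, uid, gid_size, gid) for the first ux record, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4 : pos + 4 + size]
        pos += 4 + size
        if tag != UX_TAG:
            continue
        if size < 3 or len(body) != size:
            return None  # empty or truncated record, nothing to decode
        uid_size = body[1]
        gid_off = 2 + uid_size
        if gid_off >= size:
            return None  # UID Size runs past the record
        gid_size = body[gid_off]
        if gid_off + 1 + gid_size > size:
            return None  # GID Size runs past the record
        uid = int.from_bytes(body[2:gid_off], "little")
        gid = int.from_bytes(body[gid_off + 1 : gid_off + 1 + gid_size], "little")
        return uid_size, uid, gid_size, gid
    return None


def members_with_8byte_ids(zip_file):
    """List members whose central-directory ux record has UID or GID Size 8.

    Reads ZipInfo.extra only, so local-header extra fields are not inspected.
    """
    hits = []
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            ux = decode_ux(info.extra)
            if ux and 8 in (ux[0], ux[2]):
                hits.append(info.filename)
    return hits
```

members_with_8byte_ids() accepts a path or an open binary file object, as zipfile.ZipFile does.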
--- Begin Message ---
Source: libio-compress-perl
Source-Version: 2.220-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libio-compress-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libio-compress-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 27 May 2026 19:42:45 +0200
Source: libio-compress-perl
Architecture: source
Version: 2.220-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1138051 1138052 1138055
Changes:
 libio-compress-perl (2.220-1) unstable; urgency=medium
 .
   * Import upstream version 2.220.
     Fix CVE-2026-48959, CVE-2026-48961, CVE-2026-48962.
     Closes: #1138051, #1138052, #1138055.
   * Declare compliance with Debian Policy 4.7.4.
   * Drop lintian overrides for removed tags.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---