Source: libsereal-decoder-perl Version: 5.004+ds-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for libsereal-decoder-perl. CVE-2026-8796[0]: | Sereal::Decoder versions before 5.005 for Perl allow heap out-of- | bounds read via crafted input. In Perl/Decoder/srl_decoder.c, | srl_read_object() and srl_read_hash() process a COPY tag, a back- | reference whose target byte the decoder re-decodes as a fresh tag. | When that target byte matches the SHORT_BINARY pattern (an inline | string whose length is encoded in the low bits of the tag), the | resulting read is not bounded to precede the COPY tag's own offset | and can run past the end of the input buffer. An attacker controlled | COPY offset can land inside a previously decoded value rather than | on a tag boundary, planting a byte that the decoder reads as a | SHORT_BINARY tag and consuming up to 31 following bytes from the | heap as a class name (OBJECT path) or hash key (HASH path). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-8796 https://www.cve.org/CVERecord?id=CVE-2026-8796 [1] https://lists.security.metacpan.org/cve-announce/msg/40571630/ [2] https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
