CVE-2020-36846: IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library
Timothy Legge 30 May 2025 00:52 UTC
========================================================================
CVE-2020-36846 CPAN Security Group
========================================================================
CVE ID: CVE-2020-36846
Distribution: IO-Compress-Brotli
Versions: before 0.007
MetaCPAN: https://metacpan.org/dist/IO-Compress-Brotli
VCS Repo: https://github.com/timlegge/perl-IO-Compress-Brotli
IO::Compress::Brotli versions prior to 0.007 for Perl have an integer
overflow in the bundled Brotli C library
Description
-----------
A buffer overflow, as described in CVE-2020-8927, exists in the
embedded Brotli library. Versions of IO::Compress::Brotli prior to
0.007 bundled a version of the brotli library prior to 1.0.8, in
which an attacker controlling the input length of a "one-shot"
decompression request to a script can trigger a crash; the crash
occurs when the library copies chunks of data larger than 2 GiB. It is
recommended to update your IO::Compress::Brotli module to 0.007 or
later. If one cannot update, we recommend using the "streaming" API as
opposed to the "one-shot" API, and imposing chunk size limits.
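The following script is an added illustration of the workaround above; it is not part of this advisory or of the IO-Compress-Brotli distribution. It feeds compressed input to the decoder in bounded chunks through the streaming object interface (IO::Uncompress::Brotli->create / decompress) and enforces caps on both compressed and decompressed size. The chunk size and the two limits are assumptions chosen for the example; the helper and constant names are hypothetical, and the one-shot unbro($input, $size) call mentioned in the comments is the pattern the advisory warns against, shown only for contrast.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or the module's own distribution):
# decompress Brotli data with the streaming API and explicit size caps
# rather than handing an attacker-sized buffer to the one-shot API.
use strict;
use warnings;
use File::Temp qw(tempfile);
use IO::Compress::Brotli;     # exports bro() for the sample data below
use IO::Uncompress::Brotli;   # provides the streaming decompressor object

# Assumed limits for this example; tune them to the service in question.
# Keeping every chunk far below 2 GiB avoids the oversized copy that
# overflowed in brotli < 1.0.8, and the output cap bounds amplification
# (decompression bombs) whatever library version is linked in.
use constant INPUT_CHUNK_BYTES => 64 * 1024;          # read 64 KiB at a time
use constant MAX_INPUT_BYTES   => 256 * 1024 * 1024;  # refuse > 256 MiB compressed
use constant MAX_OUTPUT_BYTES  => 1024 * 1024 * 1024; # refuse > 1 GiB decompressed

# Stream $in_fh through the decoder, writing plaintext to $out_fh.
# Returns the number of decompressed bytes written; dies if a limit is hit.
sub decompress_streaming {
    my ($in_fh, $out_fh) = @_;
    binmode $in_fh;
    binmode $out_fh;

    my $decoder = IO::Uncompress::Brotli->create;
    my ($in_total, $out_total) = (0, 0);

    my $n;
    while ($n = read $in_fh, my $block, INPUT_CHUNK_BYTES) {
        $in_total += $n;
        die "compressed input exceeds limit\n" if $in_total > MAX_INPUT_BYTES;

        # decompress() returns whatever output is available for this block;
        # the decoder keeps its own state across calls.
        my $plain = $decoder->decompress($block);
        $out_total += length $plain;
        die "decompressed output exceeds limit\n" if $out_total > MAX_OUTPUT_BYTES;

        print {$out_fh} $plain or die "write failed: $!\n";
    }
    die "read failed: $!\n" unless defined $n;
    return $out_total;
}

# Demo: build constructed sample data, compress it, then decompress it in
# bounded chunks. The pattern the advisory warns against would instead be
#     my $plain = unbro($untrusted_whole_buffer, $size);   # one-shot
# with the buffer length chosen by the remote party.
sub main {
    my $sample = join '', map { sprintf "record %06d: %s\n", $_, 'x' x 40 } 1 .. 5000;

    my ($in_fh, $in_path) = tempfile(UNLINK => 1);
    binmode $in_fh;
    print {$in_fh} bro($sample) or die "write failed: $!\n";
    close $in_fh or die "close failed: $!\n";

    open my $src, '<', $in_path or die "open $in_path: $!\n";
    my ($out_fh, $out_path) = tempfile(UNLINK => 1);
    my $written = decompress_streaming($src, $out_fh);
    close $src;
    close $out_fh or die "close failed: $!\n";

    # Verify the round trip so a silent truncation would be noticed.
    open my $chk, '<', $out_path or die "open $out_path: $!\n";
    binmode $chk;
    local $/;
    my $restored = <$chk>;
    close $chk;
    die "round trip mismatch\n" unless $restored eq $sample;
    printf "streamed %d compressed-derived bytes OK\n", $written;
}

main() unless caller;
```

The caps are deliberately separate: the per-read chunk size controls how much the C library is asked to handle in one call, the input cap limits how much a client can make the script read, and the output cap protects against highly compressible payloads even on a fixed library. Upgrading to 0.007 or later remains the actual fix; the limits are defence in depth that stay useful afterwards.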
Problem types
-------------
CWE-1395 Dependency on Vulnerable Third-Party Component
References
----------
https://github.com/google/brotli/pull/826
https://github.com/advisories/GHSA-5v8v-66v8-mwm7
https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52
https://nvd.nist.gov/vuln/detail/CVE-2020-8927
https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6
Credits
-------
Robert Rothenberg (RRWO), reporter