CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow

CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow Robert Rothenberg 21 Apr 2026 15:28 UTC

========================================================================
CVE-2017-20230                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2017-20230
   Distribution:  Storable
       Versions:  before 3.05

       MetaCPAN:  https://metacpan.org/dist/Storable
       VCS Repo:  https://github.com/Perl/perl5/

Storable versions before 3.05 for Perl has a stack overflow

Description
-----------
Storable versions before 3.05 for Perl has a stack overflow.

The retrieve_hook function stored the length of the class name into a
signed integer but in read operations treated the length as unsigned.
This allowed an attacker to craft data that could trigger the overflow.

Problem types
-------------
- CWE-121 Stack-based Buffer Overflow

Solutions
---------
Upgrade to Storable version 3.05 or newer.

References
----------
https://github.com/Perl/perl5/issues/15831
https://github.com/Perl/perl5/commit/a258c17c6937f79529c8319a829310e09cdbd216.patch
https://metacpan.org/release/RURBAN/Storable-3.05/changes
https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242533.html
https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242703.html

Timeline
--------
- 2017-01-24: Perl bug RT#30635 reported.
- 2017-01-25: Patch committed.
- 2017-01-29: Storable version 3.05 released.
- 2018-02-20: Perl v5.27.9 released with Storable 3.06.
- 2018-10-06: issue assigned CPANSA-Storable-2017-01 in the CPANSA
   distribution.