CVE-2017-20230 PUBLISHED

Storable versions before 3.05 for Perl has a stack overflow

Assigner: CPANSec
Reserved: 28.03.2026 Published: 21.04.2026 Updated: 21.04.2026

Storable versions before 3.05 for Perl has a stack overflow.

The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data that could trigger the overflow.

Product Status

Vendor	NWCLARK
Product	Storable
Versions	Default: unaffected affected from 0 to 3.05 (excl.)

Solutions

Upgrade to Storable version 3.05 or newer.

References

https://github.com/Perl/perl5/issues/15831
https://github.com/Perl/perl5/commit/a258c17c6937f79529c8319a829310e09cdbd216.patch
https://metacpan.org/release/RURBAN/Storable-3.05/changes
https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242533.html
https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242703.html

Problem Types

CWE-121 Stack-based Buffer Overflow CWE