Re-creating CVE-2024-56406 using docker container with affected Perl versions.
Please check out the link below for more information.
https://theweeklychallenge.org/blog/cve-2024-56406

Many thanx to Shawn Laffan for testing this version on Strawberry Perl.
I test it on my Debian machine first of course.
It took Shawn and myself a number of attempts to make all the test pass under the 2 types of OSes.

Over the past year, I’ve been self-studying XS and have now decided to share my learning journey through a series of blog posts. This second post introduces the fundamentals of type checking variables in XS.

This extended meeting took place between the three of us in person over several days at the PTS 2025 in the beautiful city of Leipzig.

Perl Toolchain Summit 2025, my first time, thanks to the organisers.
Here is my event report: https://theweeklychallenge.org/blog/pts-2025

What's new?

• The BoolLike type constraint accepts boolean.pm booleans.
• Type::Params offers some improvements for DWIM named parameter processing.
• More shortcuts are provided for exporting parameterized versions of type constraints.

I started using DEV at the suggestion of Perl Weekly, and I was quite pleased with it - until I discovered that links to dev.to are effectively "shadowbanned" on several major platforms (Reddit, Hacker News, etc.). Posts containing DEV URLs would simply not be shown to users, making it impossible to share content effectively.

To work around this, I thought I would need a way to publish my DEV articles on my own domain so I could freely share them. There are some DEV tutorials out there that explain how to consume the API using frontend frameworks like React, however I don't enjoy frontend at all and I did not want to spend much time on that.

My solution was to get a simple Perl script that builds static versions of the articles, along with an index page. A Perl 5 script will run anywhere, including an old shared linux hosting account I still keep on IONOS, and I really like the speed of static sites.

Now that we have set up our mbtiny configuration in the previous post, we can actually use it.

Minting a new distribution

Minting a distribution is trivial once you’ve completed the setup. It’s typically just a matter of calling mbtiny mint Foo::Bar. If needed you can override the global configuration at minting time (e.g.  mbtiny mint Foo::Bar --license BSD).

Converting an existing distribution

You can also convert an existing distribution to App::ModuleBuildTiny. In most cases that requires just two things:

Find out all about CVE and how we deal with it in Perl.
Please checkout the post for more information:
https://theweeklychallenge.org/blog/cve-in-perl

The three of us attended.

• Preparations for the point release are now in full swing.
• In relation to that, we ran into infrastructure permissions discrepancies that have cropped up due to an absence of onboarding/offboarding procedures. We need to address both the immediate and long-term issues here.
• We started winnowing this release cycle’s issues for potential release blockers. Out of about 95 issues, we have so far reviewed half, of which we identified 8 of interest. Additionally there are 72 pull requests to review.

[P5P posting of this summary]

Years ago I wrote about a concise fork idiom. It turns out that it’s possible to do better than everything I discussed in that entry as well as the proposals in the comments.

I didn’t at the time appreciate a clever aspect of variable scoping in Perl:

use strict;
sub get_answer { 0 }
if ( my $answer = get_answer ) {
    ...;
} else {
    print $answer;
}

App::ModuleBuildTiny is a relatively new authoring tool. It aims to be a relatively lightweight (at least to some other tools like Dist::Zilla) and newbie friendly tool. It supports two install tools: Module::Build::Tiny (obviously what it was originally designed for) and Dist::Build; it does not support ExtUtils::MakeMaker or Module::Build.

An introduction to newbie in Perl.
Please checkout the post for more information:
https://theweeklychallenge.org/blog/welcome-to-perl

All three were present.

• We went over developments on the point release front. Things are now finally moving, if slowly.
• We discussed some internal quality-of-life improvements to the PSC meeting workflow.
• We briefly reflected on our work as the PSC given our various personal circumstances this year.
• We discussed PPC 0027 (any/all), prompted by the Mojolicious::Lite DSL question. We went over its status, how the work got merged, and current issues with the design. We confirmed an already possible technical solution to the Mojolicious issue and agreed that it satisfies us for now, but we still intend to pick up the further issues at a later time.

[P5P posting of this summary]

(apologies for "promoting"(?) Perl obfuscation...)

Today I won a gift card at an in-office meeting with the following code. Challenge: print the numbers 1-100 in the most incomprehensible, inefficient way. My entry, edited for brevity:

#!/usr/bin/env perl
use v5.16;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
splice @_, @_, -1, ++$_;
# plus 95 more of this
say join $/, @_;

Thinking about it more this evening, I came up with

$SIG {__DIE__} = sub { $_ = (pop)+0; chomp; $_%6?say:exit};
{ select undef,undef,undef,1; eval { die time-$^T }; redo; }

(where 6 instead of 101 so I don't have to wait 100 seconds (and to be honest I'm not sure if there'll be rounding errors)).

Wonder if any obfuscators could come up with better (the less inefficient, incomprehensible the better).

I wrote very elliptically about this warning and received some helpful comments with the standard advice about how to proceed when encountering it. Except unfortunately that advice will be of no use when you encounter this warning.

Namely I should have been less cute about it and made it clear that I was specifically talking about a warning about a wide character “in substitution”. How can a s/// even possibly trigger a wide character warning, you ask? Beats me, to be entirely honest, even now, but: if you have a use locale somewhere, it turns out that it can. Because defeating that is what fixed the warning I was getting:

Have you used CPAN module MCE for parallel processing?

If not then you should checkout this post for introduction.

https://theweeklychallenge.org/blog/mce-how-to

We didn’t have a meeting last week. This week, everyone was here.

• We briefly talked about builtin. We think a numify function is quite necessary.
• We started reviewing release blockers for v5.42.

[P5P posting of this summary]

Control. That’s what we all desire and very rarely acquire. The natural restlessness that occurs when you watch one of your offspring flicking from one movie title to the next, barely glancing at the summary before rejecting it, is one of the reasons I don’t like family movie night. My daughter’s grip on the remote is as strong as her decision making skills are weak; I struggle silently to hold back any outburst that would expose my failing parenting abilities once again. I have to distract myself with thoughts of the good old days when the TV had only 4 channels and Teletext was the closest thing to internet. Desiring such regression is now getting much of a habit for me. But we change what we can, accept what we can’t and trust, often foolishly, that those blessed with control do the best for all of us. Ah, look. Another teen fantasy horror romance movie. Thanks a heap, Netflix.

Herewith V 1.24

Cheers