Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.

• https://github.com/advisories/GHSA-w77f-wv46-4vcx
• https://www.cve.org/CVERecord?id=CVE-2019-11922
• https://metacpan.org/release/YVES/Sereal-Decoder-4.010/changes

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

• https://github.com/facebook/zstd/issues/2491
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
• https://www.facebook.com/security/advisories/cve-2021-24032

In Miniz 2.0.7, tinfl_decompress in miniz_tinfl.c has an infinite loop because sym2 and counter can both remain equal to zero.

• https://github.com/richgel999/miniz/issues/90