5.8.7/CPAN.pm line 514. 5.8.7/CPAN.pm line 547. checklock() exploitable via the lockfile name and the hostname and pid in the lock file.

5.8.7/CPAN.pm line 892. tidyup() exploitable by getting it to attempt to tidy up a directory named something bad.

5.8.7/ExtUtils/Command/MM.pm line 194. perllocal_install() both parameters are exploitable. This is very low risk; the function typically accepts just developer input on the command line.

5.8.7/ExtUtils/Constant/Base.pm line 483. 5.8.7/ExtUtils/Constant/Base.pm line 552. The internal function switch_clause() accepts some data that's exploitable. This is used when generating XS code from constants. I think it's very unlikely this is really exploitable in any meaningful way. You'd have to accept unsafe source code for this to be a problem.

5.8.7/i686-linux/Sys/Syslog.pm line 321. syslog() The second parameter is passed largely unchanged into sprintf().

5.8.7/Test/Harness.pm line 710. _dubious_return appears to interpolate some information which might come from tests it's just run. I'm not sure if this accepts external data or not - I didn't trace it all the way through.

5.8.7/Hash/Util.pm line 85. lock_keys( @valid_keys ). If a hash is locked, a list of valid keys is passed, and the hash contains a key which is invalid under the rules, the invalid hash key is interpolated into the sprintf expression.

5.8.7/Locale/Maketext.pm line 85. Locale::Maketext::sprintf() is exploitable.

5.8.7/Tie/Handle.pm line 156. The default PRINTF function is exploitable.

5.8.7/i686-linux/IO/Handle.pm line 405. The ->printf method is exploitable.

5.8.7/Benchmark.pm line 594. 5.8.7/Benchmark.pm line 596. 5.8.7/Benchmark.pm line 598. 5.8.7/Benchmark.pm line 600. The first and third arguments of timestr() are exploitable but this isn't going to ever accept user input so it isn't really exploitable.

5.8.7/Benchmark.pm line 946. The first argument of timeit() is exploitable if $Benchmark::Debug is true. It's unlikely that parameter is ever open to user input so it probably isn't exploitable.

5.8.7/File/Temp.pm line 686. _is_safe( X, _ ) is exploitable in the first argument which is a directory name. Perhaps this is called on a potential directory for containing the temp file. The attacker might name the directory using an exploitable name.

5.8.7/Unicode/UCD.pm line 218. The entity is looked up in UnicodeData.txt. The entry is interpolated. This function is exploitable if the source file can be edited.

5.8.7/Pod/Perldoc.pm line 399. The $0 variable is interpolated.

5.8.7/CPAN.pm line 2744. The apparently unused hosthardest() interpolates hostnames. This is probably safe.
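
An added example, not code from the original post or from the Perl modules it lists: the pattern the list flags (external text reaching the format argument of sprintf) beside the constant-format form that avoids it. The function names, the pid value and the sample hostname are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: a hostname-like string that happens to contain
# printf directives. It stands in for any externally supplied text
# (a lock file's hostname field, a directory name, a syslog message).
my $untrusted = 'host-%s-%d.example';

# Flagged pattern: the untrusted text is interpolated into the FORMAT
# argument, so sprintf() parses the directives that arrived inside the data.
sub risky_message {
    my ($host) = @_;
    no warnings;    # the demo deliberately triggers sprintf argument warnings
    return sprintf("lock held by $host (pid %d)", 4242);
}

# Hardened pattern: the format is a constant single-quoted string and the
# untrusted text is only ever passed as an argument to %s.
sub safe_message {
    my ($host) = @_;
    return sprintf('lock held by %s (pid %d)', $host, 4242);
}

# For interfaces where the caller supplies the format itself (the post lists
# syslog(), ->printf and PRINTF), double every '%' so the text stays literal.
sub escape_format {
    my ($text) = @_;
    (my $escaped = $text) =~ s/%/%%/g;
    return $escaped;
}

# Audit helper: true if the text still holds a directive after removing
# literal '%%' pairs, i.e. it is unsafe to use as a format as-is.
sub has_directive {
    my ($text) = @_;
    (my $stripped = $text) =~ s/%%//g;
    return $stripped =~ /%/ ? 1 : 0;
}

# In the risky form the directives inside the hostname take the pid argument,
# so the pid is no longer reported where the format intended.
print 'risky:   ', risky_message($untrusted), "\n";
print 'safe:    ', safe_message($untrusted), "\n";
print 'escaped: ', sprintf(escape_format($untrusted)), "\n";
printf "directive in raw input: %d, after escaping: %d\n",
    has_directive($untrusted), has_directive(escape_format($untrusted));
```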