Skip to content
This repository has been archived by the owner on Jun 1, 2023. It is now read-only.

Latest commit

 

History

History
171 lines (109 loc) · 5.28 KB

perlcdelta.pod

File metadata and controls

171 lines (109 loc) · 5.28 KB
Raw

NAME

perlcdelta - what is new for cperl v5.28.2

DESCRIPTION

This document describes the differences between the cperl 5.28.1 and the cperl 5.28.2 release.

If you are upgrading from an earlier release such as v5.26.0c, first read the perl526*cdelta documentation, which describes differences between v5.26.0c and v5.26.3c

Security

[CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault

Integer arithmetic in Perl_my_setenv() could wrap when the combined length of the environment variable name and value exceeded around 0x7fffffff. This could lead to writing beyond the end of an allocated buffer with attacker supplied data.

[perl #133204]

Restrict my_setenv to ARG_MAX

perl5 fixed Perl_my_setenv() by allowing %ENV sizes larger than ARG_MAX (typically 128Kb), up to 2GB. This is considered a security risk. It writes onto the kernel stack, even if often caught by MAXEXECARGS "Argument list too long" kernel errors on the next exec call. cperl disallows %ENV larger than the sysconf(_SC_ARG_MAX)/MAX_ARG_STRLEN/ ARG_MAX/NCARGS size with a new "Environment size %d larger than the allowed %d" in perldiag error.

[cperl #329]. cperl-only.

[CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c)

A crafted regular expression could cause heap-buffer-overflow write during compilation, potentially allowing arbitrary code execution.

[perl #133423]

Modules and Pragmata

Updated Modules and Pragmata

Cpanel::JSON::XS 4.09

Silence Gconvert -Wunused-result.

Add unblessed_bool property (PR #118 by Pali)

Add seperate allow_dupkeys property, in relaxed (#122), Fixed allow_dupkeys for the XS slow path, Silence 2 -Wunused-value warnings, Fix ->unblessed_bool to produce modifiable perl structures (PR #121 by Pali).

ExtUtils::MakeMaker 8.35_08

Added -flto support for static libs (need the lto plugin) and D for deterministic builds, using arflags for AR_STATIC_ARGS, not just 'cr'.

fix FULLPERL for win32 cperl. cperl-only.

Storable 1.12_04

Fix stacklimit security issues introduced in the p5p release [cperl #393]. User limits must not be higher than the probed hard limits, when overridden by user code or data, via hooks or even pst data. cperl-only.

Testing

Selected Bug Fixes

  • Perl 5.28 introduced an index() optimization when comparing to -1 (or indirectly, e.g. >= 0). When this optimization was triggered inside a when clause it caused a warning ("Argument %s isn't numeric in smart match"). This has now been fixed. [perl #133368]

  • Matching of decimal digits in script runs, introduced in Perl 5.28, had a bug that led to "1\N{THAI DIGIT FIVE}" matching /^(*sr:\d+)$/ when it should not. This has now been fixed.

  • The new in-place editing code no longer leaks directory handles. [perl #133314]

Acknowledgements

cperl 5.28.2 represents approximately 5 months of development since cperl 5.28.1c and contains approximately 4,100 lines of changes across 80 files from 3 authors.

Excluding auto-generated files, documentation and release tools, there were approximately 1,100 lines of changes to 24 .pm, .t, .c and .h files.

The following people are known to have contributed the improvements that became cperl 5.28.2:

Reini Urban, David Mitchell, Karl Williamson.

Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.

For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.

Generated with:

cperl Porting/acknowledgements.pl cperl-5.28.1..HEAD -c

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at https://rt.perl.org/ . There may also be information at http://www.perl.org/ , the Perl Home Page.

If you believe you have an unreported bug, please run the cperlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to [email protected] to be analysed by the Perl porting team.

If you think it's a cperl specific bug or trust the cperl developers more please file an issue at https://github.com/perl11/cperl/issues.

If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see "SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec For details of how to report the issue.

SEE ALSO

The Changes file for an explanation of how to view exhaustive details on what changed.

The INSTALL file for how to build Perl.

The README file for general stuff.

The Artistic and Copying files for copyright information.