perl5225cdelta - what is new for cperl v5.22.5
This document describes perl-only differences between the cperl 5.22.4 release and the cperl 5.22.5 release.
For cperl also see Changes and perlcperl
@{ \327 \n } buffer overflowsFixed @{ \327 \n } tokenizer failures and heap buffer overflows in sv_vcatpvfn_flags() with wrong tracking of PL_linestr, the currently parsed line buffer. This can easily lead to security relevant exploits.
eval "q" . chr(overlarge) stack overflowIn eval "q" . chr(100000000064) generating the error message Can't find string terminator "XXX"' was overrunning a local buffer designed to hold a single utf8 char, since it wasn't allowing for the \0 at the end.
POSIX 2008 demands such an umask, but it is still problematic on Solaris, HP-UX and AIX and older libcs, e.g. glibc <= 2.06. The old umask 0177 was insecure.
E.g. <$fh\000> throws now the safe syscalls warning, and errors with Glob not terminated, and does not pass the illegal glob path to the internal or external glob.
See [cperl #342]
Fixed two security issues with the chroot op:
* fail on embedded NUL in the chroot argument. Set errno to EINVAL.
* If a call to chroot is not followed by a call to chdir("/") the chroot jail confinement can be violated. In Perl_pp_chroot: A call to chroot followed by an operation that may escape from the chroot jail. Coverity CID #165302 Insecure chroot.
'0' is a valid name for an archive, change 'iter' to check definedness. See https://metacpan.org/changes/distribution/Archive-Tar
Better CopFILE_set, Fixup arenasize refcnt. Delay cvref to init2, properly set a SvRV to a XS sub. Optimize constpv for CvFILE (less constants to merge for gcc). Improve NV precision by one digit. Fix to compile in utf8_heavy.pl, abstract and set %INC. Fix generation of @B::C::Config::deps on Windows. Fix !C99 precedence bug (e.g. MSVC). Minor refactor to simplify save_hek. Use the new get_svs, get_avs, get_hvs macros.
U32_MAX keys on 64bit. Better gperf and C++ support. Add --regen.
Update from upstream 2.16, plus keep our cperl and secure YAML:::XS support.
Merged with Parse::CPAN::Meta, cpan/Parse-CPAN-Meta is gone.
Update from upstream
Support filehandles for MM->parse_version.
Silence No library found errors on darwin for libSystem.dylib libs.
from latest cperl.
Merge 2.97000 from cpan with ours.
backported from latest cperl, TieHashDelta is now unused.
Without ' as pkg separator.
Added msys
Added all the man tests from upstream
3-arg open
Merge cpan 2.024 with our 2.021_02, plus fix some problems in their new code.
from cperl 5.27.3c
Fix and re-enable t/regression.t
More Darwin thread fixes for clock_gettime, Sierra support, test improvements.
Less runtime memory: demand-load Carp, Config
With the LYON concensus, affecting some tests with alpha versions. e.g. v1.1_0 does not warn anymore.
Fixed cperl.exe and cperl*.lib installation on windows.
t/porting/cmp_version.t was fixed together with EUMM to handle parsing versions from filehandles. Backported.
Changes which affect the interface available to XS code go here. Other significant internal changes for future core maintainers should be noted as well.
SvREADONLY_off(sv) is only usable as statement, not as expression anymore. It broke Sun C 5.12, in ByteLoader. See [cperl #183].
Out-of-bounds check elimination in loops has been fixed for lexical counters. E.g. with my @a=(0..4); for my $i (0..$#a) { $a[$i] } each access to $a[$i] in the loop is now really converted to the unchecked faster aelem_u op.
Note that multideref ops are not yet converted to omit out-of-bounds checks. This is only implemented since cperl-5.25, since it needs to widen the internal mderef structure.
When clearing a hv (with refcnt 0), HvKEYS crashed with an invalid mg on a placeholder. Just use HvTOTALKEYS instead.
Specifically in the S_space_join_names_mortal static function that several pp functions call. On some platforms (such as Gentoo Linux with torsocks), hent->h_aliases (where hent is a struct hostent *) may be null after a gethostent call.
Fixed return type of DynaLoader::dl_find_symbol_anywhere(), the address, not the name. [cperl #352].
cperl 5.22.5 represents approximately 17 months of development since cperl 5.22.4c and contains approximately 140,000 lines of changes across 880 files from 3 authors.
Excluding auto-generated files, documentation and release tools, there were approximately 54,000 lines of changes to 600 .pm, .t, .c and .h files.
The following people are known to have contributed the improvements that became cperl 5.22.5:
Reini Urban, Slaven Rezic, Father Chrysostomos.
The list above is almost certainly incomplete as it is automatically generated from version control history including the perl and cperl repos. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker and the cperl github issues.
Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.
For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.
Generated with:
cperl Porting/acknowledgements.pl cperl-5.22.4..HEAD -cIf you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at https://rt.perl.org/ . There may also be information at http://www.perl.org/ , the Perl Home Page.
If you believe you have an unreported bug, please run the perlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to perlbug@perl.org to be analysed by the Perl porting team.
If you think it's a cperl specific bug or trust the cperl developers more please file an issue at https://github.com/perl11/cperl/issues.
If the bug you are reporting has security implications, which make it inappropriate to send to a publicly archived mailing list, then please send it to perl5-security-report@perl.org. This points to a closed subscription unarchived mailing list, which includes all the core committers, who will be able to help assess the impact of issues, figure out a resolution, and help co-ordinate the release of patches to mitigate or fix the problem across all platforms on which Perl is supported. Please only use this address for security issues in the Perl core, not for modules independently distributed on CPAN.
If you trust the cperl developers more, please send an email to them. The p5p security teams skips many security issues, or are unwilling to fix them.
The Changes file for an explanation of how to view exhaustive details on what changed.
The INSTALL file for how to build Perl.
The README file for general stuff.
The Artistic and Copying files for copyright information.