|
| 1 | +=encoding utf8 |
| 2 | + |
| 3 | +=head1 NAME |
| 4 | + |
| 5 | +perl5263delta - what is new for perl v5.26.3 |
| 6 | + |
| 7 | +=head1 DESCRIPTION |
| 8 | + |
| 9 | +This document describes differences between the 5.26.2 release and the 5.26.3 |
| 10 | +release. |
| 11 | + |
| 12 | +If you are upgrading from an earlier release such as 5.26.1, first read |
| 13 | +L<perl5262delta>, which describes differences between 5.26.1 and 5.26.2. |
| 14 | + |
| 15 | +=head1 Security |
| 16 | + |
| 17 | +=head2 [CVE-2018-12015] Directory traversal in module Archive::Tar |
| 18 | + |
| 19 | +By default, L<Archive::Tar> doesn't allow extracting files outside the current |
| 20 | +working directory. However, this secure extraction mode could be bypassed by |
| 21 | +putting a symlink and a regular file with the same name into the tar file. |
| 22 | + |
| 23 | +L<[perl #133250]|https://rt.perl.org/Ticket/Display.html?id=133250> |
| 24 | +L<[cpan #125523]|https://rt.cpan.org/Ticket/Display.html?id=125523> |
| 25 | + |
| 26 | +=head2 [CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault |
| 27 | + |
| 28 | +Integer arithmetic in C<Perl_my_setenv()> could wrap when the combined length |
| 29 | +of the environment variable name and value exceeded around 0x7fffffff. This |
| 30 | +could lead to writing beyond the end of an allocated buffer with attacker |
| 31 | +supplied data. |
| 32 | + |
| 33 | +L<[perl #133204]|https://rt.perl.org/Ticket/Display.html?id=133204> |
| 34 | + |
| 35 | +=head2 [CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c) |
| 36 | + |
| 37 | +A crafted regular expression could cause heap-buffer-overflow write during |
| 38 | +compilation, potentially allowing arbitrary code execution. |
| 39 | + |
| 40 | +L<[perl #133423]|https://rt.perl.org/Ticket/Display.html?id=133423> |
| 41 | + |
| 42 | +=head2 [CVE-2018-18313] Heap-buffer-overflow read in S_grok_bslash_N (regcomp.c) |
| 43 | + |
| 44 | +A crafted regular expression could cause heap-buffer-overflow read during |
| 45 | +compilation, potentially leading to sensitive information being leaked. |
| 46 | + |
| 47 | +L<[perl #133192]|https://rt.perl.org/Ticket/Display.html?id=133192> |
| 48 | + |
| 49 | +=head2 [CVE-2018-18314] Heap-buffer-overflow write in S_regatom (regcomp.c) |
| 50 | + |
| 51 | +A crafted regular expression could cause heap-buffer-overflow write during |
| 52 | +compilation, potentially allowing arbitrary code execution. |
| 53 | + |
| 54 | +L<[perl #131649]|https://rt.perl.org/Ticket/Display.html?id=131649> |
| 55 | + |
| 56 | +=head1 Incompatible Changes |
| 57 | + |
| 58 | +There are no changes intentionally incompatible with 5.26.2. If any exist, |
| 59 | +they are bugs, and we request that you submit a report. See |
| 60 | +L</Reporting Bugs> below. |
| 61 | + |
| 62 | +=head1 Modules and Pragmata |
| 63 | + |
| 64 | +=head2 Updated Modules and Pragmata |
| 65 | + |
| 66 | +=over 4 |
| 67 | + |
| 68 | +=item * |
| 69 | + |
| 70 | +L<Archive::Tar> has been upgraded from version 2.24 to 2.24_01. |
| 71 | + |
| 72 | +=item * |
| 73 | + |
| 74 | +L<Module::CoreList> has been upgraded from version 5.20180414_26 to 5.20181129_26. |
| 75 | + |
| 76 | +=back |
| 77 | + |
| 78 | +=head1 Diagnostics |
| 79 | + |
| 80 | +The following additions or changes have been made to diagnostic output, |
| 81 | +including warnings and fatal error messages. For the complete list of |
| 82 | +diagnostic messages, see L<perldiag>. |
| 83 | + |
| 84 | +=head2 New Diagnostics |
| 85 | + |
| 86 | +=head3 New Errors |
| 87 | + |
| 88 | +=over 4 |
| 89 | + |
| 90 | +=item * |
| 91 | + |
| 92 | +L<Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> |
| 93 | + |
| 94 | +(F) While parsing an extended character class a ']' character was encountered |
| 95 | +at a point in the definition where the only legal use of ']' is to close the |
| 96 | +character class definition as part of a '])', you may have forgotten the close |
| 97 | +paren, or otherwise confused the parser. |
| 98 | + |
| 99 | +=item * |
| 100 | + |
| 101 | +L<Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> |
| 102 | + |
| 103 | +(F) While parsing a nested extended character class like: |
| 104 | + |
| 105 | + (?[ ... (?flags:(?[ ... ])) ... ]) |
| 106 | + ^ |
| 107 | + |
| 108 | +we expected to see a close paren ')' (marked by ^) but did not. |
| 109 | + |
| 110 | +=item * |
| 111 | + |
| 112 | +L<Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> |
| 113 | + |
| 114 | +(F) While parsing a nested extended character class like: |
| 115 | + |
| 116 | + (?[ ... (?flags:(?[ ... ])) ... ]) |
| 117 | + ^ |
| 118 | + |
| 119 | +we expected to see a close paren ')' (marked by ^) but did not. |
| 120 | + |
| 121 | +=back |
| 122 | + |
| 123 | +=head2 Changes to Existing Diagnostics |
| 124 | + |
| 125 | +=over 4 |
| 126 | + |
| 127 | +=item * |
| 128 | + |
| 129 | +L<Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> |
| 130 | + |
| 131 | +This fatal error message has been slightly expanded (from "Syntax error in |
| 132 | +(?[...]) in regex mE<sol>%sE<sol>") for greater clarity. |
| 133 | + |
| 134 | +=back |
| 135 | + |
| 136 | +=head1 Acknowledgements |
| 137 | + |
| 138 | +Perl 5.26.3 represents approximately 8 months of development since Perl 5.26.2 |
| 139 | +and contains approximately 4,500 lines of changes across 51 files from 15 |
| 140 | +authors. |
| 141 | + |
| 142 | +Excluding auto-generated files, documentation and release tools, there were |
| 143 | +approximately 770 lines of changes to 10 .pm, .t, .c and .h files. |
| 144 | + |
| 145 | +Perl continues to flourish into its third decade thanks to a vibrant community |
| 146 | +of users and developers. The following people are known to have contributed |
| 147 | +the improvements that became Perl 5.26.3: |
| 148 | + |
| 149 | +Aaron Crane, Abigail, Chris 'BinGOs' Williams, Dagfinn Ilmari Mannsåker, David |
| 150 | +Mitchell, H.Merijn Brand, James E Keenan, John SJ Anderson, Karen Etheridge, |
| 151 | +Karl Williamson, Sawyer X, Steve Hay, Todd Rinaldo, Tony Cook, Yves Orton. |
| 152 | + |
| 153 | +The list above is almost certainly incomplete as it is automatically generated |
| 154 | +from version control history. In particular, it does not include the names of |
| 155 | +the (very much appreciated) contributors who reported issues to the Perl bug |
| 156 | +tracker. |
| 157 | + |
| 158 | +Many of the changes included in this version originated in the CPAN modules |
| 159 | +included in Perl's core. We're grateful to the entire CPAN community for |
| 160 | +helping Perl to flourish. |
| 161 | + |
| 162 | +For a more complete list of all of Perl's historical contributors, please see |
| 163 | +the F<AUTHORS> file in the Perl source distribution. |
| 164 | + |
| 165 | +=head1 Reporting Bugs |
| 166 | + |
| 167 | +If you find what you think is a bug, you might check the perl bug database |
| 168 | +at L<https://rt.perl.org/> . There may also be information at |
| 169 | +L<http://www.perl.org/> , the Perl Home Page. |
| 170 | + |
| 171 | +If you believe you have an unreported bug, please run the L<perlbug> program |
| 172 | +included with your release. Be sure to trim your bug down to a tiny but |
| 173 | +sufficient test case. Your bug report, along with the output of C<perl -V>, |
| 174 | +will be sent off to perlbug@perl.org to be analysed by the Perl porting team. |
| 175 | + |
| 176 | +If the bug you are reporting has security implications which make it |
| 177 | +inappropriate to send to a publicly archived mailing list, then see |
| 178 | +L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> |
| 179 | +for details of how to report the issue. |
| 180 | + |
| 181 | +=head1 Give Thanks |
| 182 | + |
| 183 | +If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, |
| 184 | +you can do so by running the C<perlthanks> program: |
| 185 | + |
| 186 | + perlthanks |
| 187 | + |
| 188 | +This will send an email to the Perl 5 Porters list with your show of thanks. |
| 189 | + |
| 190 | +=head1 SEE ALSO |
| 191 | + |
| 192 | +The F<Changes> file for an explanation of how to view exhaustive details on |
| 193 | +what changed. |
| 194 | + |
| 195 | +The F<INSTALL> file for how to build Perl. |
| 196 | + |
| 197 | +The F<README> file for general stuff. |
| 198 | + |
| 199 | +The F<Artistic> and F<Copying> files for copyright information. |
| 200 | + |
| 201 | +=cut |
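Review bot: The two entries for CVE-2018-18312 and CVE-2018-18314 in the Security section carry an identical heading ("Heap-buffer-overflow write in S_regatom (regcomp.c)") and identical body text, so a reader cannot tell the two issues apart beyond their ticket numbers (#133423 and #131649); suggest giving each a distinguishing phrase about the pattern construct involved, or at least stating that they are separate bugs in the same function fixed independently. Two smaller points: the "Give Thanks" paragraph says "for the work we had done in Perl 5", which should read "the work we have done"; and the list items under "New Errors" for "Expecting close paren for nested extended charclass" and "Expecting close paren for wrapper for nested extended charclass" reuse the same explanatory text and the same caret diagram, so the wrapper variant does not explain what differs (presumably the "(?flags:" wrapper paren versus the inner "(?[" paren); a second diagram with the caret under the other close paren would make the distinction clear.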