diff options
Diffstat (limited to 'pod/perl5263delta.pod')
| -rw-r--r-- | pod/perl5263delta.pod | 201 |
1 files changed, 201 insertions, 0 deletions
diff --git a/pod/perl5263delta.pod b/pod/perl5263delta.pod new file mode 100644 index 0000000000..43ec1f45a6 --- /dev/null +++ b/pod/perl5263delta.pod @@ -0,0 +1,201 @@ +=encoding utf8 + +=head1 NAME + +perl5263delta - what is new for perl v5.26.3 + +=head1 DESCRIPTION + +This document describes differences between the 5.26.2 release and the 5.26.3 +release. + +If you are upgrading from an earlier release such as 5.26.1, first read +L<perl5262delta>, which describes differences between 5.26.1 and 5.26.2. + +=head1 Security + +=head2 [CVE-2018-12015] Directory traversal in module Archive::Tar + +By default, L<Archive::Tar> doesn't allow extracting files outside the current +working directory. However, this secure extraction mode could be bypassed by +putting a symlink and a regular file with the same name into the tar file. + +L<[perl #133250]|https://rt.perl.org/Ticket/Display.html?id=133250> +L<[cpan #125523]|https://rt.cpan.org/Ticket/Display.html?id=125523> + +=head2 [CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault + +Integer arithmetic in C<Perl_my_setenv()> could wrap when the combined length +of the environment variable name and value exceeded around 0x7fffffff. This +could lead to writing beyond the end of an allocated buffer with attacker +supplied data. + +L<[perl #133204]|https://rt.perl.org/Ticket/Display.html?id=133204> + +=head2 [CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow write during +compilation, potentially allowing arbitrary code execution. + +L<[perl #133423]|https://rt.perl.org/Ticket/Display.html?id=133423> + +=head2 [CVE-2018-18313] Heap-buffer-overflow read in S_grok_bslash_N (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow read during +compilation, potentially leading to sensitive information being leaked. + +L<[perl #133192]|https://rt.perl.org/Ticket/Display.html?id=133192> + +=head2 [CVE-2018-18314] Heap-buffer-overflow write in S_regatom (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow write during +compilation, potentially allowing arbitrary code execution. + +L<[perl #131649]|https://rt.perl.org/Ticket/Display.html?id=131649> + +=head1 Incompatible Changes + +There are no changes intentionally incompatible with 5.26.2. If any exist, +they are bugs, and we request that you submit a report. See +L</Reporting Bugs> below. + +=head1 Modules and Pragmata + +=head2 Updated Modules and Pragmata + +=over 4 + +=item * + +L<Archive::Tar> has been upgraded from version 2.24 to 2.24_01. + +=item * + +L<Module::CoreList> has been upgraded from version 5.20180414_26 to 5.20181129_26. + +=back + +=head1 Diagnostics + +The following additions or changes have been made to diagnostic output, +including warnings and fatal error messages. For the complete list of +diagnostic messages, see L<perldiag>. + +=head2 New Diagnostics + +=head3 New Errors + +=over 4 + +=item * + +L<Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +(F) While parsing an extended character class a ']' character was encountered +at a point in the definition where the only legal use of ']' is to close the +character class definition as part of a '])', you may have forgotten the close +paren, or otherwise confused the parser. + +=item * + +L<Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +(F) While parsing a nested extended character class like: + + (?[ ... (?flags:(?[ ... ])) ... ]) + ^ + +we expected to see a close paren ')' (marked by ^) but did not. + +=item * + +L<Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +(F) While parsing a nested extended character class like: + + (?[ ... (?flags:(?[ ... ])) ... ]) + ^ + +we expected to see a close paren ')' (marked by ^) but did not. + +=back + +=head2 Changes to Existing Diagnostics + +=over 4 + +=item * + +L<Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +This fatal error message has been slightly expanded (from "Syntax error in +(?[...]) in regex mE<sol>%sE<sol>") for greater clarity. + +=back + +=head1 Acknowledgements + +Perl 5.26.3 represents approximately 8 months of development since Perl 5.26.2 +and contains approximately 4,500 lines of changes across 51 files from 15 +authors. + +Excluding auto-generated files, documentation and release tools, there were +approximately 770 lines of changes to 10 .pm, .t, .c and .h files. + +Perl continues to flourish into its third decade thanks to a vibrant community +of users and developers. The following people are known to have contributed +the improvements that became Perl 5.26.3: + +Aaron Crane, Abigail, Chris 'BinGOs' Williams, Dagfinn Ilmari Mannsåker, David +Mitchell, H.Merijn Brand, James E Keenan, John SJ Anderson, Karen Etheridge, +Karl Williamson, Sawyer X, Steve Hay, Todd Rinaldo, Tony Cook, Yves Orton. + +The list above is almost certainly incomplete as it is automatically generated +from version control history. In particular, it does not include the names of +the (very much appreciated) contributors who reported issues to the Perl bug +tracker. + +Many of the changes included in this version originated in the CPAN modules +included in Perl's core. We're grateful to the entire CPAN community for +helping Perl to flourish. + +For a more complete list of all of Perl's historical contributors, please see +the F<AUTHORS> file in the Perl source distribution. + +=head1 Reporting Bugs + +If you find what you think is a bug, you might check the perl bug database +at L<https://rt.perl.org/> . There may also be information at +L<http://www.perl.org/> , the Perl Home Page. + +If you believe you have an unreported bug, please run the L<perlbug> program +included with your release. Be sure to trim your bug down to a tiny but +sufficient test case. Your bug report, along with the output of C<perl -V>, +will be sent off to perlbug@perl.org to be analysed by the Perl porting team. + +If the bug you are reporting has security implications which make it +inappropriate to send to a publicly archived mailing list, then see +L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> +for details of how to report the issue. + +=head1 Give Thanks + +If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, +you can do so by running the C<perlthanks> program: + + perlthanks + +This will send an email to the Perl 5 Porters list with your show of thanks. + +=head1 SEE ALSO + +The F<Changes> file for an explanation of how to view exhaustive details on +what changed. + +The F<INSTALL> file for how to build Perl. + +The F<README> file for general stuff. + +The F<Artistic> and F<Copying> files for copyright information. + +=cut |