From 51e4a60d9a445bb351fe9892399c6c3473172986 Mon Sep 17 00:00:00 2001 From: Steve Hay Date: Fri, 15 May 2020 12:07:08 +0100 Subject: perldelta - Document security fixes --- pod/perldelta.pod | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/pod/perldelta.pod b/pod/perldelta.pod index 3e057d7d8b..a957435ac4 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod 
@@ -14,16 +14,43 @@ L, which describes differences between 5.30.1 and 5.30.2. =head1 Security -XXX Any security-related notices go here. In particular, any security -vulnerabilities closed should be noted here rather than in the -Selected Bug Fixes section. +=head2 [CVE-2020-10543] Buffer overflow caused by a crafted regular expression -[ List each security issue as a =head2 entry ] +A signed C integer overflow in the storage space calculations for +nested regular expression quantifiers could cause a heap buffer overflow in +Perl's regular expression compiler that overwrites memory allocated after the +regular expression storage space with attacker supplied data. + +The target system needs a sufficient amount of memory to allocate partial +expansions of the nested quantifiers prior to the overflow occurring. This +requirement is unlikely to be met on 64-bit systems. + +=head2 [CVE-2020-10878] Integer overflow via malformed bytecode produced by a crafted regular expression + +Integer overflows in the calculation of offsets between instructions for the +regular expression engine could cause corruption of the intermediate language +state of a compiled regular expression. An attacker could abuse this behaviour +to insert instructions into the compiled form of a Perl regular expression. + +=head2 [CVE-2020-12723] Buffer overflow caused by a crafted regular expression + +Recursive calls to C by Perl's regular expression compiler to +optimize the intermediate language representation of a regular expression could +cause corruption of the intermediate language state of a compiled regular +expression. + +=head2 Additional Note + +An application written in Perl would only be vulnerable to any of the above +flaws if it evaluates regular expressions supplied by the attacker. Evaluating +regular expressions in this fashion is known to be dangerous since the regular +expression engine does not protect against denial of service attacks in this +usage scenario. 
=head1 Incompatible Changes -There are no changes intentionally incompatible with 5.30.2. If any exist, -they are bugs, and we request that you submit a report. See +There are no changes intentionally incompatible with Perl 5.30.2. If any +exist, they are bugs, and we request that you submit a report. See L below. =head1 Modules and Pragmata @@ -53,7 +80,7 @@ XXX Generate this with: If you find what you think is a bug, you might check the perl bug database at L. There may also be information at -L, the Perl Home Page. +L, the Perl Home Page. If you believe you have an unreported bug, please open an issue at L. Be sure to trim your bug down to a @@ -66,8 +93,8 @@ report the issue. =head1 Give Thanks -If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, -you can do so by running the C program: +If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, you +can do so by running the C program: perlthanks -- cgit v1.2.1
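Review bot: In the Security hunk, "attacker supplied data" in the CVE-2020-10543 entry and "denial of service attacks" in the Additional Note should be hyphenated as compound modifiers ("attacker-supplied data", "denial-of-service attacks") to match the rest of the pod. Also, as the hunk reads here, the C formatting code in "A signed C integer overflow" and in "Recursive calls to C by Perl's regular expression compiler" shows no content between the code and the following word; please confirm the intended identifiers (the type in the CVE-2020-10543 entry and the function name in the CVE-2020-12723 entry) are actually present in the committed file, since an empty C<> renders as nothing and leaves the sentence without its subject.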
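Review bot: The Give Thanks hunk only rewraps the sentence but keeps "the work we had done in Perl 5"; since the line is being touched anyway, "the work we have done in Perl 5" is the natural tense here and is the wording used in other perldelta files. Suggested line: "If you wish to thank the Perl 5 Porters for the work we have done in Perl 5, you".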