From b1f92e56d2e54dea1e73475cbc081c03f68ef643 Mon Sep 17 00:00:00 2001 From: Steve Hay Date: Wed, 7 Nov 2018 21:10:42 +0000 Subject: perldelta - Updates for security fixes and diagnostics --- pod/perldelta.pod | 73 ++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 64 insertions(+), 9 deletions(-) diff --git a/pod/perldelta.pod b/pod/perldelta.pod index ab8215f44a..da8b4d76e7 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod 
@@ -14,9 +14,44 @@ L, which describes differences between 5.26.1 and 5.26.2. =head1 Security -=head2 XXX +=head2 [CVE-2018-12015] Directory traversal in module Archive::Tar -XXX +By default, L doesn't allow extracting files outside the current +working directory. However, this secure extraction mode could be bypassed by +putting a symlink and a regular file with the same name into the tar file. + +L<[perl #133250]|https://rt.perl.org/Ticket/Display.html?id=133250> +L<[cpan #125523]|https://rt.cpan.org/Ticket/Display.html?id=125523> + +=head2 [CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault + +Integer arithmetic in C could wrap when the combined length +of the environment variable name and value exceeded around 0x7fffffff. This +could lead to writing beyond the end of an allocated buffer with attacker +supplied data. + +L<[perl #133204]|https://rt.perl.org/Ticket/Display.html?id=133204> + +=head2 [CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow write during +compilation, potentially allowing arbitrary code execution. + +L<[perl #133423]|https://rt.perl.org/Ticket/Display.html?id=133423> + +=head2 [CVE-2018-18313] Heap-buffer-overflow read in S_grok_bslash_N (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow read during +compilation, potentially leading to sensitive information being leaked. + +L<[perl #133192]|https://rt.perl.org/Ticket/Display.html?id=133192> + +=head2 [CVE-2018-18314] Heap-buffer-overflow write in S_regatom (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow write during +compilation, potentially allowing arbitrary code execution. + +L<[perl #131649]|https://rt.perl.org/Ticket/Display.html?id=131649> =head1 Incompatible Changes 
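Review bot: the headings and descriptions for CVE-2018-18312 and CVE-2018-18314 are word-for-word identical ("Heap-buffer-overflow write in S_regatom (regcomp.c)" / "A crafted regular expression could cause heap-buffer-overflow write during compilation, potentially allowing arbitrary code execution."), so a reader of the Security section cannot tell the two fixes apart without following the ticket links; add a distinguishing detail to each entry (which regex construct triggers it, or at least the ticket number in the heading). The Archive::Tar entry should also state which Archive::Tar version carries the fix, since readers check the bundled module version to confirm they are covered, and "exceeded around 0x7fffffff" in the CVE-2018-18311 entry would read better as the exact condition the fix checks rather than an approximation.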
@@ -54,27 +89,47 @@ diagnostic messages, see L. =item * -XXX L +L-- HERE in mE%sE|perldiag/"Unexpected ']' with no following ')' in (?[... in regex; marked by E-- HERE in mE%sE"> -=back +(F) While parsing an extended character class a ']' character was encountered +at a point in the definition where the only legal use of ']' is to close the +character class definition as part of a '])', you may have forgotten the close +paren, or otherwise confused the parser. -=head2 Changes to Existing Diagnostics +=item * -=over 4 +L-- HERE in mE%sE|perldiag/"Expecting close paren for nested extended charclass in regex; marked by E-- HERE in mE%sE"> + +(F) While parsing a nested extended character class like: + + (?[ ... (?flags:(?[ ... ])) ... ]) + ^ + +we expected to see a close paren ')' (marked by ^) but did not. =item * -XXX Describe change here +L-- HERE in mE%sE|perldiag/"Expecting close paren for wrapper for nested extended charclass in regex; marked by E-- HERE in mE%sE"> + +(F) While parsing a nested extended character class like: + + (?[ ... (?flags:(?[ ... ])) ... ]) + ^ + +we expected to see a close paren ')' (marked by ^) but did not. =back -=head1 Selected Bug Fixes +=head2 Changes to Existing Diagnostics =over 4 =item * -XXX +L-- HERE in mE%sE|perldiag/"Syntax error in (?[...]) in regex; marked by E-- HERE in mE%sE"> + +This fatal error message has been slightly expanded (from "Syntax error in +(?[...]) in regex mE%sE") for greater clarity. =back -- cgit v1.2.1
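Review bot: the two new entries "Expecting close paren for nested extended charclass" and "Expecting close paren for wrapper for nested extended charclass" carry identical explanations, including the same diagram with the caret under the same paren, so the text never tells the user which of the two closing parens was missing; in the diagram "(?[ ... (?flags:(?[ ... ])) ... ])" the first ')' of "]))" closes the nested charclass and the second closes the "(?flags:" wrapper, so the wrapper entry should put its caret under that second paren and say so. Also, the "Unexpected ']'" description is a comma splice: "as part of a '])', you may have forgotten the close paren" should be split, e.g. "as part of a '])'. You may have forgotten the close paren, or otherwise confused the parser."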