Commit | Line | Data |
---|---|---|
43323ad1 SH |
1 | =encoding utf8 |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | perl5263delta - what is new for perl v5.26.3 | |
6 | ||
7 | =head1 DESCRIPTION | |
8 | ||
9 | This document describes differences between the 5.26.2 release and the 5.26.3 | |
10 | release. | |
11 | ||
12 | If you are upgrading from an earlier release such as 5.26.1, first read | |
13 | L<perl5262delta>, which describes differences between 5.26.1 and 5.26.2. | |
14 | ||
15 | =head1 Security | |
16 | ||
17 | =head2 [CVE-2018-12015] Directory traversal in module Archive::Tar | |
18 | ||
19 | By default, L<Archive::Tar> doesn't allow extracting files outside the current | |
20 | working directory. However, this secure extraction mode could be bypassed by | |
21 | putting a symlink and a regular file with the same name into the tar file. | |
22 | ||
23 | L<[perl #133250]|https://rt.perl.org/Ticket/Display.html?id=133250> | |
24 | L<[cpan #125523]|https://rt.cpan.org/Ticket/Display.html?id=125523> | |
25 | ||
26 | =head2 [CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault | |
27 | ||
28 | Integer arithmetic in C<Perl_my_setenv()> could wrap when the combined length | |
29 | of the environment variable name and value exceeded around 0x7fffffff. This | |
30 | could lead to writing beyond the end of an allocated buffer with attacker | |
31 | supplied data. | |
32 | ||
33 | L<[perl #133204]|https://rt.perl.org/Ticket/Display.html?id=133204> | |
34 | ||
35 | =head2 [CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c) | |
36 | ||
37 | A crafted regular expression could cause heap-buffer-overflow write during | |
38 | compilation, potentially allowing arbitrary code execution. | |
39 | ||
40 | L<[perl #133423]|https://rt.perl.org/Ticket/Display.html?id=133423> | |
41 | ||
42 | =head2 [CVE-2018-18313] Heap-buffer-overflow read in S_grok_bslash_N (regcomp.c) | |
43 | ||
44 | A crafted regular expression could cause heap-buffer-overflow read during | |
45 | compilation, potentially leading to sensitive information being leaked. | |
46 | ||
47 | L<[perl #133192]|https://rt.perl.org/Ticket/Display.html?id=133192> | |
48 | ||
49 | =head2 [CVE-2018-18314] Heap-buffer-overflow write in S_regatom (regcomp.c) | |
50 | ||
51 | A crafted regular expression could cause heap-buffer-overflow write during | |
52 | compilation, potentially allowing arbitrary code execution. | |
53 | ||
54 | L<[perl #131649]|https://rt.perl.org/Ticket/Display.html?id=131649> | |
55 | ||
56 | =head1 Incompatible Changes | |
57 | ||
58 | There are no changes intentionally incompatible with 5.26.2. If any exist, | |
59 | they are bugs, and we request that you submit a report. See | |
60 | L</Reporting Bugs> below. | |
61 | ||
62 | =head1 Modules and Pragmata | |
63 | ||
64 | =head2 Updated Modules and Pragmata | |
65 | ||
66 | =over 4 | |
67 | ||
68 | =item * | |
69 | ||
70 | L<Archive::Tar> has been upgraded from version 2.24 to 2.24_01. | |
71 | ||
72 | =item * | |
73 | ||
74 | L<Module::CoreList> has been upgraded from version 5.20180414_26 to 5.20181129_26. | |
75 | ||
76 | =back | |
77 | ||
78 | =head1 Diagnostics | |
79 | ||
80 | The following additions or changes have been made to diagnostic output, | |
81 | including warnings and fatal error messages. For the complete list of | |
82 | diagnostic messages, see L<perldiag>. | |
83 | ||
84 | =head2 New Diagnostics | |
85 | ||
86 | =head3 New Errors | |
87 | ||
88 | =over 4 | |
89 | ||
90 | =item * | |
91 | ||
92 | L<Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> | |
93 | ||
94 | (F) While parsing an extended character class a ']' character was encountered | |
95 | at a point in the definition where the only legal use of ']' is to close the | |
96 | character class definition as part of a '])', you may have forgotten the close | |
97 | paren, or otherwise confused the parser. | |
98 | ||
99 | =item * | |
100 | ||
101 | L<Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> | |
102 | ||
103 | (F) While parsing a nested extended character class like: | |
104 | ||
105 | (?[ ... (?flags:(?[ ... ])) ... ]) | |
106 | ^ | |
107 | ||
108 | we expected to see a close paren ')' (marked by ^) but did not. | |
109 | ||
110 | =item * | |
111 | ||
112 | L<Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> | |
113 | ||
114 | (F) While parsing a nested extended character class like: | |
115 | ||
116 | (?[ ... (?flags:(?[ ... ])) ... ]) | |
117 | ^ | |
118 | ||
119 | we expected to see a close paren ')' (marked by ^) but did not. | |
120 | ||
121 | =back | |
122 | ||
123 | =head2 Changes to Existing Diagnostics | |
124 | ||
125 | =over 4 | |
126 | ||
127 | =item * | |
128 | ||
129 | L<Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> | |
130 | ||
131 | This fatal error message has been slightly expanded (from "Syntax error in | |
132 | (?[...]) in regex mE<sol>%sE<sol>") for greater clarity. | |
133 | ||
134 | =back | |
135 | ||
136 | =head1 Acknowledgements | |
137 | ||
138 | Perl 5.26.3 represents approximately 8 months of development since Perl 5.26.2 | |
139 | and contains approximately 4,500 lines of changes across 51 files from 15 | |
140 | authors. | |
141 | ||
142 | Excluding auto-generated files, documentation and release tools, there were | |
143 | approximately 770 lines of changes to 10 .pm, .t, .c and .h files. | |
144 | ||
145 | Perl continues to flourish into its third decade thanks to a vibrant community | |
146 | of users and developers. The following people are known to have contributed | |
147 | the improvements that became Perl 5.26.3: | |
148 | ||
149 | Aaron Crane, Abigail, Chris 'BinGOs' Williams, Dagfinn Ilmari Mannsåker, David | |
150 | Mitchell, H.Merijn Brand, James E Keenan, John SJ Anderson, Karen Etheridge, | |
151 | Karl Williamson, Sawyer X, Steve Hay, Todd Rinaldo, Tony Cook, Yves Orton. | |
152 | ||
153 | The list above is almost certainly incomplete as it is automatically generated | |
154 | from version control history. In particular, it does not include the names of | |
155 | the (very much appreciated) contributors who reported issues to the Perl bug | |
156 | tracker. | |
157 | ||
158 | Many of the changes included in this version originated in the CPAN modules | |
159 | included in Perl's core. We're grateful to the entire CPAN community for | |
160 | helping Perl to flourish. | |
161 | ||
162 | For a more complete list of all of Perl's historical contributors, please see | |
163 | the F<AUTHORS> file in the Perl source distribution. | |
164 | ||
165 | =head1 Reporting Bugs | |
166 | ||
167 | If you find what you think is a bug, you might check the perl bug database | |
168 | at L<https://rt.perl.org/> . There may also be information at | |
169 | L<http://www.perl.org/> , the Perl Home Page. | |
170 | ||
171 | If you believe you have an unreported bug, please run the L<perlbug> program | |
172 | included with your release. Be sure to trim your bug down to a tiny but | |
173 | sufficient test case. Your bug report, along with the output of C<perl -V>, | |
174 | will be sent off to perlbug@perl.org to be analysed by the Perl porting team. | |
175 | ||
176 | If the bug you are reporting has security implications which make it | |
177 | inappropriate to send to a publicly archived mailing list, then see | |
178 | L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> | |
179 | for details of how to report the issue. | |
180 | ||
181 | =head1 Give Thanks | |
182 | ||
183 | If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, | |
184 | you can do so by running the C<perlthanks> program: | |
185 | ||
186 | perlthanks | |
187 | ||
188 | This will send an email to the Perl 5 Porters list with your show of thanks. | |
189 | ||
190 | =head1 SEE ALSO | |
191 | ||
192 | The F<Changes> file for an explanation of how to view exhaustive details on | |
193 | what changed. | |
194 | ||
195 | The F<INSTALL> file for how to build Perl. | |
196 | ||
197 | The F<README> file for general stuff. | |
198 | ||
199 | The F<Artistic> and F<Copying> files for copyright information. | |
200 | ||
201 | =cut |