Commit | Line | Data |
---|---|---|
2f7cab8b SH |
1 | =encoding utf8 |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | perl5222delta - what is new for perl v5.22.2 | |
6 | ||
7 | =head1 DESCRIPTION | |
8 | ||
9 | This document describes differences between the 5.22.1 release and the 5.22.2 | |
10 | release. | |
11 | ||
12 | If you are upgrading from an earlier release such as 5.22.0, first read | |
13 | L<perl5221delta>, which describes differences between 5.22.0 and 5.22.1. | |
14 | ||
15 | =head1 Security | |
16 | ||
17 | =head2 Fix out of boundary access in Win32 path handling | |
18 | ||
19 | This is CVE-2015-8608. For more information see | |
20 | L<[perl #126755]|https://rt.perl.org/Ticket/Display.html?id=126755>. | |
21 | ||
22 | =head2 Fix loss of taint in C<canonpath()> | |
23 | ||
24 | This is CVE-2015-8607. For more information see | |
25 | L<[perl #126862]|https://rt.perl.org/Ticket/Display.html?id=126862>. | |
26 | ||
27 | =head2 Set proper umask before calling C<mkstemp(3)> | |
28 | ||
29 | In 5.22.0 perl started setting umask to C<0600> before calling C<mkstemp(3)> | |
30 | and restoring it afterwards. This wrongly tells C<open(2)> to strip the | |
31 | owner read and write bits from the given mode before applying it, when the | |
32 | intent was the opposite: to leave only those bits in place. | |
33 | ||
34 | Systems that use mode C<0666> in C<mkstemp(3)> (like old versions of glibc) | |
35 | create a file with permissions C<0066>, leaving world read and write permissions | |
36 | regardless of current umask. | |
37 | ||
38 | This has been fixed by using umask C<0177> instead. | |
39 | ||
40 | L<[perl #127322]|https://rt.perl.org/Ticket/Display.html?id=127322> | |
41 | ||
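The effect of the two umask values can be observed directly. The following is an added example, not code from the Perl source: it calls C<open(2)> with mode C<0666>, as the old glibc C<mkstemp(3)> described above did, and reports the permissions the new file receives. The function name and the scratch directory under F</tmp> are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a file with open(2) and mode 0666 while `mask` is the process
 * umask. Returns the permission bits the file ends up with, or (mode_t)-1
 * on error. The caller's umask is restored before returning. */
mode_t perms_created_under(mode_t mask)
{
    char dir[] = "/tmp/umask_demo_XXXXXX";   /* constructed scratch directory */
    char path[sizeof dir + 8];
    struct stat st;
    mode_t result = (mode_t)-1;

    if (mkdtemp(dir) == NULL)
        return result;
    snprintf(path, sizeof path, "%s/f", dir);

    mode_t saved = umask(mask);              /* same save/restore pattern as perl */
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0666);
    umask(saved);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = st.st_mode & 0777;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("umask 0600 -> %04o\n", (unsigned)perms_created_under(0600));
    printf("umask 0177 -> %04o\n", (unsigned)perms_created_under(0177));
    return 0;
}
```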
42 | =head2 Avoid accessing uninitialized memory in Win32 C<crypt()> | |
43 | ||
44 | Validation that will detect both a short salt and invalid characters in the | |
45 | salt has been added. | |
46 | ||
47 | L<[perl #126922]|https://rt.perl.org/Ticket/Display.html?id=126922> | |
48 | ||
49 | =head2 Remove duplicate environment variables from C<environ> | |
50 | ||
51 | Previously, if an environment variable appeared more than once in C<environ[]>, | |
52 | L<C<%ENV>|perlvar/%ENV> would contain the last entry for that name, while a | |
53 | typical C<getenv()> would return the first entry. We now make sure C<%ENV> | |
54 | contains the same as what C<getenv()> returns. | |
55 | ||
56 | Secondly, we now remove duplicates from C<environ[]>, so if a setting with that | |
57 | name is set in C<%ENV> we won't pass an unsafe value to a child process. | |
58 | ||
59 | This is CVE-2016-2381. | |
60 | ||
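The mismatch between the two lookups, and the effect of removing duplicates, can be shown on a constructed environment array. This is an added example, not code from the Perl source; the names C<sample_env>, C<lookup> and C<dedupe_environ> are hypothetical, and keeping the first entry for each name is an assumption chosen to agree with what a typical C<getenv()> returns.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: DEMO appears twice, as in a duplicated environ[]. */
const char *sample_env[] = { "DEMO=first", "LANG=C", "DEMO=second", NULL };

/* Compare only the name part (up to '=') of two entries or names. */
static int same_name(const char *a, const char *b)
{
    size_t n = strcspn(a, "=");
    return n == strcspn(b, "=") && strncmp(a, b, n) == 0;
}

/* last_wins == 0: first match, as a typical getenv(); 1: last match, as old %ENV. */
const char *lookup(const char **env, const char *name, int last_wins)
{
    const char *found = NULL;
    for (; *env; env++) {
        if (!same_name(*env, name))
            continue;
        found = *env + strcspn(*env, "=");
        found += (*found == '=');            /* step over the '=' if present */
        if (!last_wins)
            break;
    }
    return found;
}

/* Drop later duplicates in place, keeping the first entry for each name. */
size_t dedupe_environ(const char **env)
{
    size_t kept = 0;
    for (size_t i = 0; env[i]; i++) {
        size_t j = 0;
        while (j < kept && !same_name(env[j], env[i]))
            j++;
        if (j == kept)
            env[kept++] = env[i];
    }
    env[kept] = NULL;
    return kept;
}

int main(void)
{
    printf("first=%s last=%s\n", lookup(sample_env, "DEMO", 0), lookup(sample_env, "DEMO", 1));
    printf("kept %zu entries\n", dedupe_environ(sample_env));
    return 0;
}
```

After C<dedupe_environ()> runs, both lookup orders return the same value, so a child process given the array cannot see a different setting than the parent did.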
61 | =head1 Incompatible Changes | |
62 | ||
63 | There are no changes intentionally incompatible with Perl 5.22.1. If any | |
64 | exist, they are bugs, and we request that you submit a report. See | |
65 | L</Reporting Bugs> below. | |
66 | ||
67 | =head1 Modules and Pragmata | |
68 | ||
69 | =head2 Updated Modules and Pragmata | |
70 | ||
71 | =over 4 | |
72 | ||
73 | =item * | |
74 | ||
75 | L<File::Spec> has been upgraded from version 3.56 to 3.56_01. | |
76 | ||
77 | C<canonpath()> now preserves taint. See L</"Fix loss of taint in | |
78 | C<canonpath()>">. | |
79 | ||
80 | =item * | |
81 | ||
82 | L<Module::CoreList> has been upgraded from version 5.20151213 to 5.20160429. | |
83 | ||
84 | The version number of L<Digest::SHA> listed for Perl 5.18.4 was wrong and has | |
85 | been corrected. Likewise for the version number of L<Config> in 5.18.3 and | |
86 | 5.18.4. | |
87 | L<[perl #127624]|https://rt.perl.org/Ticket/Display.html?id=127624> | |
88 | ||
89 | =back | |
90 | ||
91 | =head1 Documentation | |
92 | ||
93 | =head2 Changes to Existing Documentation | |
94 | ||
95 | =head3 L<perldiag> | |
96 | ||
97 | =over 4 | |
98 | ||
99 | =item * | |
100 | ||
101 | The explanation of the warning "unable to close filehandle %s properly: %s" | |
102 | which can occur when doing an implicit close of a filehandle has been expanded | |
103 | and improved. | |
104 | ||
105 | =back | |
106 | ||
107 | =head3 L<perlfunc> | |
108 | ||
109 | =over 4 | |
110 | ||
111 | =item * | |
112 | ||
113 | The documentation of L<C<hex()>|perlfunc/hex> has been revised to clarify valid | |
114 | inputs. | |
115 | ||
116 | =back | |
117 | ||
118 | =head1 Configuration and Compilation | |
119 | ||
120 | =over 4 | |
121 | ||
122 | =item * | |
123 | ||
124 | Dtrace builds now build successfully on systems with a newer dtrace that | |
125 | requires an input object file that uses the probes in the F<.d> file. | |
126 | ||
127 | Previously the probe would fail and cause a build failure. | |
128 | ||
129 | L<[perl #122287]|https://rt.perl.org/Ticket/Display.html?id=122287> | |
130 | ||
131 | =item * | |
132 | ||
133 | F<Configure> no longer probes for F<libnm> by default. Originally this was the | |
134 | "New Math" library, but the name has been re-used by the GNOME NetworkManager. | |
135 | ||
136 | L<[perl #127131]|https://rt.perl.org/Ticket/Display.html?id=127131> | |
137 | ||
138 | =item * | |
139 | ||
140 | F<Configure> now knows about gcc 5. | |
141 | ||
142 | =item * | |
143 | ||
144 | Compiling perl with B<-DPERL_MEM_LOG> now works again. | |
145 | ||
146 | =back | |
147 | ||
148 | =head1 Platform Support | |
149 | ||
150 | =head2 Platform-Specific Notes | |
151 | ||
152 | =over 4 | |
153 | ||
154 | =item Darwin | |
155 | ||
156 | Compiling perl with B<-Dusecbacktrace> on Darwin now works again. | |
157 | ||
158 | L<[perl #127764]|https://rt.perl.org/Ticket/Display.html?id=127764> | |
159 | ||
160 | =item OS X/Darwin | |
161 | ||
162 | Builds with both B<-DDEBUGGING> and threading enabled would fail with a "panic: | |
163 | free from wrong pool" error when built or tested from Terminal on OS X. This | |
164 | was caused by perl's internal management of the environment conflicting with an | |
165 | atfork handler using the libc C<setenv()> function to update the environment. | |
166 | ||
167 | Perl now uses C<setenv()>/C<unsetenv()> to update the environment on OS X. | |
168 | ||
169 | L<[perl #126240]|https://rt.perl.org/Ticket/Display.html?id=126240> | |
170 | ||
171 | =item ppc64el | |
172 | ||
173 | The floating point format of ppc64el (Debian naming for little-endian PowerPC) | |
174 | is now detected correctly. | |
175 | ||
176 | =item Tru64 | |
177 | ||
178 | A test failure in F<t/porting/extrefs.t> has been fixed. | |
179 | ||
180 | =back | |
181 | ||
182 | =head1 Internal Changes | |
183 | ||
184 | =over 4 | |
185 | ||
186 | =item * | |
187 | ||
188 | An unwarranted assertion in C<Perl_newATTRSUB_x()> has been removed. If a stub | |
189 | subroutine definition with a prototype has been seen, then any subsequent stub | |
190 | (or definition) of the same subroutine with an attribute was causing an | |
191 | assertion failure because of a null pointer. | |
192 | ||
193 | L<[perl #126845]|https://rt.perl.org/Ticket/Display.html?id=126845> | |
194 | ||
195 | =back | |
196 | ||
197 | =head1 Selected Bug Fixes | |
198 | ||
199 | =over 4 | |
200 | ||
201 | =item * | |
202 | ||
203 | Calls to the placeholder C<&PL_sv_yes> used internally when an C<import()> or | |
204 | C<unimport()> method isn't found now correctly handle scalar context. | |
205 | L<[perl #126042]|https://rt.perl.org/Ticket/Display.html?id=126042> | |
206 | ||
207 | =item * | |
208 | ||
209 | The L<C<pipe()>|perlfunc/pipe> operator would assert for C<DEBUGGING> builds | |
210 | instead of producing the correct error message. The condition asserted on is | |
211 | detected and reported on correctly without the assertions, so the assertions | |
212 | were removed. | |
213 | L<[perl #126480]|https://rt.perl.org/Ticket/Display.html?id=126480> | |
214 | ||
215 | =item * | |
216 | ||
217 | In some cases, failing to parse a here-doc would attempt to use freed memory. | |
218 | This was caused by a pointer not being restored correctly. | |
219 | L<[perl #126443]|https://rt.perl.org/Ticket/Display.html?id=126443> | |
220 | ||
221 | =item * | |
222 | ||
223 | Perl now reports more context when it sees an array where it expects to see an | |
224 | operator, and avoids an assertion failure. | |
225 | L<[perl #123737]|https://rt.perl.org/Ticket/Display.html?id=123737> | |
226 | ||
227 | =item * | |
228 | ||
229 | If a here-doc was found while parsing another operator, the parser had already | |
230 | read end of file, and the here-doc was not terminated, perl could produce an | |
231 | assertion or a segmentation fault. This now reliably complains about the | |
232 | unterminated here-doc. | |
233 | L<[perl #125540]|https://rt.perl.org/Ticket/Display.html?id=125540> | |
234 | ||
235 | =item * | |
236 | ||
237 | Parsing beyond the end of the buffer when processing a C<#line> directive with | |
238 | no filename is now avoided. | |
239 | L<[perl #127334]|https://rt.perl.org/Ticket/Display.html?id=127334> | |
240 | ||
241 | =item * | |
242 | ||
243 | Perl 5.22.0 added support for the C99 hexadecimal floating point notation, but | |
244 | sometimes misparsed hex floats. This has been fixed. | |
245 | L<[perl #127183]|https://rt.perl.org/Ticket/Display.html?id=127183> | |
246 | ||
247 | =item * | |
248 | ||
249 | Certain regex patterns involving a complemented posix class in an inverted | |
250 | bracketed character class, and matching something else optionally would | |
251 | improperly fail to match. An example of one that could fail is | |
252 | C<qr/_?[^\Wbar]\x{100}/>. This has been fixed. | |
253 | L<[perl #127537]|https://rt.perl.org/Ticket/Display.html?id=127537> | |
254 | ||
255 | =item * | |
256 | ||
257 | Fixed an issue with L<C<pack()>|perlfunc/pack> where C<< pack "H" >> (and | |
258 | C<< pack "h" >>) could read past the source when given a non-utf8 source and a | |
259 | utf8 target. | |
260 | L<[perl #126325]|https://rt.perl.org/Ticket/Display.html?id=126325> | |
261 | ||
262 | =item * | |
263 | ||
264 | Fixed some cases where perl would abort due to a segmentation fault, or a | |
265 | C-level assert. | |
266 | L<[perl #126193]|https://rt.perl.org/Ticket/Display.html?id=126193> | |
267 | L<[perl #126257]|https://rt.perl.org/Ticket/Display.html?id=126257> | |
268 | L<[perl #126258]|https://rt.perl.org/Ticket/Display.html?id=126258> | |
269 | L<[perl #126405]|https://rt.perl.org/Ticket/Display.html?id=126405> | |
270 | L<[perl #126602]|https://rt.perl.org/Ticket/Display.html?id=126602> | |
271 | L<[perl #127773]|https://rt.perl.org/Ticket/Display.html?id=127773> | |
272 | L<[perl #127786]|https://rt.perl.org/Ticket/Display.html?id=127786> | |
273 | ||
274 | =item * | |
275 | ||
276 | A memory leak when setting C<$ENV{foo}> on Darwin has been fixed. | |
277 | L<[perl #126240]|https://rt.perl.org/Ticket/Display.html?id=126240> | |
278 | ||
279 | =item * | |
280 | ||
281 | Perl now correctly raises an error when trying to compile patterns with | |
282 | unterminated character classes while there are trailing backslashes. | |
283 | L<[perl #126141]|https://rt.perl.org/Ticket/Display.html?id=126141> | |
284 | ||
285 | =item * | |
286 | ||
287 | C<NOTHING> regops and C<EXACTFU_SS> regops in C<make_trie()> are now handled | |
288 | properly. | |
289 | L<[perl #126206]|https://rt.perl.org/Ticket/Display.html?id=126206> | |
290 | ||
291 | =item * | |
292 | ||
293 | Perl now only tests C<semctl()> if we have everything needed to use it. In | |
294 | FreeBSD the C<semctl()> entry point may exist, but it can be disabled by | |
295 | policy. | |
296 | L<[perl #127533]|https://rt.perl.org/Ticket/Display.html?id=127533> | |
297 | ||
298 | =item * | |
299 | ||
300 | A regression that allowed undeclared barewords as hash keys to work despite | |
301 | strictures has been fixed. | |
302 | L<[perl #126981]|https://rt.perl.org/Ticket/Display.html?id=126981> | |
303 | ||
304 | =item * | |
305 | ||
306 | As an optimization (introduced in Perl 5.20.0), L<C<uc()>|perlfunc/uc>, | |
307 | L<C<lc()>|perlfunc/lc>, L<C<ucfirst()>|perlfunc/ucfirst> and | |
308 | L<C<lcfirst()>|perlfunc/lcfirst> sometimes modify their argument in-place | |
309 | rather than returning a modified copy. The criteria for this optimization have | |
310 | been made stricter to avoid these functions accidentally modifying in-place | |
311 | when they should not, which has been happening in some cases, e.g. in | |
312 | L<List::Util>. | |
313 | ||
314 | =item * | |
315 | ||
316 | Excessive memory usage in the compilation of some regular expressions involving | |
317 | non-ASCII characters has been reduced. A more complete fix is forthcoming in | |
318 | Perl 5.24.0. | |
319 | ||
320 | =back | |
321 | ||
322 | =head1 Acknowledgements | |
323 | ||
324 | Perl 5.22.2 represents approximately 5 months of development since Perl 5.22.1 | |
325 | and contains approximately 3,000 lines of changes across 110 files from 24 | |
326 | authors. | |
327 | ||
328 | Excluding auto-generated files, documentation and release tools, there were | |
329 | approximately 1,500 lines of changes to 52 .pm, .t, .c and .h files. | |
330 | ||
331 | Perl continues to flourish into its third decade thanks to a vibrant community | |
332 | of users and developers. The following people are known to have contributed | |
333 | the improvements that became Perl 5.22.2: | |
334 | ||
335 | Aaron Crane, Abigail, Andreas König, Aristotle Pagaltzis, Chris 'BinGOs' | |
336 | Williams, Craig A. Berry, Dagfinn Ilmari Mannsåker, David Golden, David | |
337 | Mitchell, H.Merijn Brand, James E Keenan, Jarkko Hietaniemi, Karen Etheridge, | |
338 | Karl Williamson, Matthew Horsfall, Niko Tyni, Ricardo Signes, Sawyer X, Stevan | |
339 | Little, Steve Hay, Todd Rinaldo, Tony Cook, Vladimir Timofeev, Yves Orton. | |
340 | ||
341 | The list above is almost certainly incomplete as it is automatically generated | |
342 | from version control history. In particular, it does not include the names of | |
343 | the (very much appreciated) contributors who reported issues to the Perl bug | |
344 | tracker. | |
345 | ||
346 | Many of the changes included in this version originated in the CPAN modules | |
347 | included in Perl's core. We're grateful to the entire CPAN community for | |
348 | helping Perl to flourish. | |
349 | ||
350 | For a more complete list of all of Perl's historical contributors, please see | |
351 | the F<AUTHORS> file in the Perl source distribution. | |
352 | ||
353 | =head1 Reporting Bugs | |
354 | ||
355 | If you find what you think is a bug, you might check the articles recently | |
356 | posted to the comp.lang.perl.misc newsgroup and the perl bug database at | |
357 | https://rt.perl.org/ . There may also be information at http://www.perl.org/ , | |
358 | the Perl Home Page. | |
359 | ||
360 | If you believe you have an unreported bug, please run the L<perlbug> program | |
361 | included with your release. Be sure to trim your bug down to a tiny but | |
362 | sufficient test case. Your bug report, along with the output of C<perl -V>, | |
363 | will be sent off to perlbug@perl.org to be analysed by the Perl porting team. | |
364 | ||
365 | If the bug you are reporting has security implications, which make it | |
366 | inappropriate to send to a publicly archived mailing list, then please send it | |
367 | to perl5-security-report@perl.org. This points to a closed subscription | |
368 | unarchived mailing list, which includes all the core committers, who will be | |
369 | able to help assess the impact of issues, figure out a resolution, and help | |
370 | co-ordinate the release of patches to mitigate or fix the problem across all | |
371 | platforms on which Perl is supported. Please only use this address for | |
372 | security issues in the Perl core, not for modules independently distributed on | |
373 | CPAN. | |
374 | ||
375 | =head1 SEE ALSO | |
376 | ||
377 | The F<Changes> file for an explanation of how to view exhaustive details on | |
378 | what changed. | |
379 | ||
380 | The F<INSTALL> file for how to build Perl. | |
381 | ||
382 | The F<README> file for general stuff. | |
383 | ||
384 | The F<Artistic> and F<Copying> files for copyright information. | |
385 | ||
386 | =cut |