Commit | Line | Data |
---|---|---|
189c2812 SH |
1 | =encoding utf8 |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | perl5283delta - what is new for perl v5.28.3 | |
6 | ||
7 | =head1 DESCRIPTION | |
8 | ||
9 | This document describes differences between the 5.28.2 release and the 5.28.3 | |
10 | release. | |
11 | ||
12 | If you are upgrading from an earlier release such as 5.28.1, first read | |
13 | L<perl5282delta>, which describes differences between 5.28.1 and 5.28.2. | |
14 | ||
15 | =head1 Security | |
16 | ||
17 | =head2 [CVE-2020-10543] Buffer overflow caused by a crafted regular expression | |
18 | ||
19 | A signed C<size_t> integer overflow in the storage space calculations for | |
20 | nested regular expression quantifiers could cause a heap buffer overflow in | |
21 | Perl's regular expression compiler that overwrites memory allocated after the | |
22 | regular expression storage space with attacker supplied data. | |
23 | ||
24 | The target system needs a sufficient amount of memory to allocate partial | |
25 | expansions of the nested quantifiers prior to the overflow occurring. This | |
26 | requirement is unlikely to be met on 64-bit systems. | |
27 | ||
28 | Discovered by: ManhND of The Tarantula Team, VinCSS (a member of Vingroup). | |
29 | ||
30 | =head2 [CVE-2020-10878] Integer overflow via malformed bytecode produced by a crafted regular expression | |
31 | ||
32 | Integer overflows in the calculation of offsets between instructions for the | |
33 | regular expression engine could cause corruption of the intermediate language | |
34 | state of a compiled regular expression. An attacker could abuse this behaviour | |
35 | to insert instructions into the compiled form of a Perl regular expression. | |
36 | ||
37 | Discovered by: Hugo van der Sanden and Slaven Rezic. | |
38 | ||
39 | =head2 [CVE-2020-12723] Buffer overflow caused by a crafted regular expression | |
40 | ||
41 | Recursive calls to C<S_study_chunk()> by Perl's regular expression compiler to | |
42 | optimize the intermediate language representation of a regular expression could | |
43 | cause corruption of the intermediate language state of a compiled regular | |
44 | expression. | |
45 | ||
46 | Discovered by: Sergey Aleynikov. | |
47 | ||
48 | =head2 Additional Note | |
49 | ||
50 | An application written in Perl would only be vulnerable to any of the above | |
51 | flaws if it evaluates regular expressions supplied by the attacker. Evaluating | |
52 | regular expressions in this fashion is known to be dangerous since the regular | |
53 | expression engine does not protect against denial of service attacks in this | |
54 | usage scenario. | |
55 | ||
56 | =head1 Incompatible Changes | |
57 | ||
58 | There are no changes intentionally incompatible with Perl 5.28.2. If any | |
59 | exist, they are bugs, and we request that you submit a report. See | |
60 | L</Reporting Bugs> below. | |
61 | ||
62 | =head1 Modules and Pragmata | |
63 | ||
64 | =head2 Updated Modules and Pragmata | |
65 | ||
66 | =over 4 | |
67 | ||
68 | =item * | |
69 | ||
70 | L<Module::CoreList> has been upgraded from version 5.20190419 to 5.20200601_28. | |
71 | ||
72 | =back | |
73 | ||
74 | =head1 Testing | |
75 | ||
76 | Tests were added and changed to reflect the other additions and changes in this | |
77 | release. | |
78 | ||
79 | =head1 Acknowledgements | |
80 | ||
81 | Perl 5.28.3 represents approximately 13 months of development since Perl 5.28.2 | |
82 | and contains approximately 3,100 lines of changes across 48 files from 16 | |
83 | authors. | |
84 | ||
85 | Excluding auto-generated files, documentation and release tools, there were | |
86 | approximately 1,700 lines of changes to 9 .pm, .t, .c and .h files. | |
87 | ||
88 | Perl continues to flourish into its fourth decade thanks to a vibrant community | |
89 | of users and developers. The following people are known to have contributed | |
90 | the improvements that became Perl 5.28.3: | |
91 | ||
92 | Chris 'BinGOs' Williams, Dan Book, Hugo van der Sanden, James E Keenan, John | |
93 | Lightsey, Karen Etheridge, Karl Williamson, Matthew Horsfall, Max Maischein, | |
94 | Nicolas R., Renee Baecker, Sawyer X, Steve Hay, Tom Hukins, Tony Cook, Zak B. | |
95 | Elep. | |
96 | ||
97 | The list above is almost certainly incomplete as it is automatically generated | |
98 | from version control history. In particular, it does not include the names of | |
99 | the (very much appreciated) contributors who reported issues to the Perl bug | |
100 | tracker. | |
101 | ||
102 | Many of the changes included in this version originated in the CPAN modules | |
103 | included in Perl's core. We're grateful to the entire CPAN community for | |
104 | helping Perl to flourish. | |
105 | ||
106 | For a more complete list of all of Perl's historical contributors, please see | |
107 | the F<AUTHORS> file in the Perl source distribution. | |
108 | ||
109 | =head1 Reporting Bugs | |
110 | ||
111 | If you find what you think is a bug, you might check the perl bug database at | |
112 | L<https://github.com/Perl/perl5/issues>. There may also be information at | |
113 | L<https://www.perl.org/>, the Perl Home Page. | |
114 | ||
115 | If you believe you have an unreported bug, please open an issue at | |
116 | L<https://github.com/Perl/perl5/issues>. Be sure to trim your bug down to a | |
117 | tiny but sufficient test case. | |
118 | ||
119 | If the bug you are reporting has security implications which make it | |
120 | inappropriate to send to a public issue tracker, then see | |
121 | L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> for details of how to | |
122 | report the issue. | |
123 | ||
124 | =head1 Give Thanks | |
125 | ||
126 | If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, you | |
127 | can do so by running the C<perlthanks> program: | |
128 | ||
129 | perlthanks | |
130 | ||
131 | This will send an email to the Perl 5 Porters list with your show of thanks. | |
132 | ||
133 | =head1 SEE ALSO | |
134 | ||
135 | The F<Changes> file for an explanation of how to view exhaustive details on | |
136 | what changed. | |
137 | ||
138 | The F<INSTALL> file for how to build Perl. | |
139 | ||
140 | The F<README> file for general stuff. | |
141 | ||
142 | The F<Artistic> and F<Copying> files for copyright information. | |
143 | ||
144 | =cut |