| 1 | =encoding utf8 |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | perl5125delta - what is new for perl v5.12.5 |
| 6 | |
| 7 | =head1 DESCRIPTION |
| 8 | |
| 9 | This document describes differences between the 5.12.4 release and |
| 10 | the 5.12.5 release. |
| 11 | |
| 12 | If you are upgrading from an earlier release such as 5.12.3, first read |
| 13 | L<perl5124delta>, which describes differences between 5.12.3 and |
| 14 | 5.12.4. |
| 15 | |
| 16 | =head1 Security |
| 17 | |
| 18 | =head2 C<Encode> decode_xs n-byte heap-overflow (CVE-2011-2939) |
| 19 | |
| 20 | A bug in C<Encode> could, on certain inputs, cause the heap to overflow. |
| 21 | This problem has been corrected. Bug reported by Robert Zacek. |
| 22 | |
| 23 | =head2 C<File::Glob::bsd_glob()> memory error with GLOB_ALTDIRFUNC (CVE-2011-2728) |
| 24 | |
| 25 | Calling C<File::Glob::bsd_glob> with the unsupported flag GLOB_ALTDIRFUNC would |
| 26 | cause an access violation / segfault. A Perl program that accepts a flags value from |
| 27 | an external source could expose itself to denial of service or arbitrary code |
| 28 | execution attacks. There are no known exploits in the wild. The problem has been |
| 29 | corrected by explicitly disabling all unsupported flags and setting unused function |
| 30 | pointers to null. Bug reported by Clément Lecigne. |
| 31 | |
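The following is an added example, not code from the perl distribution. It shows one way for a program that receives a C<bsd_glob> flags value from an external source to restrict it to an allowlist before the call, independent of the interpreter fix. The allowlist contents, the name C<checked_glob> and the sample pattern are assumptions.

```perl
use strict;
use warnings;
use File::Glob qw(bsd_glob GLOB_BRACE GLOB_MARK GLOB_NOCASE GLOB_NOSORT
                  GLOB_TILDE GLOB_LIMIT GLOB_ALTDIRFUNC GLOB_ERROR);

# Flags this (hypothetical) application accepts from callers.
my $ALLOWED = GLOB_BRACE() | GLOB_MARK() | GLOB_NOCASE()
            | GLOB_NOSORT() | GLOB_TILDE();

sub checked_glob {
    my ($pattern, $flags) = @_;

    # Accept only a short run of decimal digits, then force numeric context
    # so the bitwise operators below never see a string operand.
    die "flags must be a non-negative integer\n"
        unless defined $flags && $flags =~ /\A[0-9]{1,9}\z/;
    $flags += 0;

    # Any bit outside the allowlist is refused before bsd_glob is reached.
    my $extra = $flags & ~$ALLOWED;
    die sprintf("unsupported glob flag bits 0x%x\n", $extra) if $extra;

    # GLOB_LIMIT is always added by the application, never taken from input.
    my @paths = bsd_glob($pattern, $flags | GLOB_LIMIT());
    die "glob failed\n" if GLOB_ERROR();
    return @paths;
}

# Constructed inputs: one allowed combination, one carrying GLOB_ALTDIRFUNC.
for my $input (GLOB_BRACE() | GLOB_MARK(), GLOB_BRACE() | GLOB_ALTDIRFUNC()) {
    my @found = eval { checked_glob('/etc/{passwd,hosts}', $input) };
    print $@ ? "rejected: $@" : "ok: @found\n";
}
```
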
| 32 | =head2 Heap buffer overrun in 'x' string repeat operator (CVE-2012-5195) |
| 33 | |
| 34 | Poorly written perl code that allows an attacker to specify the count to |
| 35 | perl's 'x' string repeat operator can already cause a memory exhaustion |
| 36 | denial-of-service attack. A flaw in versions of perl before 5.15.5 can |
| 37 | escalate that into a heap buffer overrun; coupled with versions of glibc |
| 38 | before 2.16, it possibly allows the execution of arbitrary code. |
| 39 | |
| 40 | This problem has been fixed. |
| 41 | |
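The following is an added example, not code from the perl distribution. It bounds an externally supplied count before it reaches the 'x' operator, which addresses the memory exhaustion case that remains possible on a fixed perl. The budget value and the name C<bounded_repeat> are assumptions.

```perl
use strict;
use warnings;

# Assumed budget: the largest result, in characters, the application allows.
use constant MAX_REPEAT_CHARS => 1_048_576;

sub bounded_repeat {
    my ($str, $count) = @_;

    # Plain decimal digits only: rejects "-1", "1e9", " 5" and "5\n",
    # all of which perl would otherwise quietly convert to a number.
    die "count must be a plain decimal integer\n"
        unless defined $count && $count =~ /\A[0-9]{1,9}\z/;
    $count += 0;

    return '' if $count == 0 || !length($str);

    # Compare by division so the check itself cannot overflow.
    die "result would exceed the size budget\n"
        if $count > int(MAX_REPEAT_CHARS / length($str));

    return $str x $count;
}

# Constructed inputs standing in for values read from a request.
for my $count ('3', '-1', '1e9', '999999999') {
    my $out = eval { bounded_repeat('ab', $count) };
    print defined $out ? "count=$count ok: $out\n" : "count=$count rejected: $@";
}
```
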
| 42 | =head1 Incompatible Changes |
| 43 | |
| 44 | There are no changes intentionally incompatible with 5.12.4. If any |
| 45 | exist, they are bugs and reports are welcome. |
| 46 | |
| 47 | =head1 Modules and Pragmata |
| 48 | |
| 49 | =head2 Updated Modules |
| 50 | |
| 51 | =head3 L<B::Concise> |
| 52 | |
| 53 | L<B::Concise> no longer produces mangled output with the B<-tree> option |
| 54 | [perl #80632]. |
| 55 | |
| 56 | =head3 L<charnames> |
| 57 | |
| 58 | A regression introduced in Perl 5.8.8 that caused |
| 59 | C<charnames::viacode(0)> to return C<undef> instead of the string "NULL" |
| 60 | has been fixed [perl #72624]. |
| 61 | |
| 62 | =head3 L<Encode> has been upgraded from version 2.39 to version 2.39_01. |
| 63 | |
| 64 | See L</Security>. |
| 65 | |
| 66 | =head3 L<File::Glob> has been upgraded from version 1.07 to version 1.07_01. |
| 67 | |
| 68 | See L</Security>. |
| 69 | |
| 70 | =head3 L<Unicode::UCD> |
| 71 | |
| 72 | The documentation for the C<upper> function now actually says "upper", not |
| 73 | "lower". |
| 74 | |
| 75 | =head3 L<Module::CoreList> |
| 76 | |
| 77 | L<Module::CoreList> has been updated to version 2.50_02 to add data for |
| 78 | this release. |
| 79 | |
| 80 | =head1 Changes to Existing Documentation |
| 81 | |
| 82 | =head2 L<perlebcdic> |
| 83 | |
| 84 | The L<perlebcdic> document contains a helpful table to use in C<tr///> to |
| 85 | convert between EBCDIC and Latin1/ASCII. Unfortunately, the table was the |
| 86 | inverse of the one it describes. This has been corrected. |
| 87 | |
| 88 | =head2 L<perlunicode> |
| 89 | |
| 90 | The section on |
| 91 | L<User-Defined Case Mappings|perlunicode/User-Defined Case Mappings> had |
| 92 | some bad markup and unclear sentences, making parts of it unreadable. This |
| 93 | has been rectified. |
| 94 | |
| 95 | =head2 L<perluniprops> |
| 96 | |
| 97 | This document has been corrected to take non-ASCII platforms into account. |
| 98 | |
| 99 | =head1 Installation and Configuration Improvements |
| 100 | |
| 101 | =head2 Platform Specific Changes |
| 102 | |
| 103 | =over 4 |
| 104 | |
| 105 | =item Mac OS X |
| 106 | |
| 107 | There have been configuration and test fixes to make Perl build cleanly on |
| 108 | Lion and Mountain Lion. |
| 109 | |
| 110 | =item NetBSD |
| 111 | |
| 112 | The NetBSD hints file was corrected to be compatible with NetBSD 6.* |
| 113 | |
| 114 | =back |
| 115 | |
| 116 | =head1 Selected Bug Fixes |
| 117 | |
| 118 | =over 4 |
| 119 | |
| 120 | =item * |
| 121 | |
| 122 | C<chop> now correctly handles characters above "\x{7fffffff}" |
| 123 | [perl #73246]. |
| 124 | |
| 125 | =item * |
| 126 | |
| 127 | C<< ($<,$>) = (...) >> stopped working properly in 5.12.0. It is supposed |
| 128 | to make a single C<setreuid()> call, rather than calling C<setruid()> and |
| 129 | C<seteuid()> separately. Consequently it did not work properly. This has |
| 130 | been fixed [perl #75212]. |
| 131 | |
| 132 | =item * |
| 133 | |
| 134 | Fixed a regression of kill() when a match variable is used for the |
| 135 | process ID to kill [perl #75812]. |
| 136 | |
| 137 | =item * |
| 138 | |
| 139 | C<UNIVERSAL::VERSION> no longer leaks memory. It started leaking in Perl |
| 140 | 5.10.0. |
| 141 | |
| 142 | =item * |
| 143 | |
| 144 | The C-level C<my_strftime> function no longer leaks memory. This fixes a |
| 145 | memory leak in C<POSIX::strftime> [perl #73520]. |
| 146 | |
| 147 | =item * |
| 148 | |
| 149 | C<caller> no longer leaks memory when called from the DB package if |
| 150 | C<@DB::args> was assigned to after the first call to C<caller>. L<Carp> |
| 151 | was triggering this bug [perl #97010]. |
| 152 | |
| 153 | =item * |
| 154 | |
| 155 | Passing to C<index> an offset beyond the end of the string when the string |
| 156 | is encoded internally in UTF8 no longer causes panics [perl #75898]. |
| 157 | |
| 158 | =item * |
| 159 | |
| 160 | Syntax errors in C<< (?{...}) >> blocks in regular expressions no longer |
| 161 | cause panic messages [perl #2353]. |
| 162 | |
| 163 | =item * |
| 164 | |
| 165 | Perl 5.10.0 introduced some faulty logic that made "U*" in the middle of |
| 166 | a pack template equivalent to "U0" if the input string was empty. This has |
| 167 | been fixed [perl #90160]. |
| 168 | |
| 169 | =back |
| 170 | |
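The following is an added example, not code from the perl distribution, relating to the C<< ($<,$>) = (...) >> item above. It is a privilege drop that relies on the single C<setreuid()> call and then verifies the result instead of trusting the assignment. The account name C<nobody> and the name C<drop_privileges> are assumptions, and the process must start as root.

```perl
use strict;
use warnings;
use POSIX qw(getgid getegid);

sub drop_privileges {
    my ($user) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    die "unknown user $user\n" unless defined $uid;

    # Groups first, while still root. Repeating the gid gives an
    # effectively empty supplementary group list (see perlvar).
    $) = "$gid $gid";
    $( = $gid;
    die "group drop failed: $!\n"
        unless getgid() == $gid && getegid() == $gid;

    # One list assignment, so perl makes a single setreuid() call
    # that changes the real and effective uid together.
    ($<, $>) = ($uid, $uid);
    die "uid drop failed: $!\n" unless $< == $uid && $> == $uid;

    # The drop must be irreversible: an attempt to regain root has to fail.
    $> = 0;
    die "privileges can still be regained\n" if $> == 0;

    return 1;
}

# 'nobody' is an assumed unprivileged account; do nothing unless root.
if ($> == 0) {
    drop_privileges('nobody');
    print "now running as uid $< / euid $>\n";
}
```
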
| 171 | =head1 Errata |
| 172 | |
| 173 | =head2 split() and C<@_> |
| 174 | |
| 175 | split() no longer modifies C<@_> when called in scalar or void context. |
| 176 | In void context it now produces a "Useless use of split" warning. |
| 177 | This is actually a change introduced in perl 5.12.0, but it was missed from |
| 178 | that release's L<perl5120delta>. |
| 179 | |
| 180 | =head1 Acknowledgements |
| 181 | |
| 182 | Perl 5.12.5 represents approximately 17 months of development since Perl 5.12.4 |
| 183 | and contains approximately 1,900 lines of changes across 64 files from 18 |
| 184 | authors. |
| 185 | |
| 186 | Perl continues to flourish into its third decade thanks to a vibrant community |
| 187 | of users and developers. The following people are known to have contributed the |
| 188 | improvements that became Perl 5.12.5: |
| 189 | |
| 190 | Andy Dougherty, Chris 'BinGOs' Williams, Craig A. Berry, David Mitchell, |
| 191 | Dominic Hargreaves, Father Chrysostomos, Florian Ragwitz, George Greer, Goro |
| 192 | Fuji, Jesse Vincent, Karl Williamson, Leon Brocard, Nicholas Clark, Rafael |
| 193 | Garcia-Suarez, Reini Urban, Ricardo Signes, Steve Hay, Tony Cook. |
| 194 | |
| 195 | The list above is almost certainly incomplete as it is automatically generated |
| 196 | from version control history. In particular, it does not include the names of |
| 197 | the (very much appreciated) contributors who reported issues to the Perl bug |
| 198 | tracker. |
| 199 | |
| 200 | Many of the changes included in this version originated in the CPAN modules |
| 201 | included in Perl's core. We're grateful to the entire CPAN community for |
| 202 | helping Perl to flourish. |
| 203 | |
| 204 | For a more complete list of all of Perl's historical contributors, please see |
| 205 | the F<AUTHORS> file in the Perl source distribution. |
| 206 | |
| 207 | =head1 Reporting Bugs |
| 208 | |
| 209 | If you find what you think is a bug, you might check the articles |
| 210 | recently posted to the comp.lang.perl.misc newsgroup and the perl |
| 211 | bug database at http://rt.perl.org/perlbug/ . There may also be |
| 212 | information at http://www.perl.org/ , the Perl Home Page. |
| 213 | |
| 214 | If you believe you have an unreported bug, please run the B<perlbug> |
| 215 | program included with your release. Be sure to trim your bug down |
| 216 | to a tiny but sufficient test case. Your bug report, along with the |
| 217 | output of C<perl -V>, will be sent off to perlbug@perl.org to be |
| 218 | analysed by the Perl porting team. |
| 219 | |
| 220 | If the bug you are reporting has security implications, which make it |
| 221 | inappropriate to send to a publicly archived mailing list, then please send |
| 222 | it to perl5-security-report@perl.org. This points to a closed subscription |
| 223 | unarchived mailing list, which includes all the core committers, who will be able |
| 224 | to help assess the impact of issues, figure out a resolution, and help |
| 225 | co-ordinate the release of patches to mitigate or fix the problem across all |
| 226 | platforms on which Perl is supported. Please only use this address for |
| 227 | security issues in the Perl core, not for modules independently |
| 228 | distributed on CPAN. |
| 229 | |
| 230 | =head1 SEE ALSO |
| 231 | |
| 232 | The F<Changes> file for an explanation of how to view exhaustive details |
| 233 | on what changed. |
| 234 | |
| 235 | The F<INSTALL> file for how to build Perl. |
| 236 | |
| 237 | The F<README> file for general stuff. |
| 238 | |
| 239 | The F<Artistic> and F<Copying> files for copyright information. |
| 240 | |
| 241 | =cut |