=encoding utf8

=head1 NAME

perl5222delta - what is new for perl v5.22.2

=head1 DESCRIPTION

This document describes differences between the 5.22.1 release and the 5.22.2
release.

If you are upgrading from an earlier release such as 5.22.0, first read
L<perl5221delta>, which describes differences between 5.22.0 and 5.22.1.

=head1 Security

=head2 Fix out of boundary access in Win32 path handling

This is CVE-2015-8608. For more information see
L<[perl #126755]|https://rt.perl.org/Ticket/Display.html?id=126755>.

=head2 Fix loss of taint in C<canonpath()>

This is CVE-2015-8607. For more information see
L<[perl #126862]|https://rt.perl.org/Ticket/Display.html?id=126862>.

=head2 Set proper umask before calling C<mkstemp(3)>

In 5.22.0 perl started setting umask to C<0600> before calling C<mkstemp(3)>
and restoring it afterwards. This wrongfully tells C<open(2)> to strip the
owner read and write bits from the given mode before applying it, rather than
the intended negation of leaving only those bits in place.

Systems that use mode C<0666> in C<mkstemp(3)> (like old versions of glibc)
create a file with permissions C<0066>, leaving world read and write permissions
regardless of current umask.

This has been fixed by using umask C<0177> instead.

L<[perl #127322]|https://rt.perl.org/Ticket/Display.html?id=127322>
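
The effect of the two masks can be reproduced with a plain C<open(2)> call
using mode C<0666>. This is an added example, not code from the perl source;
the helper name C<mode_under_umask()> and the scratch path under F</tmp> are
assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a file with open(2) and mode 0666, as old glibc mkstemp(3) does,
 * while `mask` is the process umask. Returns the permission bits the file
 * ends up with, or -1 on error. The caller's umask is restored. */
static int mode_under_umask(mode_t mask)
{
    char path[128];
    struct stat st;
    int result = -1;

    /* Constructed scratch path; O_EXCL makes open() fail rather than
     * reuse or follow anything already at that name. */
    snprintf(path, sizeof path, "/tmp/umask-demo.%ld.%03o",
             (long)getpid(), (unsigned)mask);

    mode_t saved = umask(mask);
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0666);
    umask(saved);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    /* 0600 is the mask used by 5.22.0 and 5.22.1, 0177 the corrected one. */
    printf("umask 0600 -> mode %04o\n", (unsigned)mode_under_umask(0600));
    printf("umask 0177 -> mode %04o\n", (unsigned)mode_under_umask(0177));
    return 0;
}
```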

=head2 Avoid accessing uninitialized memory in Win32 C<crypt()>

Validation that will detect both a short salt and invalid characters in the
salt has been added.

L<[perl #126922]|https://rt.perl.org/Ticket/Display.html?id=126922>

=head2 Remove duplicate environment variables from C<environ>

Previously, if an environment variable appeared more than once in C<environ[]>,
L<C<%ENV>|perlvar/%ENV> would contain the last entry for that name, while a
typical C<getenv()> would return the first entry. We now make sure C<%ENV>
contains the same as what C<getenv()> returns.

Secondly, we now remove duplicates from C<environ[]>, so if a setting with that
name is set in C<%ENV> we won't pass an unsafe value to a child process.

This is CVE-2016-2381.
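
The mismatch between first-match and last-match lookup, and the effect of
keeping only the first entry per name, are shown below on a constructed
environment block. This is an added example, not perl's own implementation;
C<sample_env>, C<lookup()> and C<dedupe_env()> are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: PATH appears twice in the block the process received. */
static char *sample_env[] = {
    "PATH=/tmp/untrusted", "HOME=/home/demo", "PATH=/usr/bin:/bin", NULL };

/* Length of the NAME part of a "NAME=value" entry (or of a bare name). */
static size_t name_len(const char *s) {
    const char *eq = strchr(s, '=');
    return eq ? (size_t)(eq - s) : strlen(s);
}

static int same_name(const char *a, const char *b) {
    size_t n = name_len(a);
    return n == name_len(b) && strncmp(a, b, n) == 0;
}

/* Value of `name`: first match (typical getenv()) or, with want_last set,
 * last match (what %ENV held before 5.22.2). NULL if absent. */
static const char *lookup(char **envp, const char *name, int want_last) {
    const char *found = NULL;
    for (; *envp; envp++) {
        const char *eq = strchr(*envp, '=');
        if (eq && same_name(*envp, name) && (want_last || !found))
            found = eq + 1;
    }
    return found;
}

/* Keep only the first entry for each name, compacting the array in place. */
static size_t dedupe_env(char **envp) {
    size_t kept = 0;
    for (size_t i = 0; envp[i]; i++) {
        size_t j = 0;
        while (j < kept && !same_name(envp[j], envp[i]))
            j++;
        if (j == kept)
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return kept;
}

int main(void) {
    printf("first match: %s\nlast match:  %s\n",
           lookup(sample_env, "PATH", 0), lookup(sample_env, "PATH", 1));
    printf("entries kept: %zu\n", dedupe_env(sample_env));
    return 0;
}
```

After C<dedupe_env()> both lookup orders agree, so a value later assigned
under that name replaces the only entry instead of leaving a second one behind
for a child process to find.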

=head1 Incompatible Changes

There are no changes intentionally incompatible with Perl 5.22.1. If any
exist, they are bugs, and we request that you submit a report. See
L</Reporting Bugs> below.

=head1 Modules and Pragmata

=head2 Updated Modules and Pragmata

=over 4

=item *

L<File::Spec> has been upgraded from version 3.56 to 3.56_01.

C<canonpath()> now preserves taint. See L</"Fix loss of taint in
C<canonpath()>">.

=item *

L<Module::CoreList> has been upgraded from version 5.20151213 to 5.20160429.

The version number of L<Digest::SHA> listed for Perl 5.18.4 was wrong and has
been corrected. Likewise for the version number of L<Config> in 5.18.3 and
5.18.4.
L<[perl #127624]|https://rt.perl.org/Ticket/Display.html?id=127624>

=back

=head1 Documentation

=head2 Changes to Existing Documentation

=head3 L<perldiag>

=over 4

=item *

The explanation of the warning "unable to close filehandle %s properly: %s"
which can occur when doing an implicit close of a filehandle has been expanded
and improved.

=back

=head3 L<perlfunc>

=over 4

=item *

The documentation of L<C<hex()>|perlfunc/hex> has been revised to clarify valid
inputs.

=back

=head1 Configuration and Compilation

=over 4

=item *

Dtrace builds now build successfully on systems with a newer dtrace that
requires an input object file that uses the probes in the F<.d> file.

Previously the probe would fail and cause a build failure.

L<[perl #122287]|https://rt.perl.org/Ticket/Display.html?id=122287>

=item *

F<Configure> no longer probes for F<libnm> by default. Originally this was the
"New Math" library, but the name has been re-used by the GNOME NetworkManager.

L<[perl #127131]|https://rt.perl.org/Ticket/Display.html?id=127131>

=item *

F<Configure> now knows about gcc 5.

=item *

Compiling perl with B<-DPERL_MEM_LOG> now works again.

=back

=head1 Platform Support

=head2 Platform-Specific Notes

=over 4

=item Darwin

Compiling perl with B<-Dusecbacktrace> on Darwin now works again.

L<[perl #127764]|https://rt.perl.org/Ticket/Display.html?id=127764>

=item OS X/Darwin

Builds with both B<-DDEBUGGING> and threading enabled would fail with a "panic:
free from wrong pool" error when built or tested from Terminal on OS X. This
was caused by perl's internal management of the environment conflicting with an
atfork handler using the libc C<setenv()> function to update the environment.

Perl now uses C<setenv()>/C<unsetenv()> to update the environment on OS X.

L<[perl #126240]|https://rt.perl.org/Ticket/Display.html?id=126240>

=item ppc64el

The floating point format of ppc64el (Debian naming for little-endian PowerPC)
is now detected correctly.

=item Tru64

A test failure in F<t/porting/extrefs.t> has been fixed.

=back

=head1 Internal Changes

=over 4

=item *

An unwarranted assertion in C<Perl_newATTRSUB_x()> has been removed. If a stub
subroutine definition with a prototype has been seen, then any subsequent stub
(or definition) of the same subroutine with an attribute was causing an
assertion failure because of a null pointer.

L<[perl #126845]|https://rt.perl.org/Ticket/Display.html?id=126845>

=back

=head1 Selected Bug Fixes

=over 4

=item *

Calls to the placeholder C<&PL_sv_yes> used internally when an C<import()> or
C<unimport()> method isn't found now correctly handle scalar context.
L<[perl #126042]|https://rt.perl.org/Ticket/Display.html?id=126042>

=item *

The L<C<pipe()>|perlfunc/pipe> operator would assert for C<DEBUGGING> builds
instead of producing the correct error message. The condition asserted on is
detected and reported on correctly without the assertions, so the assertions
were removed.
L<[perl #126480]|https://rt.perl.org/Ticket/Display.html?id=126480>

=item *

In some cases, failing to parse a here-doc would attempt to use freed memory.
This was caused by a pointer not being restored correctly.
L<[perl #126443]|https://rt.perl.org/Ticket/Display.html?id=126443>

=item *

Perl now reports more context when it sees an array where it expects to see an
operator, and avoids an assertion failure.
L<[perl #123737]|https://rt.perl.org/Ticket/Display.html?id=123737>

=item *

If a here-doc was found while parsing another operator, the parser had already
read end of file, and the here-doc was not terminated, perl could produce an
assertion or a segmentation fault. This now reliably complains about the
unterminated here-doc.
L<[perl #125540]|https://rt.perl.org/Ticket/Display.html?id=125540>

=item *

Parsing beyond the end of the buffer when processing a C<#line> directive with
no filename is now avoided.
L<[perl #127334]|https://rt.perl.org/Ticket/Display.html?id=127334>

=item *

Perl 5.22.0 added support for the C99 hexadecimal floating point notation, but
sometimes misparsed hex floats. This has been fixed.
L<[perl #127183]|https://rt.perl.org/Ticket/Display.html?id=127183>

=item *

Certain regex patterns involving a complemented POSIX class in an inverted
bracketed character class, and matching something else optionally would
improperly fail to match. An example of one that could fail is
C<qr/_?[^\Wbar]\x{100}/>. This has been fixed.
L<[perl #127537]|https://rt.perl.org/Ticket/Display.html?id=127537>

=item *

Fixed an issue with L<C<pack()>|perlfunc/pack> where C<< pack "H" >> (and
C<< pack "h" >>) could read past the source when given a non-utf8 source and a
utf8 target.
L<[perl #126325]|https://rt.perl.org/Ticket/Display.html?id=126325>

=item *

Fixed some cases where perl would abort due to a segmentation fault, or a
C-level assert.
L<[perl #126193]|https://rt.perl.org/Ticket/Display.html?id=126193>
L<[perl #126257]|https://rt.perl.org/Ticket/Display.html?id=126257>
L<[perl #126258]|https://rt.perl.org/Ticket/Display.html?id=126258>
L<[perl #126405]|https://rt.perl.org/Ticket/Display.html?id=126405>
L<[perl #126602]|https://rt.perl.org/Ticket/Display.html?id=126602>
L<[perl #127773]|https://rt.perl.org/Ticket/Display.html?id=127773>
L<[perl #127786]|https://rt.perl.org/Ticket/Display.html?id=127786>

=item *

A memory leak when setting C<$ENV{foo}> on Darwin has been fixed.
L<[perl #126240]|https://rt.perl.org/Ticket/Display.html?id=126240>

=item *

Perl now correctly raises an error when trying to compile patterns with
unterminated character classes while there are trailing backslashes.
L<[perl #126141]|https://rt.perl.org/Ticket/Display.html?id=126141>

=item *

C<NOTHING> regops and C<EXACTFU_SS> regops in C<make_trie()> are now handled
properly.
L<[perl #126206]|https://rt.perl.org/Ticket/Display.html?id=126206>

=item *

Perl now only tests C<semctl()> if we have everything needed to use it. In
FreeBSD the C<semctl()> entry point may exist, but it can be disabled by
policy.
L<[perl #127533]|https://rt.perl.org/Ticket/Display.html?id=127533>

=item *

A regression that allowed undeclared barewords as hash keys to work despite
strictures has been fixed.
L<[perl #126981]|https://rt.perl.org/Ticket/Display.html?id=126981>

=item *

As an optimization (introduced in Perl 5.20.0), L<C<uc()>|perlfunc/uc>,
L<C<lc()>|perlfunc/lc>, L<C<ucfirst()>|perlfunc/ucfirst> and
L<C<lcfirst()>|perlfunc/lcfirst> sometimes modify their argument in-place
rather than returning a modified copy. The criteria for this optimization have
been made stricter to avoid these functions accidentally modifying in-place
when they should not, which has been happening in some cases, e.g. in
L<List::Util>.

=item *

Excessive memory usage in the compilation of some regular expressions involving
non-ASCII characters has been reduced. A more complete fix is forthcoming in
Perl 5.24.0.

=back

=head1 Acknowledgements

Perl 5.22.2 represents approximately 5 months of development since Perl 5.22.1
and contains approximately 3,000 lines of changes across 110 files from 24
authors.

Excluding auto-generated files, documentation and release tools, there were
approximately 1,500 lines of changes to 52 .pm, .t, .c and .h files.

Perl continues to flourish into its third decade thanks to a vibrant community
of users and developers. The following people are known to have contributed
the improvements that became Perl 5.22.2:

Aaron Crane, Abigail, Andreas König, Aristotle Pagaltzis, Chris 'BinGOs'
Williams, Craig A. Berry, Dagfinn Ilmari Mannsåker, David Golden, David
Mitchell, H.Merijn Brand, James E Keenan, Jarkko Hietaniemi, Karen Etheridge,
Karl Williamson, Matthew Horsfall, Niko Tyni, Ricardo Signes, Sawyer X, Stevan
Little, Steve Hay, Todd Rinaldo, Tony Cook, Vladimir Timofeev, Yves Orton.

The list above is almost certainly incomplete as it is automatically generated
from version control history. In particular, it does not include the names of
the (very much appreciated) contributors who reported issues to the Perl bug
tracker.

Many of the changes included in this version originated in the CPAN modules
included in Perl's core. We're grateful to the entire CPAN community for
helping Perl to flourish.

For a more complete list of all of Perl's historical contributors, please see
the F<AUTHORS> file in the Perl source distribution.

=head1 Reporting Bugs

If you find what you think is a bug, you might check the articles recently
posted to the comp.lang.perl.misc newsgroup and the perl bug database at
https://rt.perl.org/ . There may also be information at http://www.perl.org/ ,
the Perl Home Page.

If you believe you have an unreported bug, please run the L<perlbug> program
included with your release. Be sure to trim your bug down to a tiny but
sufficient test case. Your bug report, along with the output of C<perl -V>,
will be sent off to perlbug@perl.org to be analysed by the Perl porting team.

If the bug you are reporting has security implications, which make it
inappropriate to send to a publicly archived mailing list, then please send it
to perl5-security-report@perl.org. This points to a closed subscription
unarchived mailing list, which includes all the core committers, who will be
able to help assess the impact of issues, figure out a resolution, and help
co-ordinate the release of patches to mitigate or fix the problem across all
platforms on which Perl is supported. Please only use this address for
security issues in the Perl core, not for modules independently distributed on
CPAN.

=head1 SEE ALSO

The F<Changes> file for an explanation of how to view exhaustive details on
what changed.

The F<INSTALL> file for how to build Perl.

The F<README> file for general stuff.

The F<Artistic> and F<Copying> files for copyright information.

=cut