/ 
perl-5.25.4
⭐ Starred 2013
/ perl5121delta
Security Advisories (10)
CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

NAME

perl5121delta - what is new for perl v5.12.1

DESCRIPTION

This document describes differences between the 5.12.0 release and the 5.12.1 release.

If you are upgrading from an earlier release such as 5.10.1, first read perl5120delta, which describes differences between 5.10.1 and 5.12.0.

Incompatible Changes

There are no changes intentionally incompatible with 5.12.0. If any incompatibilities with 5.12.0 exist, they are bugs. Please report them.

Core Enhancements

Other than the bug fixes listed below, there should be no user-visible changes to the core language in this release.

Modules and Pragmata

Pragmata Changes

  • We fixed exporting of is_strict and is_lax from version.

    These were being exported with a wrapper that treated them as method calls, which caused them to fail. They are just functions, are documented as such, and should never be subclassed, so this patch just exports them directly as functions without the wrapper.

Updated Modules

  • We upgraded CGI.pm to version 3.49 to incorporate fixes for regressions introduced in the release we shipped with Perl 5.12.0.

  • We upgraded Pod::Simple to version 3.14 to get an improvement to \C\<\< \>\> parsing.

  • We made a small fix to the CPANPLUS test suite to fix an occasional spurious test failure.

  • We upgraded Safe to version 2.27 to wrap coderefs returned by reval() and rdo().

Changes to Existing Documentation

  • We added the new maintenance release policy to perlpolicy.pod

  • We've clarified the multiple-angle-bracket construct in the spec for POD in perlpodspec

  • We added a missing explanation for a warning about := to perldiag.pod

  • We removed a false claim in perlunitut that all text strings are Unicode strings in Perl.

  • We updated the Github mirror link in perlrepository to mirrors/perl, not github/perl

  • We fixed a minor error in perl5114delta.pod.

  • We replaced a mention of the now-obsolete Switch.pm with given/when.

  • We improved documentation about $sitelibexp/sitecustomize.pl in perlrun.

  • We corrected perlmodlib.pod which had unintentionally omitted a number of modules.

  • We updated the documentation for 'require' in perlfunc.pod relating to putting Perl code in @INC.

  • We reinstated some erroneously-removed documentation about quotemeta in perlfunc.

  • We fixed an a2p example in perlutil.pod.

  • We filled in a blank in perlport.pod with the release date of Perl 5.12.

  • We fixed broken links in a number of perldelta files.

  • The documentation for Carp.pm incorrectly stated that the $Carp::Verbose variable makes cluck generate stack backtraces.

  • We fixed a number of typos in Pod::Functions

  • We improved documentation of case-changing functions in perlfunc.pod

  • We corrected perlgpl.pod to contain the correct version of the GNU General Public License.

Testing

Testing Improvements

  • t/op/sselect.t is now less prone to clock jitter during timing checks on Windows.

    sleep() time on Win32 may be rounded down to multiple of the clock tick interval.

  • lib/blib.t and lib/locale.t: Fixes for test failures on Darwin/PPC

  • perl5db.t: Fix for test failures when Term::ReadLine::Gnu is installed.

Installation and Configuration Improvements

Configuration improvements

  • We updated INSTALL with notes about how to deal with broken dbm.h on OpenSUSE (and possibly other platforms)

Bug Fixes

Platform Specific Notes

HP-UX

  • Perl now allows -Duse64bitint without promoting to use64bitall on HP-UX

AIX

  • Perl now builds on AIX 4.2

    The changes required work around AIX 4.2s' lack of support for IPv6, and limited support for POSIX sigaction().

FreeBSD 7

  • FreeBSD 7 no longer contains /usr/bin/objformat. At build time, Perl now skips the objformat check for versions 7 and higher and assumes ELF.

VMS

  • It's now possible to build extensions on older (pre 7.3-2) VMS systems.

    DCL symbol length was limited to 1K up until about seven years or so ago, but there was no particularly deep reason to prevent those older systems from configuring and building Perl.

  • We fixed the previously-broken -Uuseperlio build on VMS.

    We were checking a variable that doesn't exist in the non-default case of disabling perlio. Now we only look at it when it exists.

  • We fixed the -Uuseperlio command-line option in configure.com.

    Formerly it only worked if you went through all the questions interactively and explicitly answered no.

Known Problems

  • List::Util::first misbehaves in the presence of a lexical $_ (typically introduced by my $_ or implicitly by given). The variable which gets set for each iteration is the package variable $_, not the lexical $_.

    A similar issue may occur in other modules that provide functions which take a block as their first argument, like

    foo { ... $_ ...} list

    See also: http://rt.perl.org/rt3/Public/Bug/Display.html?id=67694

  • Module::Load::Conditional and version have an unfortunate interaction which can cause CPANPLUS to crash when it encounters an unparseable version string. Upgrading to CPANPLUS 0.9004 or Module::Load::Conditional 0.38 from CPAN will resolve this issue.

Acknowledgements

Perl 5.12.1 represents approximately four weeks of development since Perl 5.12.0 and contains approximately 4,000 lines of changes across 142 files from 28 authors.

Perl continues to flourish into its third decade thanks to a vibrant community of users and developers. The following people are known to have contributed the improvements that became Perl 5.12.1:

Ævar Arnfjörð Bjarmason, Chris Williams, chromatic, Craig A. Berry, David Golden, Father Chrysostomos, Florian Ragwitz, Frank Wiegand, Gene Sullivan, Goro Fuji, H.Merijn Brand, James E Keenan, Jan Dubois, Jesse Vincent, Josh ben Jore, Karl Williamson, Leon Brocard, Michael Schwern, Nga Tang Chan, Nicholas Clark, Niko Tyni, Philippe Bruhat, Rafael Garcia-Suarez, Ricardo Signes, Steffen Mueller, Todd Rinaldo, Vincent Pit and Zefram.

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at http://rt.perl.org/perlbug/ . There may also be information at http://www.perl.org/ , the Perl Home Page.

If you believe you have an unreported bug, please run the perlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to perlbug@perl.org to be analysed by the Perl porting team.

If the bug you are reporting has security implications, which make it inappropriate to send to a publicly archived mailing list, then please send it to perl5-security-report@perl.org. This points to a closed subscription unarchived mailing list, which includes all the core committers, who will be able to help assess the impact of issues, figure out a resolution, and help co-ordinate the release of patches to mitigate or fix the problem across all platforms on which Perl is supported. Please only use this address for security issues in the Perl core, not for modules independently distributed on CPAN.

SEE ALSO

The Changes file for an explanation of how to view exhaustive details on what changed.

The INSTALL file for how to build Perl.

The README file for general stuff.

The Artistic and Copying files for copyright information.