Security Advisories (20)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

NAME

perl5114delta - what is new for perl v5.11.4

DESCRIPTION

This document describes differences between the 5.11.3 release and the 5.11.4 release.

If you are upgrading from an earlier release such as 5.11.2, first read perl5113delta, which describes differences between 5.11.2 and 5.11.3.

Incompatible Changes

Version number formats

Acceptable version number formats have been formalized into "strict" and "lax" rules. package NAME VERSION takes a strict version number. use NAME VERSION takes a lax version number. UNIVERSAL::VERSION and the version object constructors take lax version numbers. Providing an invalid version will result in a fatal error.

These formats will be documented fully in the version module in a subsequent release of Perl 5.11. To a first approximation, a "strict" version number is a positive decimal number (integer or decimal-fraction) without exponentiation or else a dotted-decimal v-string with a leading 'v' character and at least three components. A "lax" version number allows v-strings with fewer than three components or without a leading 'v'. Under "lax" rules, both decimal and dotted-decimal versions may have a trailing "alpha" component separated by an underscore character after a fractional or dotted-decimal component.

The version module adds version::is_strict and version::is_lax functions to check a scalar against these rules.
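The strict and lax checks described above can gate version strings that come from outside the program before they reach a constructor that treats invalid input as fatal. The following is an added example, not code from the Perl distribution or its documentation; the helper names classify_version and parse_checked and the sample strings are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: classify untrusted version strings with the
# version::is_strict / version::is_lax checks before parsing them.
use strict;
use warnings;
use version 0.81;    # the version.pm release this page says adds both checks

# Constructed sample inputs, standing in for version fields read from
# untrusted metadata.
my @samples = ('1.02', 'v1.2.3', '1.2.3', 'v1.2', '1.02_03', '1e3', '',
               'not-a-version');

# Hypothetical helper: return 'strict', 'lax' or 'invalid' for one scalar.
sub classify_version {
    my ($candidate) = @_;
    return 'invalid' unless defined $candidate;
    return 'strict'  if version::is_strict($candidate);
    return 'lax'     if version::is_lax($candidate);
    return 'invalid';
}

# Hypothetical helper: build a version object only for strings that passed
# at least the lax check. Everything else is rejected up front, and eval
# contains any error the constructor still raises.
sub parse_checked {
    my ($candidate) = @_;
    return undef if classify_version($candidate) eq 'invalid';
    return eval { version->parse($candidate) };
}

for my $s (@samples) {
    my $class = classify_version($s);
    my $obj   = parse_checked($s);
    printf "%-16s %-8s %s\n", "'$s'", $class,
        defined $obj ? 'parsed as ' . $obj->stringify : 'rejected';
}
```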

Core Enhancements

Unicode properties

\p{XDigit} now matches the same characters as \p{Hex_Digit}. This means that in addition to the characters it currently matches, [A-Fa-f0-9], it will also match their fullwidth equivalent forms, for example U+FF10: FULLWIDTH DIGIT ZERO.

Modules and Pragmata

Pragmata Changes

less

Upgraded from version 0.02 to 0.03.

This version introduces the stash_name method to allow subclasses of less to pick where in %^H to store their stash.

version

Upgraded from version 0.77 to 0.81.

This version adds support for "Version number formats" as described earlier in this document and in its own documentation.

warnings

Upgraded from version 1.08 to 1.09.

This version adds the illegalproto warning category. See also "New or Changed Diagnostics" for this change.

Updated Modules

Archive::Extract

Upgraded from version 0.36 to 0.38.

B::Deparse

Upgraded from version 0.93 to 0.94.

Compress::Raw::Bzip2

Upgraded from version 2.021 to 2.024.

Compress::Raw::Zlib

Upgraded from version 2.021 to 2.024.

CPAN

Upgraded from version 1.94_5301 to 1.94_54.

File::Fetch

Upgraded from version 0.22 to 0.24.

Module::Build

Upgraded from version 0.36 to 0.3603.

Safe

Upgraded from version 2.20 to 2.21.

Anonymous coderefs created in Safe containers no longer get bogus arguments passed to them, fixing RT #72068.

Removed Modules and Pragmata

Devel::DProf::V

Removed from the Perl core. Prior version was 'undef'.

Changes to Existing Documentation

A significant fraction of the core documentation has been updated to clarify the behavior of Perl's Unicode handling.

Much of the remaining core documentation has been reviewed and edited for clarity, consistent use of language, and to fix the spelling of Tom Christiansen's name.

Configuration improvements

USE_ATTRIBUTES_FOR_PERLIO is now reported in the compile-time options listed by the -V switch.

Platform Specific Changes

VMS

The default pipe buffer size on VMS has been updated to 8192 on 64-bit systems.

Selected Bug Fixes

  • Tie::Hash::NamedCapture::* shouldn't abort if passed bad input (RT #71828)

  • @_ and $_ no longer leak under threads (RT #34342 and #41138, also #70602, #70974)

New or Changed Diagnostics

New warning category illegalproto

The two warnings:

    Illegal character in prototype for %s : %s
    Prototype after '%c' for %s : %s

have been moved from the syntax top-level warnings category into a new first-level category, illegalproto. These two warnings are currently the only ones emitted during parsing of an invalid/illegal prototype, so one can now do

    no warnings 'illegalproto';

to suppress only those, but not other syntax-related warnings. Warnings where prototypes are changed, ignored, or not met are still in the prototype category as before. (Matt S. Trout)

lvalue attribute ignored after the subroutine has been defined

This new warning is issued when one attempts to mark a subroutine as lvalue after it has been defined.

Changed Internals

  • Perl_magic_setmglob now knows about globs, fixing RT #71254.

Known Problems

Perl 5.11.4 is a development release leading up to Perl 5.12.0. Some notable known problems found in 5.11.4 are listed as dependencies of RT #69710, the Perl 5 version 12 meta-ticket.

Deprecations

The following items are now deprecated.

UNIVERSAL->import()

The method UNIVERSAL->import() is now deprecated. Attempting to pass import arguments to a use UNIVERSAL statement will result in a deprecation warning. (This is a less noisy version of the full deprecation warning added in 5.11.0.)

Acknowledgements

Perl 5.11.4 represents approximately one month of development since Perl 5.11.3 and contains 17682 lines of changes across 318 files from 40 authors and committers:

Abigail, Andy Dougherty, brian d foy, Chris Williams, Craig A. Berry, David Golden, David Mitchell, Father Chrysostomos, Gerard Goossen, H.Merijn Brand, Jesse Vincent, Jim Cromie, Josh ben Jore, Karl Williamson, kmx, Matt S Trout, Nicholas Clark, Niko Tyni, Paul Marquess, Philip Hazel, Rafael Garcia-Suarez, Rainer Tammer, Reini Urban, Ricardo Signes, Shlomi Fish, Tim Bunce, Todd Rinaldo, Tom Christiansen, Tony Cook, Vincent Pit, and Zefram

Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at http://rt.perl.org/perlbug/. There may also be information at http://www.perl.org/, the Perl Home Page.

If you believe you have an unreported bug, please run the perlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to perlbug@perl.org to be analyzed by the Perl porting team.

If the bug you are reporting has security implications, which make it inappropriate to send to a publicly archived mailing list, then please send it to perl5-security-report@perl.org. This points to a closed subscription unarchived mailing list, which includes all the core committers, who will be able to help assess the impact of issues, figure out a resolution, and help co-ordinate the release of patches to mitigate or fix the problem across all platforms on which Perl is supported. Please only use this address for security issues in the Perl core, not for modules independently distributed on CPAN.

SEE ALSO

The Changes file for an explanation of how to view exhaustive details on what changed.

The INSTALL file for how to build Perl.

The README file for general stuff.

The Artistic and Copying files for copyright information.