Security Advisories (4)

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

NAME

perldelta - what is new for perl v5.29.10

DESCRIPTION

This document describes differences between the 5.29.9 release and the 5.29.10 release.

If you are upgrading from an earlier release such as 5.29.8, first read perl5299delta, which describes differences between 5.29.8 and 5.29.9.

Core Enhancements

Perl now supports draft Unicode 12.1

Unicode 12.1 differs from 12.0 only in the addition of a single character, that for the new Japanese era name. The intent is to ship Perl 5.30 with Unicode 12.1. The final release of 12.1 is scheduled for May 7, 2019. Hopefully, there won't be any code changes to the draft after the release of Perl 5.29.10.

Modules and Pragmata

Updated Modules and Pragmata

Data::Dumper has been upgraded from version 2.173 to 2.174.

Data::Dumper now avoids leak when croaking.
ExtUtils::CBuilder has been upgraded from version 0.280230 to 0.280231.
File::Spec has been upgraded from version 3.77 to 3.78.

Silence Cwd warning on Android builds if targetsh is not defined.
I18N::Langinfo has been upgraded from version 0.17 to 0.18.
Module::CoreList has been upgraded from version 5.20190320 to 5.20190420.
Module::Metadata has been upgraded from version 1.000033 to 1.000036.

Properly clean up temporary directories after testing.
POSIX has been upgraded from version 1.87 to 1.88.
Storable has been upgraded from version 3.14 to 3.15.

Platform Support

Platform-Specific Notes

Windows

Support for compiling perl on Windows using Microsoft Visual Studio 2019 (containing Visual C++ 14.2) has been added.

Internal Changes

A new function "my_strtod" in perlapi or its synonym, Strtod(), is now available with the same signature as the libc strtod(). It provides strotod() equivalent behavior on all platforms, using the best available precision, depending on platform capabilities and Configure options, while handling locale-related issues, such as if the radix character should be a dot or comma.

Selected Bug Fixes

Perl now exposes POSIX getcwd as Internals::getcwd() if available. This is intended for use by Cwd.pm during bootstrapping and may be removed or changed without notice. This fixes some bootstrapping issues while building perl in a directory where some ancestor directory isn't readable. [perl #133951]

Errata From Previous Releases

The perldelta for 5.29.9 listed the enhancement about regular expression lookbehind in the Security section rather than the Core Enhancements section. Its title should also have indicated that it is "Limited" variable-length lookbehind (up to 255 characters). (Note that a technique has now been published to achieve arbitrary variable length lookbehind with pre-existing Perl constructs and is linked to in perlre. It is http://www.drregex.com/2019/02/variable-length-lookbehinds-actually.html.)

Acknowledgements

Perl 5.29.10 represents approximately 4 weeks of development since Perl 5.29.9 and contains approximately 29,000 lines of changes across 230 files from 19 authors.

Excluding auto-generated files, documentation and release tools, there were approximately 21,000 lines of changes to 98 .pm, .t, .c and .h files.

Perl continues to flourish into its fourth decade thanks to a vibrant community of users and developers. The following people are known to have contributed the improvements that became Perl 5.29.10:

Alberto Simões, Brian Greenfield, Dan Book, David Mitchell, Ed J, Hugo van der Sanden, James E Keenan, Karen Etheridge, Karl Williamson, Niko Tyni, Richard Leach, Sawyer X, Sisyphus, Steve Hay, Tomasz Konojacki, Tom Wyant, Tony Cook, Unicode Consortium, Zak B. Elep.

The list above is almost certainly incomplete as it is automatically generated from version control history. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker.

Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.

For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.

Reporting Bugs

If you find what you think is a bug, you might check the perl bug database at https://rt.perl.org/. There may also be information at http://www.perl.org/, the Perl Home Page.

If you believe you have an unreported bug, please run the perlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to perlbug@perl.org to be analysed by the Perl porting team.

If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see "SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec for details of how to report the issue.

Give Thanks

If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, you can do so by running the perlthanks program:

perlthanks

This will send an email to the Perl 5 Porters list with your show of thanks.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)