"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "pod/perldelta.pod" between
perl-5.28.2.tar.xz and perl-5.28.3.tar.xz

About: Perl (Practical Extraction and Report Language) is a high-level, general-purpose, interpreted, dynamic programming language. Stable release.

[ To the main perl source changes report ]

perldelta.pod  (perl-5.28.2.tar.xz):perldelta.pod  (perl-5.28.3.tar.xz)
=encoding utf8 =encoding utf8
=head1 NAME =head1 NAME
perldelta - what is new for perl v5.28.2 perldelta - what is new for perl v5.28.3
=head1 DESCRIPTION =head1 DESCRIPTION
This document describes differences between the 5.28.1 release and the 5.28.2 This document describes differences between the 5.28.2 release and the 5.28.3
release. release.
If you are upgrading from an earlier release such as 5.28.0, first read If you are upgrading from an earlier release such as 5.28.1, first read
L<perl5281delta>, which describes differences between 5.28.0 and 5.28.1. L<perl5282delta>, which describes differences between 5.28.1 and 5.28.2.
=head1 Incompatible Changes =head1 Security
=head2 Any set of digits in the Common script are legal in a script run of
another script
There are several sets of digits in the Common script. C<[0-9]> is the most
familiar. But there are also C<[\x{FF10}-\x{FF19}]> (FULLWIDTH DIGIT ZERO -
FULLWIDTH DIGIT NINE), and several sets for use in mathematical notation, such
as the MATHEMATICAL DOUBLE-STRUCK DIGITs. Any of these sets should be able to
appear in script runs of, say, Greek. But the previous design overlooked all
but the ASCII digits C<[0-9]>, so the design was flawed. This has been fixed,
so is both a bug fix and an incompatibility.
All digits in a run still have to come from the same set of ten digits. =head2 [CVE-2020-10543] Buffer overflow caused by a crafted regular expression
L<[perl #133547]|https://rt.perl.org/Ticket/Display.html?id=133547>
=head1 Modules and Pragmata
=head2 Updated Modules and Pragmata A signed C<size_t> integer overflow in the storage space calculations for
nested regular expression quantifiers could cause a heap buffer overflow in
Perl's regular expression compiler that overwrites memory allocated after the
regular expression storage space with attacker supplied data.
=over 4 The target system needs a sufficient amount of memory to allocate partial
expansions of the nested quantifiers prior to the overflow occurring. This
requirement is unlikely to be met on 64-bit systems.
=item * Discovered by: ManhND of The Tarantula Team, VinCSS (a member of Vingroup).
L<Module::CoreList> has been upgraded from version 5.20181129_28 to 5.20190419. =head2 [CVE-2020-10878] Integer overflow via malformed bytecode produced by a cr afted regular expression
=item * Integer overflows in the calculation of offsets between instructions for the
regular expression engine could cause corruption of the intermediate language
state of a compiled regular expression. An attacker could abuse this behaviour
to insert instructions into the compiled form of a Perl regular expression.
L<PerlIO::scalar> has been upgraded from version 0.29 to 0.30. Discovered by: Hugo van der Sanden and Slaven Rezic.
=item * =head2 [CVE-2020-12723] Buffer overflow caused by a crafted regular expression
L<Storable> has been upgraded from version 3.08 to 3.08_01. Recursive calls to C<S_study_chunk()> by Perl's regular expression compiler to
optimize the intermediate language representation of a regular expression could
cause corruption of the intermediate language state of a compiled regular
expression.
=back Discovered by: Sergey Aleynikov.
=head1 Platform Support =head2 Additional Note
=head2 Platform-Specific Notes An application written in Perl would only be vulnerable to any of the above
flaws if it evaluates regular expressions supplied by the attacker. Evaluating
regular expressions in this fashion is known to be dangerous since the regular
expression engine does not protect against denial of service attacks in this
usage scenario.
=over 4 =head1 Incompatible Changes
=item Windows
The Windows Server 2003 SP1 Platform SDK build, with its early x64 compiler and
tools, was accidentally broken in Perl 5.27.9. This has now been fixed.
=item Mac OS X
Perl's build and testing process on Mac OS X for C<-Duseshrplib> builds is now
compatible with Mac OS X System Integrity Protection (SIP).
SIP prevents binaries in F</bin> (and a few other places) being passed the
C<DYLD_LIBRARY_PATH> environment variable. For our purposes this prevents
C<DYLD_LIBRARY_PATH> from being passed to the shell, which prevents that
variable being passed to the testing or build process, so running C<perl>
couldn't find F<libperl.dylib>.
To work around that, the initial build of the F<perl> executable expects to
find F<libperl.dylib> in the build directory, and the library path is then
adjusted during installation to point to the installed library.
L<[perl #126706]|https://rt.perl.org/Ticket/Display.html?id=126706> There are no changes intentionally incompatible with Perl 5.28.2. If any
exist, they are bugs, and we request that you submit a report. See
L</Reporting Bugs> below.
=back =head1 Modules and Pragmata
=head1 Selected Bug Fixes =head2 Updated Modules and Pragmata
=over 4 =over 4
=item * =item *
If an in-place edit is still in progress during global destruction and the L<Module::CoreList> has been upgraded from version 5.20190419 to 5.20200601_28.
process exit code (as stored in C<$?>) is zero, perl will now treat the
in-place edit as successful, replacing the input file with any output produced.
This allows code like: =back
perl -i -ne 'print "Foo"; last'
to replace the input file, while code like:
perl -i -ne 'print "Foo"; die'
will not. Partly resolves [perl #133659].
L<[perl #133659]|https://rt.perl.org/Ticket/Display.html?id=133659>
=item *
A regression in Perl 5.28 caused the following code to fail
close(STDIN); open(CHILD, "|wc -l")'
because the child's stdin would be closed on exec. This has now been fixed.
=item *
C<pack "u", "invalid uuencoding"> now properly NUL terminates the zero-length
SV produced.
L<[perl #132655]|https://rt.perl.org/Ticket/Display.html?id=132655>
=item *
Failing to compile a format now aborts compilation. Like other errors in
sub-parses this could leave the parser in a strange state, possibly crashing
perl if compilation continued.
L<[perl #132158]|https://rt.perl.org/Ticket/Display.html?id=132158>
=item *
See L</Any set of digits in the Common script are legal in a script run of =head1 Testing
another script>.
=back Tests were added and changed to reflect the other additions and changes in this
release.
=head1 Acknowledgements =head1 Acknowledgements
Perl 5.28.2 represents approximately 4 months of development since Perl 5.28.1 Perl 5.28.3 represents approximately 13 months of development since Perl 5.28.2
and contains approximately 2,500 lines of changes across 75 files from 13 and contains approximately 3,100 lines of changes across 48 files from 16
authors. authors.
Excluding auto-generated files, documentation and release tools, there were Excluding auto-generated files, documentation and release tools, there were
approximately 1,200 lines of changes to 29 .pm, .t, .c and .h files. approximately 1,700 lines of changes to 9 .pm, .t, .c and .h files.
Perl continues to flourish into its fourth decade thanks to a vibrant community Perl continues to flourish into its fourth decade thanks to a vibrant community
of users and developers. The following people are known to have contributed of users and developers. The following people are known to have contributed
the improvements that became Perl 5.28.2: the improvements that became Perl 5.28.3:
Aaron Crane, Abigail, Andy Dougherty, David Mitchell, Karen Etheridge, Karl Chris 'BinGOs' Williams, Dan Book, Hugo van der Sanden, James E Keenan, John
Williamson, Leon Timmermans, Nicolas R., Sawyer X, Steve Hay, Tina Müller, Lightsey, Karen Etheridge, Karl Williamson, Matthew Horsfall, Max Maischein,
Tony Cook, Zak B. Elep. Nicolas R., Renee Baecker, Sawyer X, Steve Hay, Tom Hukins, Tony Cook, Zak B.
Elep.
The list above is almost certainly incomplete as it is automatically generated The list above is almost certainly incomplete as it is automatically generated
from version control history. In particular, it does not include the names of from version control history. In particular, it does not include the names of
the (very much appreciated) contributors who reported issues to the Perl bug the (very much appreciated) contributors who reported issues to the Perl bug
tracker. tracker.
Many of the changes included in this version originated in the CPAN modules Many of the changes included in this version originated in the CPAN modules
included in Perl's core. We're grateful to the entire CPAN community for included in Perl's core. We're grateful to the entire CPAN community for
helping Perl to flourish. helping Perl to flourish.
For a more complete list of all of Perl's historical contributors, please see For a more complete list of all of Perl's historical contributors, please see
the F<AUTHORS> file in the Perl source distribution. the F<AUTHORS> file in the Perl source distribution.
=head1 Reporting Bugs =head1 Reporting Bugs
If you find what you think is a bug, you might check the perl bug database If you find what you think is a bug, you might check the perl bug database at
at L<https://rt.perl.org/> . There may also be information at L<https://github.com/Perl/perl5/issues>. There may also be information at
L<http://www.perl.org/> , the Perl Home Page. L<https://www.perl.org/>, the Perl Home Page.
If you believe you have an unreported bug, please run the L<perlbug> program If you believe you have an unreported bug, please open an issue at
included with your release. Be sure to trim your bug down to a tiny but L<https://github.com/Perl/perl5/issues>. Be sure to trim your bug down to a
sufficient test case. Your bug report, along with the output of C<perl -V>, tiny but sufficient test case.
will be sent off to perlbug@perl.org to be analysed by the Perl porting team.
If the bug you are reporting has security implications which make it If the bug you are reporting has security implications which make it
inappropriate to send to a publicly archived mailing list, then see inappropriate to send to a public issue tracker, then see
L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> for details of how to
for details of how to report the issue. report the issue.
=head1 Give Thanks =head1 Give Thanks
If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, you
you can do so by running the C<perlthanks> program: can do so by running the C<perlthanks> program:
perlthanks perlthanks
This will send an email to the Perl 5 Porters list with your show of thanks. This will send an email to the Perl 5 Porters list with your show of thanks.
=head1 SEE ALSO =head1 SEE ALSO
The F<Changes> file for an explanation of how to view exhaustive details on The F<Changes> file for an explanation of how to view exhaustive details on
what changed. what changed.
 End of changes. 31 change blocks. 
118 lines changed or deleted 63 lines changed or added
To the POD Documents section of the perl source changes report or the top of this page
Mainly generated by pkgdiff using rfcdiff
Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)