perl5243delta - what is new for perl v5.24.3
This document describes differences between the 5.24.2 release and
the 5.24.3 release.
If you are upgrading from an earlier release such as 5.24.1, first
read perl5242delta, which describes differences between 5.24.1 and
5.24.2.
[CVE-2017-12837] Heap buffer overflow in regular expression
compiler
Compiling certain regular expression patterns with the
case-insensitive modifier could cause a heap buffer overflow and crash perl.
This has now been fixed. [perl #131582]
<https://rt.perl.org/Public/Bug/Display.html?id=131582>
[CVE-2017-12883] Buffer over-read in regular expression
parser
For certain types of syntax error in a regular expression pattern,
the error message could either contain the contents of a random, possibly
large, chunk of memory, or could crash perl. This has now been fixed. [perl
#131598] <https://rt.perl.org/Public/Bug/Display.html?id=131598>
[CVE-2017-12814] $ENV{$key} stack buffer overflow on Windows
A possible stack buffer overflow in the
%ENV code on Windows has been fixed by removing the
buffer completely since it was superfluous anyway. [perl #131665]
<https://rt.perl.org/Public/Bug/Display.html?id=131665>
There are no changes intentionally incompatible with 5.24.2. If
any exist, they are bugs, and we request that you submit a report. See
"Reporting Bugs" below.
- When building with GCC 6 and link-time optimization (the -flto
option to gcc), Configure was treating all probed symbols as
present on the system, regardless of whether they actually exist. This has
been fixed. [perl #128131]
<https://rt.perl.org/Public/Bug/Display.html?id=128131>
- Configure now aborts if both
"-Duselongdouble" and
"-Dusequadmath" are requested. [perl
#126203]
<https://rt.perl.org/Public/Bug/Display.html?id=126203>
- Fixed a bug in which Configure could append
"-quadmath" to the archname even if it
was already present. [perl #128538]
<https://rt.perl.org/Public/Bug/Display.html?id=128538>
- Clang builds with "-DPERL_GLOBAL_STRUCT"
or "-DPERL_GLOBAL_STRUCT_PRIVATE" have
been fixed (by disabling Thread Safety Analysis for these
configurations).
- VMS
- •
- "configure.com" now recognizes the
VSI-branded C compiler.
- Windows
- •
- Building XS modules with GCC 6 in a 64-bit build of Perl failed due to
incorrect mapping of "strtoll" and
"strtoull". This has now been fixed.
[perl #131726]
<https://rt.perl.org/Public/Bug/Display.html?id=131726> [cpan
#121683] <https://rt.cpan.org/Public/Bug/Display.html?id=121683>
[cpan #122353]
<https://rt.cpan.org/Public/Bug/Display.html?id=122353>
- "/@0{0*->@*/*0" and similar
contortions used to crash, but no longer do, but merely produce a syntax
error. [perl #128171]
<https://rt.perl.org/Public/Bug/Display.html?id=128171>
- "do" or
"require" with an argument which is a
reference or typeglob which, when stringified, contains a null character,
started crashing in Perl 5.20, but has now been fixed. [perl #128182]
<https://rt.perl.org/Public/Bug/Display.html?id=128182>
- Expressions containing an "&&"
or "||" operator (or their synonyms
"and" and
"or") were being compiled incorrectly in
some cases. If the left-hand side consisted of either a negated bareword
constant or a negated "do {}" block
containing a constant expression, and the right-hand side consisted of a
negated non-foldable expression, one of the negations was effectively
ignored. The same was true of "if" and
"unless" statement modifiers, though
with the left-hand and right-hand sides swapped. This long-standing bug
has now been fixed. [perl #127952]
<https://rt.perl.org/Public/Bug/Display.html?id=127952>
- "reset" with an argument no longer
crashes when encountering stash entries other than globs. [perl #128106]
<https://rt.perl.org/Public/Bug/Display.html?id=128106>
- Assignment of hashes to, and deletion of, typeglobs named
*:::::: no longer causes crashes. [perl #128086]
<https://rt.perl.org/Public/Bug/Display.html?id=128086>
- Assignment variants of any bitwise ops under the
"bitwise" feature would crash if the
left-hand side was an array or hash. [perl #128204]
<https://rt.perl.org/Public/Bug/Display.html?id=128204>
- "socket" now leaves the error code
returned by the system in $! on failure. [perl
#128316]
<https://rt.perl.org/Public/Bug/Display.html?id=128316>
- Parsing bad POSIX charclasses no longer leaks memory. [perl #128313]
<https://rt.perl.org/Public/Bug/Display.html?id=128313>
- Since Perl 5.20, line numbers have been off by one when perl is invoked
with the -x switch. This has been fixed. [perl #128508]
<https://rt.perl.org/Public/Bug/Display.html?id=128508>
- Some obscure cases of subroutines and file handles being freed at the same
time could result in crashes, but have been fixed. The crash was
introduced in Perl 5.22. [perl #128597]
<https://rt.perl.org/Public/Bug/Display.html?id=128597>
- Some regular expression parsing glitches could lead to assertion failures
with regular expressions such as
"/(?<=/" and
"/(?<!/". This has now been fixed.
[perl #128170]
<https://rt.perl.org/Public/Bug/Display.html?id=128170>
- "gethostent" and similar functions now
perform a null check internally, to avoid crashing with the torsocks
library. This was a regression from Perl 5.22. [perl #128740]
<https://rt.perl.org/Public/Bug/Display.html?id=128740>
- Mentioning the same constant twice in a row (which is a syntax error) no
longer fails an assertion under debugging builds. This was a regression
from Perl 5.20. [perl #126482]
<https://rt.perl.org/Public/Bug/Display.html?id=126482>
- In Perl 5.24 "fchown" was changed not to
accept negative one as an argument because in some platforms that is an
error. However, in some other platforms that is an acceptable argument.
This change has been reverted. [perl #128967]
<https://rt.perl.org/Public/Bug/Display.html?id=128967>.
- "@{x" followed by a newline where
"x" represents a control or non-ASCII
character no longer produces a garbled syntax error message or a crash.
[perl #128951]
<https://rt.perl.org/Public/Bug/Display.html?id=128951>
- A regression in Perl 5.24 with
"tr/\N{U+...}/foo/" when the code point
was between 128 and 255 has been fixed. [perl #128734]
<https://rt.perl.org/Public/Bug/Display.html?id=128734>.
- Many issues relating to "printf
"%a"" of hexadecimal floating point were fixed. In
addition, the "subnormals" (formerly known as
"denormals") floating point numbers are now supported both with
the plain IEEE 754 floating point numbers (64-bit or 128-bit) and the x86
80-bit "extended precision". Note that subnormal hexadecimal
floating point literals will give a warning about "exponent
underflow". [perl #128843]
<https://rt.perl.org/Public/Bug/Display.html?id=128843> [perl
#128888] <https://rt.perl.org/Public/Bug/Display.html?id=128888>
[perl #128889]
<https://rt.perl.org/Public/Bug/Display.html?id=128889> [perl
#128890] <https://rt.perl.org/Public/Bug/Display.html?id=128890>
[perl #128893]
<https://rt.perl.org/Public/Bug/Display.html?id=128893> [perl
#128909] <https://rt.perl.org/Public/Bug/Display.html?id=128909>
[perl #128919]
<https://rt.perl.org/Public/Bug/Display.html?id=128919>
- The parser could sometimes crash if a bareword came after
"evalbytes". [perl #129196]
<https://rt.perl.org/Public/Bug/Display.html?id=129196>
- Fixed a place where the regex parser was not setting the syntax error
correctly on a syntactically incorrect pattern. [perl #129122]
<https://rt.perl.org/Public/Bug/Display.html?id=129122>
- A vulnerability in Perl's "sprintf"
implementation has been fixed by avoiding a possible memory wrap. [perl
#131260]
<https://rt.perl.org/Public/Bug/Display.html?id=131260>
Perl 5.24.3 represents approximately 2 months of development since
Perl 5.24.2 and contains approximately 3,200 lines of changes across 120
files from 23 authors.
Excluding auto-generated files, documentation and release tools,
there were approximately 1,600 lines of changes to 56 .pm, .t, .c and .h
files.
Perl continues to flourish into its third decade thanks to a
vibrant community of users and developers. The following people are known to
have contributed the improvements that became Perl 5.24.3:
Aaron Crane, Craig A. Berry, Dagfinn Ilmari Mannsåker, Dan
Collins, Daniel Dragan, Dave Cross, David Mitchell, Eric Herman, Father
Chrysostomos, H.Merijn Brand, Hugo van der Sanden, James E Keenan, Jarkko
Hietaniemi, John SJ Anderson, Karl Williamson, Ken Brown, Lukas Mai, Matthew
Horsfall, Stevan Little, Steve Hay, Steven Humphrey, Tony Cook, Yves
Orton.
The list above is almost certainly incomplete as it is
automatically generated from version control history. In particular, it does
not include the names of the (very much appreciated) contributors who
reported issues to the Perl bug tracker.
Many of the changes included in this version originated in the
CPAN modules included in Perl's core. We're grateful to the entire CPAN
community for helping Perl to flourish.
For a more complete list of all of Perl's historical contributors,
please see the AUTHORS file in the Perl source distribution.
If you find what you think is a bug, you might check the articles
recently posted to the comp.lang.perl.misc newsgroup and the perl bug
database at <https://rt.perl.org/> . There may also be information at
<http://www.perl.org/> , the Perl Home Page.
If you believe you have an unreported bug, please run the perlbug
program included with your release. Be sure to trim your bug down to a tiny
but sufficient test case. Your bug report, along with the output of
"perl -V", will be sent off to
perlbug@perl.org to be analysed by the Perl porting team.
If the bug you are reporting has security implications which make
it inappropriate to send to a publicly archived mailing list, then see
"SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec for
details of how to report the issue.
The Changes file for an explanation of how to view
exhaustive details on what changed.
The INSTALL file for how to build Perl.
The README file for general stuff.
The Artistic and Copying files for copyright
information.