perl5224cdelta - what is new for cperl v5.22.4
This document describes perl-only differences between the cperl 5.22.3 release and the cperl 5.22.4 release.
For cperl also see Changes and perlcperl
Replace all % characters in user-controlled library filenames, passed via the system dl_error call verbatim to printf, without any arguments on the stack, which could lead to execution of arbitrary stack code. No CVE. This affects all systems with dynamic loading where the attacker can cause a dynamic loading error.
CVSSv2 Severity: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:H/IR:H/AR:ND)
In deviation from Unicode 1.1 we treat the two HANGUL FILLER characters +UFFA0 and +U3164 not as valid ID_Start and ID_Continue characters for perl identifiers. Variable and package names may not begin with them and may not contain them.
They are usually rendered as whitespace, and would lead to classic TR39 confusables. See https://github.com/jagracey/Awesome-Unicode#user-content-variable-identifiers-can-effectively-include-whitespace and http://www.unicode.org/reports/tr39/.
In a more Korean friendly environment, we could check for a ID_Start Hangul filler if the next character is a valid Hangul ID_Continue character, and allow it then. Ditto for a ID_Continue Hangul filler if the previous and next character is a valid Hangul ID_Start or ID_Continue character, and allow it then. But those fillers should be treated as whitespace, and should be ignored.
http://www.unicode.org/L2/L2006/06310-hangul-decompose9.pdf explains:
The two other hangul fillers HANGUL CHOSEONG FILLER (Lf), i.e. lead filler, and HANGUL JUNGSEONG FILLER (Vf) are used as placeholders for missing letters, where there should be at least one letter.
... that leaves the (HALFWIDTH) HANGUL FILLERs useless. Indeed, they should not be rendered at all, despite that they have been given the property Lo. Note that these FILLERs are also given the property of Default_Ignorable_Codepoint.
Note that the standard normal forms NFKD and NFKC ... return (in all views) incorrect results for strings containing these characters.
Many Windows and cygwin fixes, for the old MSVC compiler, and PERL_CORE test integration. Use many new core exports needed for windows.
Update perlcc to 2.21, handle multiple -I and -L arguments.
Handle cperl OP_SIGNATURE.
Fix refcount of cop hints hashes with 5.22-nt [cperl #220]
Better UVX L and U suffices.
Handle shared IV and UV xpv structs, fixed 5.24 specific assertions, with shared xpviv/xpvuv. fixed wrong 32 bit ptr offset. re-enabled all 32bit tests.
Handle changed subdirs-test target with newer EUMM.
Add more cperl-specific ops: aelem*_u, u_{add,subtract,multiply}, {i,n,s}_aelem{,_u}
cperl patches. Add tests for 5.22 and 5.24. Support some multi-line keys: ccflags ldflags lddlflags Changed tests to use done_testing().
Improve error message with class based method calls, when forgetting ->new. [#66]
Fix a off-by-one IV_MIN -> NV overflow in decode_json. [#67] (xdg)
Avoid encode_sv SEGV with -Dusequadmath. [#62] Fix quadmath NV stringification.
Preserve numbers as numbers, enforce an added .0 (xdg). Also note that 42+"bar" will result >=5.10 in numbers not integers, => 42.0
Support the latest versions.
cperl specific: Minor -Dfortify_inc fixes, kept our Hv macros, fix __attribute__((warn_unused_result)) on windows.
Silence some CC warnings
Fix my to our $XS_VERSION
Check for max length before derefing by length (jhi) RT #111707
See "DynaLoader format string hardening" above.
Silence some CC warnings, add changelog.
Silence some CC warnings, esp. on 32bit.
Improvements from cperl-5.24:
-fix for readonly Makefile.PL (in core src tarballs)
-fix wrong SKIP headers
-skip in core make regen tests (--tap)
-more 5.24 and cperl keys
-silence unused classname compiler warning
-link to Mock::Config in the docs to temp. write to %Config
in tests.
-Dfortify_inc fixes-regen the XSConfig.t/Config_xs.PL key lists
-remove now generated/range operator-ed config_arg keys from XSConfig.t they are redundant
-add common keys d_memmem d_uselocale d_freelocale d_newlocale to CPAN
-clean build product Config_xs_tmp.in
-PERL_UNUSED_ARG fix for 5.8.7
-Silence some CC warnings.
With our Net::Domain patch for darwin. Improved utf8 and ipv6 support.
Now based on Pod::Simple, not on Pod::Parser anymore. dos2unix
Silence some CC warnings.
Improve d_u32align diagnostic message
Fixed regression from 5.22.1c for windows.
Added a make archclean target for POSIX platforms, which does not require a new Configure call.
Fixed a couple of quadmath detection issues.
Changes which affect the interface available to XS code go here. Other significant internal changes for future core maintainers should be noted as well.
SvREADONLY_off(sv) is only usable as statement, not as expression anymore. It broke Sun C 5.12, in ByteLoader. See [cperl #183].
Known bug upstream, not fixed there. This problem appears more often with cperl with its protected coretypes than upstream.
Also do not treat %: as a stash.
Fedora Patches 37, 36.
Fedora Patch35
Fedora Patch34
Fedora Patch32
E.g. when use re 'strict'; is used.
Fedora Patch31
With many backref groups (>I32)
Handle get magic with globs in the regex compiler. Correctly restore context, esp. when loading unicode swashes. Reported at 5.12, patched for suse 5.14, still ignored with 5.24.
A race condition which occurred when computing "$!" with threads activated has been fixed. This showed up only on Darwin platforms. A related problem on Cygwin platforms involving UTF-8 strings has also been fixed. See RT #127708
See RT #128204
See RT #63244 or http://bugs.debian.org/164615, crashes from 5.8.8 to blead.
env PERLIO=stdio perl -e'open(F, "<&STDOUT")' 1</dev/null
See RT #128597.
open my $fh, ">", \$buf; my $sub = eval q|sub {die}|; $sub->()' crashed in 5.22 to 5.24.1.
5.18 which added newSTUB, did not take into account that a GV may have a null GvSTASH pointer, if its stash has been freed, so this crashed. See RT #128532.
delete $My::{"Foo::"}; \&My::Foo::foo crashed from 5.18 to 5.24.1.
cperl 5.22.4 represents approximately 2 months of development since cperl 5.22.3 and contains approximately 900,000 lines of changes across 570 files from 13 authors.
Excluding auto-generated files, documentation and release tools, there were approximately 7,900 lines of changes to 120 .pm, .t, .c and .h files.
The following people are known to have contributed the improvements that became cperl 5.22.4:
Reini Urban, Father Chrysostomos, Karl Williamson, David Mitchell, Daniel Dragan, Tony Cook, Lukas Mai, Niko Tyni, H.Merijn Brand, Hugo van der Sanden, Dagfinn Ilmari Mannsåker, Aaron Crane, Dan Collins.
The list above is almost certainly incomplete as it is automatically generated from version control history. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker.
Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.
For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.
If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at https://rt.perl.org/ . There may also be information at http://www.perl.org/ , the Perl Home Page.
If you believe you have an unreported bug, please run the perlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to perlbug@perl.org to be analysed by the Perl porting team.
If you think it's a cperl specific bug or trust the cperl developers more please file an issue at https://github.com/perl11/cperl/issues.
If the bug you are reporting has security implications, which make it inappropriate to send to a publicly archived mailing list, then please send it to perl5-security-report@perl.org. This points to a closed subscription unarchived mailing list, which includes all the core committers, who will be able to help assess the impact of issues, figure out a resolution, and help co-ordinate the release of patches to mitigate or fix the problem across all platforms on which Perl is supported. Please only use this address for security issues in the Perl core, not for modules independently distributed on CPAN.
If you trust the cperl developers more, please send an email to them. The p5p security teams skips many security issues, or are unwilling to fix them.
The Changes file for an explanation of how to view exhaustive details on what changed.
The INSTALL file for how to build Perl.
The README file for general stuff.
The Artistic and Copying files for copyright information.