perl5241cdelta - what is new for cperl v5.24.1


This document describes perl-only differences between the cperl 5.24.0 release and the cperl 5.24.1 release.

If you are upgrading from an earlier release such as 5.22.3, first read perl5240cdelta, which describes differences between 5.22.3 and 5.24.0.


perl5.24.1 upstream was a security update to non-existing problem. cperl added PERLIO_DEBUG as optional handle to redirect DEBUGGING outout via -Dx switches to. This is only usable with DEBUGGING perls, which are not used in production, only during development. perl5.24.1 changed PERLIO_DEBUG to only be active for PerlIO debugging together with -Di.


@{ \327 \n } buffer overflows

Fixed @{ \327 \n } tokenizer failures and heap buffer overflows in sv_vcatpvfn_flags() with wrong tracking of PL_linestr, the currently parsed line buffer. This can easily lead to security relevant exploits.

[perl #128951]

eval "q" . chr(overlarge) stack overflow

In eval "q" . chr(100000000064) generating the error message Can't find string terminator "XXX"' was overrunning a local buffer designed to hold a single utf8 char, since it wasn't allowing for the \0 at the end.

[perl #128952]

Protect and warn on hash flood DoS

If the collisions for a hash key lookup exceeds 128 tries (i.e. a linear search in a linked list), this qualifies as a malicious hash DoS (Denial of Service) attack. Generally maximal 8 collisions appear in normal hash table usage. Every 8th such hash flood attack performs a sleep(2) to limit the impact.

This security scheme is much easier and faster than trying to hide the random hash seed with randomized iterators and collisions lists, which cperl doesn't use.

Warn on metasploit CVE-2015-1592

Detection of the destructive attack against Movable-Type, the third vector only, which tries to delete mt-config.cgi was added to was added to Storable 3.01c.

Warns with "SECURITY: Movable-Type CVE-2015-1592 Storable metasploit attack" but does not protect against it.

Warn on metasploit reverse shells

Detect the metasploit payload unix/reverse_perl and some existing variants. This is just a dumb match at startup against existing exploits in the wild, but not future variants. Warns with "SECURITY: metasploit reverse/bind shell payload", but do not protect against it. This warning is thrown even without -w.

Also detects the CVE-2012-1823 reverse/bind shell payload, which is widely exploited too. The security warning is called "SECURITY: CVE-2012-1823 reverse/bind shell payload".

Performance Enhancements

Modules and Pragmata

Updated Modules and Pragmata

Cpanel::JSON::XS 3.027_03

New stringify_infnan(3) infnan_mode. Fix inf/nan detection on HP-UX and others. Use faster strEQc macros. Prefer memEQ for systems without memcmp, to use bcmp there. Add more expect_false() to inf/nan branches. Fix av and hv length types: protect from security sensitive overflows, add HVMAX_T and RITER_T Add new "Hash key too large" error. perl5 silently truncates it, but we prefer errors.

Term::ReadKey 2.35 renamed to ReadKey_pm.PL, expand blockoptions specific variants already at installation, no load-time eval, demand-load Carp, remove unneeded AutoLoader, harmonize formatting

B 1.62_05

Allow a 2nd optional CV argument for B::OP::aux_list, fixing B::Deparse and thereby Data::Dumper and Test2 is_deeply.

Storable 3.01c

"Warn on metasploit CVE-2015-1592"

Config 6.22

protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc). Add i_netinet_in_systm. Removed i_netinet6_in6.

YAML::XS 0.73

merged with upstream libyaml 0.1.7 avoid duplicate checks against NULL fix libyaml clang -Wlogical-op warnings fix libyaml clang -Wlogical-not-parentheses warnings

List::Util 1.45_06

sum/min/max need to call SvGETMAGIC

Sub::Util 1.45_06

set_subname memory fix by @bluhm from Sub::Name 0.20 [cpan #117072]

Fixes for older perls, esp. lexical $_ support.

Reinstate the &DB::sub setter, but no UTF8 support yet.

ExtUtils::Liblist::Kid 8.04_06

one more darwin fix for the wrong no library found warning for symlinked darwin libSystem.dylib libraries.

IO::Socket::IP 0.38

protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc).


- Support setting custom socket options with new Sockopts constructor parameter

- Restore blocking mode after ->connect errors [cpan #112334]

Time::HiRes 1.9739

More Darwin thread fixes for clock_gettime, Sierra support, test improvements.

Socket 2.024_04

Merge cpan 2.024 with our 2.021_02, plus fix some problems in their new code.

Fixes for OpenBSD: Probe for netinet/in_systm.h Removed i_netinet6_in6 probe. This was never used due to a typo. It cannot be used due to RFC 2553.

DynaLoader 2.05c

no mathoms: call_sv instead of call_pv, get_cvs where available.

B-C 1.54_13

Better CopFILE_set, Fixup arenasize refcnt. Delay cvref to init2, properly set a SvRV to a XS sub. Optimize constpv for CvFILE (less constants to merge for gcc). Improve NV precision by one digit. Fix to compile in, abstract and set %INC. Fix generation of @B::C::Config::deps on Windows. Fix !C99 precedence bug (e.g. MSVC). Minor refactor to simplify save_hek. Use the new get_svs, get_avs, get_hvs macros. perlcc add --debug|-D Improve endav XSUB bump Abstract RITER_T and HVMAX_T for the various sizes, compat HEK_STATIC Defer REGCOMP for \P{} properties Change $sv->EXTFLAGS to compflags since 5.22 for CALLREGCOMP(). Turn off MGf_REFCOUNTED. global-buffer-overflow with dynamic COW strings, wrong savepvn args.

base 2.23_01

fixes for missing . in @INC (cperl or -Dfortify_inc).


The following additions or changes have been made to diagnostic output, including warnings and fatal error messages. For the complete list of diagnostic messages, see perldiag.

New Diagnostics

New Errors

New Warnings

Configuration and Compilation


Internal Changes

Selected Bug Fixes


cperl 5.24.1 represents approximately 3 months of development since cperl 5.24.0c and contains approximately 15,000 lines of changes across 250 files from 11 authors.

Excluding auto-generated files, documentation and release tools, there were approximately 4,900 lines of changes to 130 .pm, .t, .c and .h files.

Perl continues to flourish into its third decade thanks to a vibrant community of users and developers. The following people are known to have contributed the improvements that became cperl 5.24.1c:

Reini Urban, Father Chrysostomos, David Mitchell, Daniel Dragan, Tony Cook, Lukas Mai, Yves Orton, Aristotle Pagaltzis, Misty De Meo, Karl Williamson, James Raspass, Nicholas Rochelemange.

The list above is almost certainly incomplete as it is automatically generated from version control history. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the cperl issue tracker.

Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.

For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at . There may also be information at , the Perl Home Page.

If you believe you have an unreported bug, please run the cperlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to to be analysed by the Perl porting team.

If you think it's a cperl specific bug or trust the cperl developers more please file an issue at

If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see "SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec for details of how to report the issue.


The Changes file for an explanation of how to view exhaustive details on what changed.

The INSTALL file for how to build Perl.

The README file for general stuff.

The Artistic and Copying files for copyright information.