#4664: perl-5.30.3
--------------------+-----------------------
Reporter: bdubbs | Owner: renodr
Type: task | Status: assigned
Priority: high | Milestone: 9.2
Component: Book | Version: SVN
Severity: normal | Resolution:
Keywords: |
--------------------+-----------------------
Changes (by renodr):
* priority: normal => high
Comment:
{{{
NAME
perldelta - what is new for perl v5.30.3
DESCRIPTION
This document describes differences between the 5.30.2 release and the
5.30.3 release.
If you are upgrading from an earlier release such as 5.30.1, first read
perl5302delta, which describes differences between 5.30.1 and 5.30.2.
Security
[CVE-2020-10543] Buffer overflow caused by a crafted regular expression
A signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers could cause a heap buffer overflow
in Perl's regular expression compiler that overwrites memory allocated
after the regular expression storage space with attacker supplied data.
The target system needs a sufficient amount of memory to allocate partial
expansions of the nested quantifiers prior to the overflow occurring. This
requirement is unlikely to be met on 64-bit systems.
Discovered by: ManhND of The Tarantula Team, VinCSS (a member of
Vingroup).
[CVE-2020-10878] Integer overflow via malformed bytecode produced by a
crafted regular expression
Integer overflows in the calculation of offsets between instructions for
the regular expression engine could cause corruption of the intermediate
language state of a compiled regular expression. An attacker could abuse
this behaviour to insert instructions into the compiled form of a Perl
regular expression.
Discovered by: Hugo van der Sanden and Slaven Rezic.
[CVE-2020-12723] Buffer overflow caused by a crafted regular expression
Recursive calls to S_study_chunk() by Perl's regular expression compiler
to optimize the intermediate language representation of a regular
expression could cause corruption of the intermediate language state of a
compiled regular expression.
Discovered by: Sergey Aleynikov.
Additional Note
An application written in Perl would only be vulnerable to any of the
above flaws if it evaluates regular expressions supplied by the attacker.
Evaluating regular expressions in this fashion is known to be dangerous
since the regular expression engine does not protect against denial of
service attacks in this usage scenario.
Incompatible Changes
There are no changes intentionally incompatible with Perl 5.30.2. If any
exist, they are bugs, and we request that you submit a report. See
"Reporting Bugs" below.
Modules and Pragmata
Updated Modules and Pragmata
Module::CoreList has been upgraded from version 5.20200314 to
5.20200601_30.
Testing
Tests were added and changed to reflect the other additions and changes in
this release.
}}}
Contains fixes for CVE-2020-10543, CVE-2020-10878, CVE-2020-12723
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4664#comment:2>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
