Subject: CVS commit: pkgsrc/lang/perl5
From: Adam Ciarcinski
Date: 2020-06-03 10:39:16
Message id: 20200603083916.3119BFB27@cvs.NetBSD.org

Log Message:
perl5: updated to 5.30.3

perl v5.30.3

Security
   [CVE-2020-10543] Buffer overflow caused by a crafted regular expression
       A signed "size_t" integer overflow in the storage space calculations for nested regular expression
       quantifiers could cause a heap buffer overflow in Perl's regular expression compiler that overwrites memory
       allocated after the regular expression storage space with attacker supplied data.

       The target system needs a sufficient amount of memory to allocate partial expansions of the nested
       quantifiers prior to the overflow occurring.  This requirement is unlikely to be met on 64-bit systems.

   [CVE-2020-10878] Integer overflow via malformed bytecode produced by a crafted regular expression
       Integer overflows in the calculation of offsets between instructions for the regular expression engine could
       cause corruption of the intermediate language state of a compiled regular expression.  An attacker could
       abuse this behaviour to insert instructions into the compiled form of a Perl regular expression.

   [CVE-2020-12723] Buffer overflow caused by a crafted regular expression
       Recursive calls to "S_study_chunk()" by Perl's regular expression compiler to optimize the intermediate
       language representation of a regular expression could cause corruption of the intermediate language state of
       a compiled regular expression.

   Additional Note
       An application written in Perl would only be vulnerable to any of the above flaws if it evaluates regular
       expressions supplied by the attacker.  Evaluating regular expressions in this fashion is known to be
       dangerous since the regular expression engine does not protect against denial of service attacks in this
       usage scenario.

Incompatible Changes
       There are no changes intentionally incompatible with Perl 5.30.2.

Modules and Pragmata
   Updated Modules and Pragmata
       o   Module::CoreList has been upgraded from version 5.20200314 to 5.20200601_30.

Files:
Revision  Action  file
1.40      modify  pkgsrc/lang/perl5/Makefile.common
1.163     modify  pkgsrc/lang/perl5/distinfo