Path to this page:
Subject: CVS commit: pkgsrc/lang/perl5
From: Adam Ciarcinski
Date: 2020-06-03 10:39:16
Message id: 20200603083916.3119BFB27@cvs.NetBSD.org
Log Message:
perl5: updated to 5.30.3
perl v5.30.3
Security
[CVE-2020-10543] Buffer overflow caused by a crafted regular expression
A signed "size_t" integer overflow in the storage space \
calculations for nested regular expression
quantifiers could cause a heap buffer overflow in Perl's regular \
expression compiler that overwrites memory
allocated after the regular expression storage space with attacker \
supplied data.
The target system needs a sufficient amount of memory to allocate partial \
expansions of the nested
quantifiers prior to the overflow occurring. This requirement is \
unlikely to be met on 64-bit systems.
[CVE-2020-10878] Integer overflow via malformed bytecode produced by a \
crafted regular expression
Integer overflows in the calculation of offsets between instructions for \
the regular expression engine could
cause corruption of the intermediate language state of a compiled regular \
expression. An attacker could
abuse this behaviour to insert instructions into the compiled form of a \
Perl regular expression.
[CVE-2020-12723] Buffer overflow caused by a crafted regular expression
Recursive calls to "S_study_chunk()" by Perl's regular \
expression compiler to optimize the intermediate
language representation of a regular expression could cause corruption of \
the intermediate language state of
a compiled regular expression.
Additional Note
An application written in Perl would only be vulnerable to any of the \
above flaws if it evaluates regular
expressions supplied by the attacker. Evaluating regular expressions in \
this fashion is known to be
dangerous since the regular expression engine does not protect against \
denial of service attacks in this
usage scenario.
Incompatible Changes
There are no changes intentionally incompatible with Perl 5.30.2.
Modules and Pragmata
Updated Modules and Pragmata
o Module::CoreList has been upgraded from version 5.20200314 to \
5.20200601_30.
Files: