People who *use* their BLFS system(s), as distinct from those who only build them to see how things fit together, are hopefully subscribed here, so although perl is an LFS package I'm posting here.
New point releases for perl (5.28.1 and 5.26.3) were released at the end of November, containing security fixes as well as bugfixes.

For 5.28.1 the security fixes are:

[CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault
[CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c)

For the latter: A remote user can create a specially crafted regular expression to cause a heap overflow in S_regatom in 'regcomp.c' during compilation and potentially execute arbitrary code.

The unfortunate thing about upgrading perl to a newer version is that extra modules (in site_perl) will no longer be in the right place. On my current systems (LFS-8.3 and later) I've got many extra modules. So for 5.28.1 I'm going to do what I did when 5.22.1 came out - patch 5.28.0 with the fixes but not with the newer version number, then rebuild.

Fortunately, the changes include extra tests so when my patch is incomplete I find out (got the T-shirt from 5.28, looks like I'm maybe going to get another for 5.26).

Attached is a patch for 5.28. Note that the affected files are read-only, but patch manages to apply the changes.

I plan to do an LFS build later, for this and maybe for something else, and I'll then pick up the LFS ticket unless someone beats me to it. But before that I'll be trying to do a similar (larger) patch for perl-5.26.1 which has had two sets of security fixes - I only care about that because I've got some old LFS-8.2 systems which I claim to keep maintained.

ĸen
--
I'm saving up 22 shillings and 10 pence (almost a pound!) per week to buy an ARM-13.
http://www.antipope.org/charlie/blog-static/2018/11/brexit-means-brexit.html

perl-5.28.0-upstream_fixes-1.patch
-- http://lists.linuxfromscratch.org/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
