In perl.git, the branch autarch/release-5.17.7 has been updated <http://perl5.git.perl.org/perl.git/commitdiff/dd271d7a0caed014eb38a82641368ade8e60765b?hp=f5b737111b5446b5e601b70539f2c772080de91d>
- Log ----------------------------------------------------------------- commit dd271d7a0caed014eb38a82641368ade8e60765b Author: Dave Rolsky <[email protected]> Date: Mon Dec 17 13:24:42 2012 -0600 Add delta for Storable & Locale::Maketext security issues M pod/perldelta.pod commit 6936f67ac656329f48ac3758221cfa05e8c2d339 Author: Dave Rolsky <[email protected]> Date: Mon Dec 17 13:18:52 2012 -0600 Fix typo in Locale-Maketext ChangeLog M dist/Locale-Maketext/ChangeLog commit 4b00e41a641dbf4264d1cb31a6de8e573fe43e67 Author: Dave Rolsky <[email protected]> Date: Mon Dec 17 13:09:01 2012 -0600 Fix some weird formatting in perldelta M pod/perldelta.pod commit 98960a104e798d6eeeb545e4248fbae253eb0467 Author: Dave Rolsky <[email protected]> Date: Mon Dec 17 12:25:53 2012 -0600 s/5.17.5/5.17.6/ in the INSTALL document M INSTALL ----------------------------------------------------------------------- Summary of changes: INSTALL | 4 +- dist/Locale-Maketext/ChangeLog | 2 +- pod/perldelta.pod | 56 ++++++++++++++++++++------------------- 3 files changed, 32 insertions(+), 30 deletions(-) diff --git a/INSTALL b/INSTALL index bc92052..c68f3a0 100644 --- a/INSTALL +++ b/INSTALL @@ -2399,9 +2399,9 @@ seriously consider using a separate directory, since development subversions may not have all the compatibility wrinkles ironed out yet. -=head2 Upgrading from 5.17.5 or earlier +=head2 Upgrading from 5.17.6 or earlier -B<Perl 5.17.7 may not be binary compatible with Perl 5.17.5 or +B<Perl 5.17.7 may not be binary compatible with Perl 5.17.6 or earlier Perl releases.> Perl modules having binary parts (meaning that a C compiler is used) will have to be recompiled to be used with 5.17.7. If you find you do need to rebuild an extension with diff --git a/dist/Locale-Maketext/ChangeLog b/dist/Locale-Maketext/ChangeLog index aaa0eb8..fb58183 100644 --- a/dist/Locale-Maketext/ChangeLog +++ b/dist/Locale-Maketext/ChangeLog 
@@ -4,7 +4,7 @@ Revision history for Perl suite Locale::Maketext * Fix misparsing of maketext strings. 2012-11-22 - * Fix hash order dependcy bug in tests + * Fix hash order dependency bug in tests 2012-01-14 * Minor POD documentation update to sync with upstream blead. diff --git a/pod/perldelta.pod b/pod/perldelta.pod index b9434ad..d06b1c0 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod @@ -25,6 +25,28 @@ nothing. =head1 Security +=head2 C<Storable> security warning in documentation + +The documentation for C<Storable> now includes a section which warns readers +of the danger of accepting Storable documents from untrusted sources. The +short version is that deserializing certain types of data can lead to loading +modules and other code execution. This is documented behavior and wanted +behavior, but this opens an attack vector for malicious entities. + +=head2 C<Locale::Maketext> allowed code injection via a malicious template + +If users could provide a translation string to Locale::Maketext, this could be +used to invoke arbitrary Perl subroutines available in the current process. + +This has been fixed, but it is still possible to invoke any method provided by +C<Locale::Maketext> itself or a subclass that you are using. One of these +methods in turn will invoke the Perl core's C<sprintf> subroutine. + +In summary, allowing users to provide translation strings without auditing +them is a bad idea. + +This vulnerability is documented in CVE-2012-6329. + =head1 Incompatible Changes =head2 readline() with C<$/ = \N> now reads N characters, not N bytes 
@@ -100,33 +122,13 @@ and should not be used. With participating C compilers (e.g., gcc), compiling any file that uses any of these will generate a warning. These were not intended for public use; there are equivalent, faster, macros for most of them. See L<perlapi/Character classes>: -C<is_uni_ascii>, -C<is_uni_ascii_lc>, -C<is_uni_blank>, -C<is_uni_blank_lc>, -C<is_uni_cntrl>, -C<is_uni_cntrl_lc>, -C<is_uni_idfirst_lc>, -C<is_uni_space>, -C<is_uni_space_lc>, -C<is_uni_xdigit>, -C<is_uni_xdigit_lc>, -C<is_utf8_ascii>, -C<is_utf8_blank>, -C<is_utf8_cntrl>, -C<is_utf8_idcont>, -C<is_utf8_idfirst>, -C<is_utf8_perl_space>, -C<is_utf8_perl_word>, -C<is_utf8_posix_digit>, -C<is_utf8_space>, -C<is_utf8_xdigit>. -C<is_utf8_xidcont>, -C<is_utf8_xidfirst>, -C<to_uni_lower_lc>, -C<to_uni_title_lc>, -and -C<to_uni_upper_lc>. +C<is_uni_ascii>, C<is_uni_ascii_lc>, C<is_uni_blank>, C<is_uni_blank_lc>, +C<is_uni_cntrl>, C<is_uni_cntrl_lc>, C<is_uni_idfirst_lc>, C<is_uni_space>, +C<is_uni_space_lc>, C<is_uni_xdigit>, C<is_uni_xdigit_lc>, C<is_utf8_ascii>, +C<is_utf8_blank>, C<is_utf8_cntrl>, C<is_utf8_idcont>, C<is_utf8_idfirst>, +C<is_utf8_perl_space>, C<is_utf8_perl_word>, C<is_utf8_posix_digit>, +C<is_utf8_space>, C<is_utf8_xdigit>. C<is_utf8_xidcont>, C<is_utf8_xidfirst>, +C<to_uni_lower_lc>, C<to_uni_title_lc>, and C<to_uni_upper_lc>. =head1 Performance Enhancements -- Perl5 Master Repository
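Review bot: in the new Security section of pod/perldelta.pod, the CVE identifier is the detail readers will search for, but `This vulnerability is documented in CVE-2012-6329.` is the last line of the Locale::Maketext entry; consider moving it up to the first paragraph or naming it in the `=head2`. `This has been fixed` also does not say which Locale::Maketext release carries the fix; the `Fix misparsing of maketext strings` ChangeLog entry touched in this same series is the natural thing to reference so readers can check the version they have. Finally, the closing advice that `allowing users to provide translation strings without auditing them is a bad idea` reads as a conclusion from the preceding sentence (methods of Locale::Maketext and subclasses remain reachable, one of them calling `sprintf`), so a connecting word such as "therefore" or "because of this" would make that dependency explicit rather than leaving it as a bare summary.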
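Review bot: the reflow of the deprecated-macro list carries over a punctuation error from the old text: `C<is_utf8_space>, C<is_utf8_xdigit>. C<is_utf8_xidcont>, C<is_utf8_xidfirst>,` keeps the full stop after C<is_utf8_xdigit> that the removed line `-C<is_utf8_xdigit>.` already had, so the sentence ends in the middle of the list and the remaining five macros stand as a fragment. Since this commit already rewraps these lines, change that full stop to a comma here.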
