/ 
perl-5.10.1-RC2
/ Porting::how_to_write_a_perldelta
Security Advisories (24)
CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

CVE-2026-4176 (2026-03-29)

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2026-8376 (2026-05-25)

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2011-0761 (2011-05-13)

Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

How to write a perldelta

This is intended as a guide for how to write a perldelta. There has never been a formal specification - the working rule is "fake up a document that looks something close to the existing perldeltas". So if it's unclear how do to do something, see if it's been done before, and if the approach works there, steal it.

Style

Pod is more a physical markup language, rather than a logical markup language. Despite that it has some built in conventions. Stick to them:

  • F<> is for File

  • C<> is for Code

  • L<> is for Link

Whilst modules could also be links, usually in the context of the perldelta the reference is to code useing them, rather than something within their documentation.

Be consistent in how bugs are referenced. One style is

rt.perl.org

RT #43010 inline, but enclose in square brackets after a sentence. [RT #43010]

ActiveState

http://bugs.activestate.com/show_bug.cgi?id=72443

Debian

Debian bug #379463

Copy editing

Be consistent.

In a list, either make every item a note, or a full sentence. Either end every item with a full stop, or ensure that no item ends with one. regex xor regexp - choose exactly one, and stick to it.

Sections

Historically, the perldelta has consisted of a sequence of =head1 sections, usually in the same order. Un-needed sections are deleted, and if something doesn't fit nicely into the existing sections, a new more appropriate section is created.

NAME

Follows this formula:

perl5104delta - what is new for perl v5.10.4
DESCRIPTION

For a release on a stable branch, follows this formula:

This document describes differences between the 5.10.3 release and
the 5.10.4 release.

For the start of a new stable branch, follows this formula:

This document describes differences between the 5.12.0 release and
the 5.10.0 release.

Clearly this sets the scope of which changes are to be summarised in the rest of the document.

Notice

There was a Notice section in perl589delta, to carry an important notice.

Incompatible Changes

For a release on a stable branch, this section aspires to be

There are no changes intentionally incompatible with 5.10.3. If any exist,
they are bugs and reports are welcome.
Core Enhancements

New core language features go here. Summarise user-visible core language enhancements. Particularly prominent performance optimisations could go here, but most should go in the "Performance Enhancements" section.

Feature inside modules (pure-Perl and XS) go in "Modules and Pragmata"

New Platforms

List any platforms that this version of perl compiles on, that previous versions did not. These will either be enabled by new files in the hints/ directories, or new subdirectories and README files at the top level of the source tree.

Modules and Pragmata

All changes to installed files in ext/ and lib/ go here, in a list ordered by distribution name. Minimally it should be the module version, but it's more useful to the end user to give a paragraph's summary of the module's changes. In an ideal world, dual-life modules would have a Changes file that could be cribbed.

Whilst this section could be built by incrementally working through change descriptions applying to files, this is prone to error. It's better to collate changes to ext/ and lib/ by module, and then summarise all changes to a module as a group. This can be done by partitioning directories within ext/ and lib/ to a number of people.

Utility Changes

Changes to installed programs such as perlbug and xsubpp go here. Most of these are built within the directories utils and x2p.

New Documentation

Changes which create new files in pod/ go here.

Changes to Existing Documentation

Changes which significantly change existing files in pod/ go here. Any changes to pod/perldiag.pod should go in "New or Changed Diagnostics".

Performance Enhancements

Changes which enhance performance without changing behaviour go here. There may well be none in a stable release.

Installation and Configuration Improvements

Changes to Configure, installperl, installman, and analogous tools go here.

Selected Bug Fixes

Important bug fixes in the core language are summarised here. Bug fixes in files in ext/ and lib/ are best summarised in "Modules and Pragmata".

New or Changed Diagnostics

New or changed warnings emitted by the core's C code go here.

Changed Internals

Changes which affect the interface available to XS code go here.

New Tests

Changes which create new files in t/ go here. Changes to existing files in t/ aren't worth summarising, although the bugs that they represent may be.

Known Problems

Descriptions of platform agnostic bugs we know we can't fix go here. Any tests that had to be TODOed for the release would be noted here, unless they were specific to a particular platform (see below).

Deprecations

Add any new known deprecations here.

Platform Specific Notes

Any changes specific to a particular platform. VMS and Win32 are the usual stars here. It's probably best to group changes under the same section layout as the main perldelta.

Obituary

If any significant core contributor has died, we've added a short obituary here.

Acknowledgements

The list of people to thank goes here.

Reporting Bugs

This doesn't usually need to be changed from the previous perldelta.

SEE ALSO

This doesn't usually need to be changed from the previous perldelta.