DESCRIPTION

Plugin for Devel::PatchPerl that fixes several buffer overflows and use-after-free bugs in production perls. These bugs prevent compilation with clang AddressSanitizer, aka asan.

Note that buildperl.pl from Devel::PPPort and Devel::PatchPerl do not provide such security patches, only configure and make patches.

Most fixes have very low security impact. No exploits are known to exist.

You need to run perlall build --allpatches or perlall build --patches=Asan to apply these.

PATCHES

The list is complete for non-threaded perls. For threaded perls some more patches need to be added.

    5.8.2-5.16.2: CVE-2013-1667 prevent hsplit DOS attacks
    5.10-5.15.9:  RT#111586 sdbm.c off-by-one access to global .dir
    5.12-5.16.0:  RT#72700 List::Util boot Fix off-by-two on string literal length
    5.15.4-9, 5.17.0-6: RT#115702 overlapping memcpy in to_utf8_case
    5.6-5.16.0:   RT#111594 Socket::unpack_sockaddr_un heap-buffer-overflow
    5.8-5.14.3:   RT#115992 PL_eval_start use-after-free
    5.10-5.14.3:  RT#115994 S_join_exact global-buffer-overflow
    5.17.7-8:     RT#82119 Socket::inet_ntop heap-buffer-overflow
    5.14.0-3:     RT#91678 S_anonymise_cv_maybe UTF8 cleanup
    5.17,18.0,19: RT#118525 Return B::HEK for B::CV::GV of lexical subs

Devel::PatchPerl::Plugin::Asan::patchperl($class, {version,source,patchexe})

Apply patches in Devel::PatchPerl::Plugin::Asan depending on the perl version. See Devel::PatchPerl::Plugin.

Every patch is recorded in patchlevel.h, visible in myconfig. If a patch fails the script dies.
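
One way to check that a build actually records the patches expected for its version, as an added example that is not part of this module. It assumes the entries from patchlevel.h appear under "Locally applied patches:" in `perl -V` output and that each recorded line mentions the RT or CVE id; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which patches a perl build records as locally applied.

# Print the entries of the "Locally applied patches:" block of `perl -V`
# output read from stdin, one per line, with leading whitespace removed.
local_patches() {
    awk '
        /^[ \t]*Locally applied patches:/ { in_block = 1; next }
        /^[ \t]*Built under / { in_block = 0 }
        in_block { sub(/^[ \t]+/, ""); if ($0 != "") print }
    '
}

# Read `perl -V` output on stdin; print each expected id ("$@") that no
# recorded patch line mentions as a whole word. Prints nothing if all are there.
missing_patches() {
    recorded=$(local_patches)
    for id in "$@"; do
        printf '%s\n' "$recorded" | grep -qwF -- "$id" || printf '%s\n' "$id"
    done
}

# Constructed sample: tail of `perl -V` for a hypothetical patched 5.14.2.
# The wording of each recorded line is an assumption, not the plugin's text.
sample_perl_V() {
    cat <<'EOF'
Characteristics of this binary (from libperl):
  Compile-time options: PERL_DONT_CREATE_GVSV USE_64_BIT_ALL USE_PERLIO
  Locally applied patches:
    Devel::PatchPerl (constructed)
    CVE-2013-1667 prevent hsplit DOS attacks
    RT#111586 sdbm.c off-by-one access to global .dir
    RT#72700 List::Util boot
    RT#111594 Socket::unpack_sockaddr_un
    RT#115992 PL_eval_start use-after-free
    RT#91678 S_anonymise_cv_maybe UTF8 cleanup
  Built under linux
  Compiled at Jan  1 2013 00:00:00
EOF
}

# Ids the PATCHES list above gives for a non-threaded 5.14.2.
EXPECTED_5_14_2="CVE-2013-1667 RT#111586 RT#72700 RT#111594 RT#115992 RT#115994 RT#91678"

# Demo: report what the sample build is missing (RT#115994 is absent).
sample_perl_V | missing_patches $EXPECTED_5_14_2
```

Against a real build, pipe `perl -V` into `missing_patches` with the ids that the PATCHES list gives for that version.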