Plugin for Devel::PatchPerl to fix several buffer overflows and use-after-free bugs in production perls which prevent compilations with
clang AddressSanitizer, aka asan.
Most fixes have very low security impact. No known exploits do exist.
You need to run
perlall build --allpatches or
perlall build --patches=Asan to apply these.
The list is complete for non-threaded perls. For threaded perls some more patches need to be added.
5.8.2-5.16.2: CVE-2013-1667 prevent hsplit DOS attacks 5.10-5.15.9: RT#111586 sdbm.c off-by-one access to global .dir 5.12-5.16.0: RT#72700 List::Util boot Fix off-by-two on string literal length 5.15.4-9, 5.17.0-6: RT#115702 overlapping memcpy in to_utf8_case 5.6-5.16.0: RT#111594 Socket::unpack_sockaddr_un heap-buffer-overflow 5.8-5.14.3: RT#115992 PL_eval_start use-after-free 5.10-5.14.3: RT#115994 S_join_exact global-buffer-overflow 5.17.7-8: RT#82119 Socket::inet_ntop heap-buffer-overflow 5.14.0-3: RT#91678 S_anonymise_cv_maybe UTF8 cleanup 5.17,18.0,19 RT#118525 Return B::HEK for B::CV::GV of lexical subs
Apply patches in Devel::PatchPerl::Plugin::Asan depending on the perl version. See Devel::PatchPerl::Plugin.
Every patch is recorded in patchlevel.h, visible in myconfig. If a patch fails the script dies.