--- - branch: MAIN date: Tue Dec 5 19:36:26 UTC 2023 files: - new: '1.48' old: '1.47' path: pkgsrc/lang/perl5/Makefile.common pathrev: pkgsrc/lang/perl5/Makefile.common@1.48 type: modified - new: '1.182' old: '1.181' path: pkgsrc/lang/perl5/distinfo pathrev: pkgsrc/lang/perl5/distinfo@1.182 type: modified id: 20231205T193626Z.02c8466bd337a5754f20a1e82e0f8c5a682d1727 log: | perl: update to 5.38.2. This document describes differences between the 5.38.0 release and the 5.38.2 release. B This document ignores Perl 5.38.1, a broken release which existed for a couple of days only. Security This release fixes the following security issues. CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property This vulnerability was reported directly to the Perl security team by Nathan Mills C. A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one-byte attacker controlled buffer overflow in a heap allocated buffer. CVE-2023-47039 - Perl for Windows binary hijacking vulnerability This vulnerability was reported to the Intel Product Security Incident Response Team (PSIRT) by GitHub user ycdxsb L. PSIRT then reported it to the Perl security team. Perl for Windows relies on the system path environment variable to find the shell (C). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute C within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing C in locations with weak permissions, such as C. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed. module: pkgsrc subject: 'CVS commit: pkgsrc/lang/perl5' unixtime: '1701804986' user: wiz