pkgsrc-Changes archive


CVS commit: pkgsrc/lang/perl5



Module Name:    pkgsrc
Committed By:   wiz
Date:           Tue Dec  5 19:36:26 UTC 2023

Modified Files:
        pkgsrc/lang/perl5: Makefile.common distinfo

Log Message:
perl: update to 5.38.2.

This document describes differences between the 5.38.0 release and the 5.38.2
release.  B<Please note:> This document ignores Perl 5.38.1, a broken release
which existed for a couple of days only.

Security

This release fixes the following security issues.

CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property

This vulnerability was reported directly to the Perl security team by
Nathan Mills C<the.true.nathan.mills%gmail.com@localhost>.

A crafted regular expression when compiled by perl 5.30.0 through
5.38.0 can cause a one-byte attacker controlled buffer overflow in a
heap allocated buffer.

CVE-2023-47039 - Perl for Windows binary hijacking vulnerability

This vulnerability was reported to the Intel Product Security Incident
Response Team (PSIRT) by GitHub user ycdxsb
L<https://github.com/ycdxsb/WindowsPrivilegeEscalation>. PSIRT then
reported it to the Perl security team.

Perl for Windows relies on the system path environment variable to
find the shell (C<cmd.exe>). When running an executable which uses
Windows Perl interpreter, Perl attempts to find and execute C<cmd.exe>
within the operating system. However, due to path search order issues,
Perl initially looks for cmd.exe in the current working directory.

An attacker with limited privileges can exploit this behavior by
placing C<cmd.exe> in locations with weak permissions, such as
C<C:\ProgramData>. By doing so, when an administrator attempts to use
this executable from these compromised locations, arbitrary code can
be executed.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/lang/perl5/Makefile.common
cvs rdiff -u -r1.181 -r1.182 pkgsrc/lang/perl5/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/perl5/Makefile.common
diff -u pkgsrc/lang/perl5/Makefile.common:1.47 pkgsrc/lang/perl5/Makefile.common:1.48
--- pkgsrc/lang/perl5/Makefile.common:1.47      Thu Jul  6 09:22:14 2023
+++ pkgsrc/lang/perl5/Makefile.common   Tue Dec  5 19:36:26 2023
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile.common,v 1.47 2023/07/06 09:22:14 wiz Exp $
+# $NetBSD: Makefile.common,v 1.48 2023/12/05 19:36:26 wiz Exp $
 #
 # used by lang/perl5/Makefile
 # used by databases/p5-gdbm/Makefile
 
-DISTNAME=      perl-5.38.0
+DISTNAME=      perl-5.38.2
 CATEGORIES=    lang devel perl5
 MASTER_SITES=  ${MASTER_SITE_PERL_CPAN:S,/modules/by-module/$,/src/5.0/,}
 DISTFILES+=    ${DISTNAME}${EXTRACT_SUFX}
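
Review bot: the header comment in this hunk lists databases/p5-gdbm/Makefile as a second consumer of Makefile.common, but the commit touches only lang/perl5 (Makefile.common and distinfo). The DISTNAME change to perl-5.38.2 changes the distfile that package fetches as well, so confirm it resolves its checksums through lang/perl5/distinfo; if it keeps its own distinfo, that file needs the same update in this commit.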

Index: pkgsrc/lang/perl5/distinfo
diff -u pkgsrc/lang/perl5/distinfo:1.181 pkgsrc/lang/perl5/distinfo:1.182
--- pkgsrc/lang/perl5/distinfo:1.181    Thu Jul  6 09:22:14 2023
+++ pkgsrc/lang/perl5/distinfo  Tue Dec  5 19:36:26 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.181 2023/07/06 09:22:14 wiz Exp $
+$NetBSD: distinfo,v 1.182 2023/12/05 19:36:26 wiz Exp $
 
-BLAKE2s (perl-5.38.0.tar.xz) = 2f27844b7003ec6836ba53f33a73d349cec41f9ad5cff2f14499f95a221210ce
-SHA512 (perl-5.38.0.tar.xz) = 71beff7f6daa22a967972f5805daf2d4ff837a17e5ab808780f815d5914a67acf4f2e92acac0f2d8b24bdde4ceec0c2f7cb3029b5eadeeb30191f757e1bf0f9d
-Size (perl-5.38.0.tar.xz) = 13565448 bytes
+BLAKE2s (perl-5.38.2.tar.xz) = cdd8729ebe26a804f86236514eefa4520141f82a3167dfb246713b6094b51185
+SHA512 (perl-5.38.2.tar.xz) = 0ca51e447c7a18639627c281a1c7ae6662c773745ea3c86bede46336d5514ecc97ded2c61166e1ac15635581489dc596368907aa3a775b34db225b76d7402d10
+Size (perl-5.38.2.tar.xz) = 13679524 bytes
 SHA1 (patch-Configure) = f3bd324a90254405b3ce8e29846b4ddc9ebf7d73
 SHA1 (patch-Makefile.SH) = 56203aea57c429a94760f039a978463b8859b0a9
 SHA1 (patch-caretx.c) = e9698f513b6fb5237b627d6a1a56153720654039
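
Review bot: the three replaced lines for perl-5.38.2.tar.xz (BLAKE2s, SHA512, Size) become the only integrity check for the fetched tarball, and the log message does not say where the values came from. State in the log that they were compared against an independent copy of the release rather than only regenerated from the downloaded file. The patch-* SHA1 entries that follow are unchanged context, so also confirm those patches still apply cleanly to 5.38.2.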



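The distinfo entries changed in the diff above are what pkgsrc checks a fetched distfile against. As an added example (not part of the commit and not pkgsrc's own tooling), the Python code below parses that line format and verifies a file's bytes against every recorded digest and the size; the function names and the supported algorithm subset are assumptions made for illustration, and `make_entry_lines` only builds constructed sample entries.

```python
import hashlib
import re

# One distinfo entry: "ALGO (filename) = value"; Size values end in " bytes".
ENTRY = re.compile(r"^(\w+) \((.+?)\) = (\S+)(?: bytes)?$")
# Algorithm names seen in the diff, mapped to hashlib (assumed subset).
HASHERS = {"BLAKE2s": hashlib.blake2s, "SHA512": hashlib.sha512, "SHA1": hashlib.sha1}


def parse_distinfo(text):
    """Return {filename: {algorithm: expected_value}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # the $NetBSD$ header and blank lines do not match
            algo, name, value = m.groups()
            entries.setdefault(name, {})[algo] = value.lower()
    return entries


def verify(name, data, entries):
    """Return a list of problems for `data`; an empty list means verified."""
    expected = entries.get(name)
    if not expected:
        return [f"{name}: no distinfo entry"]
    problems = []
    for algo, want in expected.items():
        if algo == "Size":
            got = str(len(data))
        elif algo in HASHERS:
            got = HASHERS[algo](data).hexdigest()
        else:
            problems.append(f"{name}: unsupported algorithm {algo}")
            continue
        if got != want:
            problems.append(f"{name}: {algo} mismatch")
    # A Size-only entry says nothing about content, so require a digest.
    if not any(algo in HASHERS for algo in expected):
        problems.append(f"{name}: no digest recorded")
    return problems


def make_entry_lines(name, data):
    """Build constructed distinfo lines for sample data (demo helper)."""
    return "\n".join([
        f"BLAKE2s ({name}) = {hashlib.blake2s(data).hexdigest()}",
        f"SHA512 ({name}) = {hashlib.sha512(data).hexdigest()}",
        f"Size ({name}) = {len(data)} bytes",
    ])
```

To check a real download, pass the contents of the distinfo file to `parse_distinfo` and the tarball's bytes to `verify` under the filename used in the entries.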