Plugin for Devel::PatchPerl to fix several buffer overflows and use-after-free bugs in production perls which prevent compilations with
Most fixes have very low security impact. No known exploits exist.
You need to run

    perlall build --allpatches

or

    perlall build --patches=Asan

to apply these.
The list is complete for non-threaded perls. For threaded perls some more patches need to be added.
    5.8.2-5.16.2: CVE-2013-1667 prevent hsplit DOS attacks
    5.10-5.15.9: RT#111586 sdbm.c off-by-one access to global .dir
    5.12-5.16.0: RT#72700 List::Util boot Fix off-by-two on string literal length
    5.15.4-9, 5.17.0-6: RT#115702 overlapping memcpy in to_utf8_case
    5.6-5.16.0: RT#111594 Socket::unpack_sockaddr_un heap-buffer-overflow
    5.8-5.14.3: RT#115992 PL_eval_start use-after-free
    5.10-5.14.3: RT#115994 S_join_exact global-buffer-overflow
    5.17.7-8: RT#82119 Socket::inet_ntop heap-buffer-overflow
    5.14.0-3: RT#91678 S_anonymise_cv_maybe UTF8 cleanup
    5.17,18.0,19 RT#118525 Return B::HEK for B::CV::GV of lexical subs
Apply patches in Devel::PatchPerl::Plugin::Asan depending on the perl version. See Devel::PatchPerl::Plugin.
Every patch is recorded in patchlevel.h, visible in myconfig. If a patch fails the script dies.