DESCRIPTION
Plugin for Devel::PatchPerl to fix several buffer overflows and use-after-free bugs in production perls which prevent compilations with clang AddressSanitizer, aka asan.
Note that buildperl.pl from Devel::PPPerl and Devel::PatchPerl do not provide such security patches, only configure and make patches.
Most fixes have very low security impact. No known exploits do exist.
You need to run perlall build --allpatches or perlall build --patches=Asan to apply these.
PATCHES
The list is complete for non-threaded perls. For threaded perls some more patches need to be added.
5.8.2-5.16.2: CVE-2013-1667 prevent hsplit DOS attacks
5.10-5.15.9: RT#111586 sdbm.c off-by-one access to global .dir
5.12-5.16.0: RT#72700 List::Util boot Fix off-by-two on string literal length
5.15.4-9, 5.17.0-6: RT#115702 overlapping memcpy in to_utf8_case
5.6-5.16.0: RT#111594 Socket::unpack_sockaddr_un heap-buffer-overflow
5.8-5.14.3: RT#115992 PL_eval_start use-after-free
5.10-5.14.3: RT#115994 S_join_exact global-buffer-overflow
5.17.7-8: RT#82119 Socket::inet_ntop heap-buffer-overflow
5.14.0-3: RT#91678 S_anonymise_cv_maybe UTF8 cleanup
5.17,18.0,19 RT#118525 Return B::HEK for B::CV::GV of lexical subsDevel::PatchPerl::Plugin::Asan::patchperl($class, {version,source,patchexe})
Apply patches in Devel::PatchPerl::Plugin::Asan depending on the perl version. See Devel::PatchPerl::Plugin.
Every patch is recorded in patchlevel.h, visible in myconfig. If a patch fails the script dies.