Perl, which is one of the most popular scripting languages in the Unix and Linux world, has now received updates that bring the latest official packages up to version 5.28.0. Many users are more than likely still running Perl 5.22 or another slightly older version because a majority of distros haven’t gotten the opportunity to test the new packages. The same is more than likely true of developers working on Apple’s macOS platform.
When software gets a new release, a list of changes usually accompanies it. Few packages, however, ship with a changelog covering over 700,000 individual alterations.
Nevertheless, Perl's developers report that they have made that many changes to the scripting host. One of the most important involves support for detecting mixed Unicode scripts.
Spoofing attacks are a major problem wherever a script handles Unicode text. Cyrillic, Latin and Greek characters can be mixed in one string to produce look-alike text that tricks code into treating a request as legitimate. Some crackers have also combined different Unicode combining characters so that a string looks acceptable to a user even though its underlying code points do not correspond to what the user sees.
Windows, macOS and Linux security experts weighed in on the issue, and Perl now has a new regular expression construct that lets scriptwriters detect mixed-script Unicode strings before passing them on to any other subroutine in a script.
You can also deliberately combine different scripts using some new calls. These are considered experimental, so they throw an experimental::script_run warning for the time being, but the warning can be disabled.
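The following is an added example, not code from the article or from the Perl project, showing the script-run check in practice. It uses the `(*script_run:...)` spelling that current perlre documents; the 5.28.0 release introduced the construct under a slightly different spelling, so check perl5280delta for the exact form on the version you run. The sample strings are constructed: the second one hides a Cyrillic "а" (U+0430) inside an otherwise Latin word, which is exactly the look-alike case described above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                                   # source file contains non-ASCII literals
no warnings 'experimental::script_run';     # silence the experimental warning mentioned above
binmode STDOUT, ':encoding(UTF-8)';

# Constructed sample inputs (not from the article).
my @samples = (
    "paypal",            # pure Latin
    "p\x{0430}ypal",     # Latin with a Cyrillic small "a" spliced in (look-alike)
    "\x{39A}\x{3B1}\x{3BB}\x{3B7}\x{3BC}\x{3AD}\x{3C1}\x{3B1}",  # pure Greek ("Καλημέρα")
    "abc123",            # ASCII digits are "Common" script and fit inside a Latin run
);

# Returns 1 if every character of $s belongs to a single script run,
# 0 if scripts are mixed. The anchors force the run to cover the whole string.
sub is_single_script {
    my ($s) = @_;
    return $s =~ /\A(*script_run:.+)\z/ ? 1 : 0;
}

for my $s (@samples) {
    printf "%-12s %s\n", $s,
        is_single_script($s) ? "single script" : "MIXED scripts - reject";
}
```

A defender would call `is_single_script` on user-supplied identifiers (account names, hostnames, display names) before they reach comparison or display logic; anything that fails is the kind of string the spoofing discussion above warns about. perlre also documents `(*atomic_script_run:...)`, which refuses to backtrack into the enclosed pattern and so avoids repeated retries on long mixed-script input; it is a drop-in replacement for `(*script_run:...)` in the pattern above.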
Editing files in place with perl -i is now much safer than it was. Previously, an in-place edit could delete or rename the input file even when the edit had not completed. Perl now replaces the input file only after the output file has been fully written to disk and closed.
Several other major security bugs were corrected in the release as well. Certain heap buffer overflows and buffer over-reads should no longer serve as an attack vector because of how much Perl's developers tightened up the code in these areas.