diff --git a/SOURCES/perl-5.16.3-CVE-2020-10543.patch b/SOURCES/perl-5.16.3-CVE-2020-10543.patch
new file mode 100644
index 0000000..fca36ea
--- /dev/null
+++ b/SOURCES/perl-5.16.3-CVE-2020-10543.patch
@@ -0,0 +1,72 @@
+From dd88eabcdaecfe56bd4dd50fcb557ad59bed4855 Mon Sep 17 00:00:00 2001
+From: Jitka Plesnikova <jplesnik@redhat.com>
+Date: Thu, 7 Jan 2021 12:50:21 +0100
+Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
+ quantifiers.
+
+(CVE-2020-10543) On 32bit systems the size calculations for nested regular
+expression quantifiers could overflow causing heap memory corruption.
+---
+ AUTHORS | 1 +
+ perl.h | 2 ++
+ regcomp.c | 6 ++++++
+ t/re/pat.t | 1 +
+ 4 files changed, 10 insertions(+)
+
+diff --git a/AUTHORS b/AUTHORS
+index 9589b5b..b69783a 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -558,6 +558,7 @@ John Holdsworth <coldwave@bigfoot.com>
+ John Hughes <john@AtlanTech.COM>
+ John Kristian <jmk2001@engineer.com>
+ John L. Allen <allen@grumman.com>
++John Lightsey <jd@cpanel.net>
+ John Macdonald <jmm@revenge.elegant.com>
+ John Malmberg <wb8tyw@gmail.com>
+ John Nolan <jpnolan@Op.Net>
+diff --git a/perl.h b/perl.h
+index e532af2..9806c58 100644
+--- a/perl.h
++++ b/perl.h
+@@ -1758,6 +1758,8 @@ typedef UVTYPE UV;
+ # endif
+ #endif
+
++#define SSize_t_MAX (SSize_t)(~(size_t)0 >> 1)
++
+ #ifndef HAS_QUAD
+ # undef PERL_NEED_MY_HTOLE64
+ # undef PERL_NEED_MY_LETOH64
+diff --git a/regcomp.c b/regcomp.c
+index 57505f3..a02c296 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -3848,6 +3848,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ "Quantifier unexpected on zero-length expression");
+ }
+
++ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
++ || min >= SSize_t_MAX - minnext * mincount )
++ {
++ FAIL("Regexp out of space");
++ }
++
+ min += minnext * mincount;
+ is_inf_internal |= ((maxcount == REG_INFTY
+ && (minnext + deltanext) > 0)
+diff --git a/t/re/pat.t b/t/re/pat.t
+index e328fbd..214a14b 100644
+--- a/t/re/pat.t
++++ b/t/re/pat.t
+@@ -16,6 +16,7 @@ $| = 1;
+ BEGIN {
+ chdir 't' if -d 't';
+ @INC = ('../lib','.');
++ require Config; import Config;
+ require './test.pl';
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/perl-5.16.3-CVE-2020-10878.patch b/SOURCES/perl-5.16.3-CVE-2020-10878.patch
new file mode 100644
index 0000000..0e81d84
--- /dev/null
+++ b/SOURCES/perl-5.16.3-CVE-2020-10878.patch
@@ -0,0 +1,147 @@
+From af92b565250adce354d1af936c0013d0175a5b81 Mon Sep 17 00:00:00 2001
+From: Jitka Plesnikova <jplesnik@redhat.com>
+Date: Mon, 1 Jun 2020 18:33:56 +0200
+Subject: [PATCH 4/4] study_chunk: extract rck_elide_nothing
+
+(CVE-2020-10878)
+---
+ embed.fnc | 1 +
+ embed.h | 1 +
+ proto.h | 4 ++++
+ regcomp.c | 70 ++++++++++++++++++++++++++++++++++---------------------
+ 4 files changed, 49 insertions(+), 27 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index 9546555..aa6c886 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -1952,6 +1952,7 @@ Es |I32 |study_chunk |NN struct RExC_state_t *pRExC_state \
+ |I32 stopparen|NULLOK U8* recursed \
+ |NULLOK struct regnode_charclass_class *and_withp \
+ |U32 flags|U32 depth|bool was_mutate_ok
++Es |void |rck_elide_nothing|NN regnode *node
+ EsRn |U32 |add_data |NN struct RExC_state_t *pRExC_state|U32 n \
+ |NN const char *s
+ rs |void |re_croak2 |NN const char* pat1|NN const char* pat2|...
+diff --git a/embed.h b/embed.h
+index f7db1e0..555538d 100644
+--- a/embed.h
++++ b/embed.h
+@@ -933,6 +933,7 @@
+ #define make_trie(a,b,c,d,e,f,g,h) S_make_trie(aTHX_ a,b,c,d,e,f,g,h)
+ #define make_trie_failtable(a,b,c,d) S_make_trie_failtable(aTHX_ a,b,c,d)
+ #define nextchar(a) S_nextchar(aTHX_ a)
++#define rck_elide_nothing(a) S_rck_elide_nothing(aTHX_ a)
+ #define reg(a,b,c,d) S_reg(aTHX_ a,b,c,d)
+ #define reg_namedseq(a,b,c,d) S_reg_namedseq(aTHX_ a,b,c,d)
+ #define reg_node(a,b) S_reg_node(aTHX_ a,b)
+diff --git a/proto.h b/proto.h
+index 143eee0..d7cba26 100644
+--- a/proto.h
++++ b/proto.h
+@@ -6477,6 +6477,10 @@ STATIC char * S_nextchar(pTHX_ struct RExC_state_t *pRExC_state)
+ #define PERL_ARGS_ASSERT_NEXTCHAR \
+ assert(pRExC_state)
+
++STATIC void S_rck_elide_nothing(pTHX_ regnode *node);
++#define PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING \
++ assert(node)
++
+ STATIC void S_re_croak2(pTHX_ const char* pat1, const char* pat2, ...)
+ __attribute__noreturn__
+ __attribute__nonnull__(pTHX_1)
+diff --git a/regcomp.c b/regcomp.c
+index 9842a83..aa96980 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -2967,6 +2967,43 @@ case N ## nAmE: \
+ break
+
+
++/* Follow the next-chain of the current node and optimize away
++ all the NOTHINGs from it.
++ */
++STATIC void
++S_rck_elide_nothing(pTHX_ regnode *node)
++{
++ dVAR;
++
++ PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING;
++
++ if (OP(node) != CURLYX) {
++ const int max = (reg_off_by_arg[OP(node)]
++ ? I32_MAX
++ /* I32 may be smaller than U16 on CRAYs! */
++ : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
++ int off = (reg_off_by_arg[OP(node)] ? ARG(node) : NEXT_OFF(node));
++ int noff;
++ regnode *n = node;
++
++ /* Skip NOTHING and LONGJMP. */
++ while (
++ (n = regnext(n))
++ && (
++ (PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
++ || ((OP(n) == LONGJMP) && (noff = ARG(n)))
++ )
++ && off + noff < max
++ ) {
++ off += noff;
++ }
++ if (reg_off_by_arg[OP(node)])
++ ARG(node) = off;
++ else
++ NEXT_OFF(node) = off;
++ }
++ return;
++}
+
+ STATIC I32
+ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+@@ -3034,27 +3071,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+
+
+ /* Follow the next-chain of the current node and optimize
+- away all the NOTHINGs from it. */
+- if (OP(scan) != CURLYX) {
+- const int max = (reg_off_by_arg[OP(scan)]
+- ? I32_MAX
+- /* I32 may be smaller than U16 on CRAYs! */
+- : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
+- int off = (reg_off_by_arg[OP(scan)] ? ARG(scan) : NEXT_OFF(scan));
+- int noff;
+- regnode *n = scan;
+-
+- /* Skip NOTHING and LONGJMP. */
+- while ((n = regnext(n))
+- && ((PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
+- || ((OP(n) == LONGJMP) && (noff = ARG(n))))
+- && off + noff < max)
+- off += noff;
+- if (reg_off_by_arg[OP(scan)])
+- ARG(scan) = off;
+- else
+- NEXT_OFF(scan) = off;
+- }
++ away all the NOTHINGs from it.
++ */
++ rck_elide_nothing(scan);
+
+
+
+@@ -4057,11 +4094,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ if (data && (fl & SF_HAS_EVAL))
+ data->flags |= SF_HAS_EVAL;
+ optimize_curly_tail:
+- if (OP(oscan) != CURLYX) {
+- while (PL_regkind[OP(next = regnext(oscan))] == NOTHING
+- && NEXT_OFF(next))
+- NEXT_OFF(oscan) += NEXT_OFF(next);
+- }
++ rck_elide_nothing(oscan);
+ continue;
+ default: /* REF, ANYOFV, and CLUMP only? */
+ if (flags & SCF_DO_SUBSTR) {
+--
+2.25.4
+
diff --git a/SOURCES/perl-5.16.3-CVE-2020-12723.patch b/SOURCES/perl-5.16.3-CVE-2020-12723.patch
new file mode 100644
index 0000000..8354da5
--- /dev/null
+++ b/SOURCES/perl-5.16.3-CVE-2020-12723.patch
@@ -0,0 +1,270 @@
+From d6f7a97d2c1dfcedd728d8b2ac1a07e953922950 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Fri, 18 Dec 2020 14:55:16 +0100
+Subject: [PATCH] study_chunk: avoid mutating regexp program within GOSUB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+gh16947 and gh17743: studying GOSUB may restudy in an inner call
+(via a mix of recursion and enframing) something that an outer call
+is in the middle of looking at. Let the outer frame deal with it.
+
+(CVE-2020-12723)
+
+Jitka Plesnikova, Petr Pisar: Ported from
+3f4ba871d2d397dcd4386ed75e05353c36135c29 to 5.16.3.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ embed.fnc | 2 +-
+ embed.h | 2 +-
+ proto.h | 2 +-
+ regcomp.c | 42 ++++++++++++++++++++++++++++++------------
+ t/re/pat.t | 26 +++++++++++++++++++++++++-
+ 5 files changed, 58 insertions(+), 16 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index 9546555..019afa9 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -1951,7 +1951,7 @@ Es |I32 |study_chunk |NN struct RExC_state_t *pRExC_state \
+ |NULLOK struct scan_data_t *data \
+ |I32 stopparen|NULLOK U8* recursed \
+ |NULLOK struct regnode_charclass_class *and_withp \
+- |U32 flags|U32 depth
++ |U32 flags|U32 depth|bool was_mutate_ok
+ EsRn |U32 |add_data |NN struct RExC_state_t *pRExC_state|U32 n \
+ |NN const char *s
+ rs |void |re_croak2 |NN const char* pat1|NN const char* pat2|...
+diff --git a/embed.h b/embed.h
+index f7db1e0..75f326e 100644
+--- a/embed.h
++++ b/embed.h
+@@ -952,7 +952,7 @@
+ #define scan_commit(a,b,c,d) S_scan_commit(aTHX_ a,b,c,d)
+ #define set_regclass_bit(a,b,c,d,e) S_set_regclass_bit(aTHX_ a,b,c,d,e)
+ #define set_regclass_bit_fold(a,b,c,d,e) S_set_regclass_bit_fold(aTHX_ a,b,c,d,e)
+-#define study_chunk(a,b,c,d,e,f,g,h,i,j,k) S_study_chunk(aTHX_ a,b,c,d,e,f,g,h,i,j,k)
++#define study_chunk(a,b,c,d,e,f,g,h,i,j,k,l) S_study_chunk(aTHX_ a,b,c,d,e,f,g,h,i,j,k,l)
+ # endif
+ # if defined(PERL_IN_REGCOMP_C) || defined(PERL_IN_REGEXEC_C) || defined(PERL_IN_UTF8_C)
+ #define _core_swash_init(a,b,c,d,e,f,g,h) Perl__core_swash_init(aTHX_ a,b,c,d,e,f,g,h)
+diff --git a/proto.h b/proto.h
+index 143eee0..1b2ece6 100644
+--- a/proto.h
++++ b/proto.h
+@@ -6597,7 +6597,7 @@ STATIC U8 S_set_regclass_bit_fold(pTHX_ struct RExC_state_t *pRExC_state, regnod
+ #define PERL_ARGS_ASSERT_SET_REGCLASS_BIT_FOLD \
+ assert(pRExC_state); assert(node); assert(invlist_ptr); assert(alternate_ptr)
+
+-STATIC I32 S_study_chunk(pTHX_ struct RExC_state_t *pRExC_state, regnode **scanp, I32 *minlenp, I32 *deltap, regnode *last, struct scan_data_t *data, I32 stopparen, U8* recursed, struct regnode_charclass_class *and_withp, U32 flags, U32 depth)
++STATIC I32 S_study_chunk(pTHX_ struct RExC_state_t *pRExC_state, regnode **scanp, I32 *minlenp, I32 *deltap, regnode *last, struct scan_data_t *data, I32 stopparen, U8* recursed, struct regnode_charclass_class *and_withp, U32 flags, U32 depth, bool was_mutate_ok)
+ __attribute__nonnull__(pTHX_1)
+ __attribute__nonnull__(pTHX_2)
+ __attribute__nonnull__(pTHX_3)
+diff --git a/regcomp.c b/regcomp.c
+index 2254159..57505f3 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -2934,6 +2934,7 @@ typedef struct scan_frame {
+ regnode *next; /* next node to process when last is reached */
+ struct scan_frame *prev; /*previous frame*/
+ I32 stop; /* what stopparen do we use */
++ bool in_gosub; /* this or an outer frame is for GOSUB */
+ } scan_frame;
+
+
+@@ -2975,7 +2976,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ I32 stopparen,
+ U8* recursed,
+ struct regnode_charclass_class *and_withp,
+- U32 flags, U32 depth)
++ U32 flags, U32 depth, bool was_mutate_ok)
+ /* scanp: Start here (read-write). */
+ /* deltap: Write maxlen-minlen here. */
+ /* last: Stop before this one. */
+@@ -3016,6 +3017,11 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ length to get a real minimum (because the
+ folded version may be shorter) */
+ bool has_exactf_sharp_s = FALSE;
++ /* avoid mutating ops if we are anywhere within the recursed or
++ * enframed handling for a GOSUB: the outermost level will handle it.
++ */
++ bool mutate_ok = was_mutate_ok && !(frame && frame->in_gosub);
++
+ /* Peephole optimizer: */
+ DEBUG_STUDYDATA("Peep:", data,depth);
+ DEBUG_PEEP("Peep",scan,depth);
+@@ -3023,7 +3029,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ /* Its not clear to khw or hv why this is done here, and not in the
+ * clauses that deal with EXACT nodes. khw's guess is that it's
+ * because of a previous design */
+- JOIN_EXACT(scan,&min_subtract, &has_exactf_sharp_s, 0);
++ if (mutate_ok)
++ JOIN_EXACT(scan,&min_subtract, &has_exactf_sharp_s, 0);
++
+
+ /* Follow the next-chain of the current node and optimize
+ away all the NOTHINGs from it. */
+@@ -3100,7 +3108,8 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ /* we suppose the run is continuous, last=next...*/
+ minnext = study_chunk(pRExC_state, &scan, minlenp, &deltanext,
+ next, &data_fake,
+- stopparen, recursed, NULL, f,depth+1);
++ stopparen, recursed, NULL, f,depth+1,
++ mutate_ok);
+ if (min1 > minnext)
+ min1 = minnext;
+ if (max1 < minnext + deltanext)
+@@ -3161,7 +3170,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ }
+ }
+
+- if (PERL_ENABLE_TRIE_OPTIMISATION && OP( startbranch ) == BRANCH ) {
++ if (PERL_ENABLE_TRIE_OPTIMISATION
++ && OP( startbranch ) == BRANCH
++ && mutate_ok) {
++
+ /* demq.
+
+ Assuming this was/is a branch we are dealing with: 'scan' now
+@@ -3481,6 +3493,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ newframe->last = last;
+ newframe->stop = stopparen;
+ newframe->prev = frame;
++ newframe->in_gosub = (
++ (frame && frame->in_gosub) || (OP(scan) == GOSUB || OP(scan) == GOSTART)
++ );
+
+ frame = newframe;
+ scan = start;
+@@ -3792,7 +3807,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ minnext = study_chunk(pRExC_state, &scan, minlenp, &deltanext,
+ last, data, stopparen, recursed, NULL,
+ (mincount == 0
+- ? (f & ~SCF_DO_SUBSTR) : f),depth+1);
++ ? (f & ~SCF_DO_SUBSTR) : f),depth+1,mutate_ok);
+
+ if (flags & SCF_DO_STCLASS)
+ data->start_class = oclass;
+@@ -3844,7 +3859,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ if ( OP(oscan) == CURLYX && data
+ && data->flags & SF_IN_PAR
+ && !(data->flags & SF_HAS_EVAL)
+- && !deltanext && minnext == 1 ) {
++ && !deltanext && minnext == 1
++ && mutate_ok
++ ) {
+ /* Try to optimize to CURLYN. */
+ regnode *nxt = NEXTOPER(oscan) + EXTRA_STEP_2ARGS;
+ regnode * const nxt1 = nxt;
+@@ -3890,6 +3907,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ && !(data->flags & SF_HAS_EVAL)
+ && !deltanext /* atom is fixed width */
+ && minnext != 0 /* CURLYM can't handle zero width */
++ && mutate_ok
+ ) {
+ /* XXXX How to optimize if data == 0? */
+ /* Optimize to a simpler form. */
+@@ -3936,7 +3954,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ #endif
+ /* Optimize again: */
+ study_chunk(pRExC_state, &nxt1, minlenp, &deltanext, nxt,
+- NULL, stopparen, recursed, NULL, 0,depth+1);
++ NULL, stopparen, recursed, NULL, 0,depth+1,mutate_ok);
+ }
+ else
+ oscan->flags = 0;
+@@ -4376,7 +4394,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ next = regnext(scan);
+ nscan = NEXTOPER(NEXTOPER(scan));
+ minnext = study_chunk(pRExC_state, &nscan, minlenp, &deltanext,
+- last, &data_fake, stopparen, recursed, NULL, f, depth+1);
++ last, &data_fake, stopparen, recursed, NULL, f, depth+1,mutate_ok);
+ if (scan->flags) {
+ if (deltanext) {
+ FAIL("Variable length lookbehind not implemented");
+@@ -4462,7 +4480,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ nscan = NEXTOPER(NEXTOPER(scan));
+
+ *minnextp = study_chunk(pRExC_state, &nscan, minnextp, &deltanext,
+- last, &data_fake, stopparen, recursed, NULL, f,depth+1);
++ last, &data_fake, stopparen, recursed, NULL, f,depth+1,mutate_ok);
+ if (scan->flags) {
+ if (deltanext) {
+ FAIL("Variable length lookbehind not implemented");
+@@ -4625,7 +4643,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ */
+ minnext = study_chunk(pRExC_state, &scan, minlenp,
+ &deltanext, (regnode *)nextbranch, &data_fake,
+- stopparen, recursed, NULL, f,depth+1);
++ stopparen, recursed, NULL, f,depth+1,mutate_ok);
+ }
+ if (nextbranch && PL_regkind[OP(nextbranch)]==BRANCH)
+ nextbranch= regnext((regnode*)nextbranch);
+@@ -5442,7 +5460,7 @@ reStudy:
+
+ minlen = study_chunk(pRExC_state, &first, &minlen, &fake, scan + RExC_size, /* Up to end */
+ &data, -1, NULL, NULL,
+- SCF_DO_SUBSTR | SCF_WHILEM_VISITED_POS | stclass_flag,0);
++ SCF_DO_SUBSTR | SCF_WHILEM_VISITED_POS | stclass_flag,0,TRUE);
+
+
+ CHECK_RESTUDY_GOTO;
+@@ -5627,7 +5645,7 @@ reStudy:
+
+
+ minlen = study_chunk(pRExC_state, &scan, &minlen, &fake, scan + RExC_size,
+- &data, -1, NULL, NULL, SCF_DO_STCLASS_AND|SCF_WHILEM_VISITED_POS,0);
++ &data, -1, NULL, NULL, SCF_DO_STCLASS_AND|SCF_WHILEM_VISITED_POS,0,TRUE);
+
+ CHECK_RESTUDY_GOTO;
+
+diff --git a/t/re/pat.t b/t/re/pat.t
+index faddbc5..e328fbd 100644
+--- a/t/re/pat.t
++++ b/t/re/pat.t
+@@ -19,7 +19,7 @@ BEGIN {
+ require './test.pl';
+ }
+
+-plan tests => 472; # Update this when adding/deleting tests.
++plan tests => 476; # Update this when adding/deleting tests.
+
+ run_tests() unless caller;
+
+@@ -1260,6 +1260,30 @@ EOP
+ use re '/aa';
+ unlike 'k', qr/(?i:\N{KELVIN SIGN})/, "(?i: shouldn't lose the passed in /aa";
+ }
++ # gh16947: test regexp corruption (GOSUB)
++ {
++ fresh_perl_is(q{
++ 'xy' =~ /x(?0)|x(?|y|y)/ && print 'ok'
++ }, 'ok', {}, 'gh16947: test regexp corruption (GOSUB)');
++ }
++ # gh16947: test fix doesn't break SUSPEND
++ {
++ fresh_perl_is(q{ 'sx' =~ m{ss++}i; print 'ok' },
++ 'ok', {}, "gh16947: test fix doesn't break SUSPEND");
++ }
++
++ # gh17743: more regexp corruption via GOSUB
++ {
++ fresh_perl_is(q{
++ "0" =~ /((0(?0)|000(?|0000|0000)(?0))|)/; print "ok"
++ }, 'ok', {}, 'gh17743: test regexp corruption (1)');
++
++ fresh_perl_is(q{
++ "000000000000" =~ /(0(())(0((?0)())|000(?|\x{ef}\x{bf}\x{bd}|\x{ef}\x{bf}\x{bd}))|)/;
++ print "ok"
++ }, 'ok', {}, 'gh17743: test regexp corruption (2)');
++ }
++
+ } # End of sub run_tests
+
+ 1;
+--
+2.26.2
+
diff --git a/SPECS/perl.spec b/SPECS/perl.spec
index f21be92..38026bc 100644
--- a/SPECS/perl.spec
+++ b/SPECS/perl.spec
@@ -31,7 +31,7 @@
Name: perl
Version: %{perl_version}
# release number must be even higher, because dual-lived modules will be broken otherwise
-Release: 297%{?dist}
+Release: 299%{?dist}
Epoch: %{perl_epoch}
Summary: Practical Extraction and Report Language
Group: Development/Languages
@@ -190,6 +190,18 @@ Patch45: perl-5.19.4-Fix-day-of-year-parsing.patch
# in upstream after 5.29.1, in dual-life package after 1.26
Patch46: perl-5.16.3-RT-124787-Fix-Time-Local-tests.patch
+# Fix CVE-2020-12723, bug #1839278, GH#16947, fixed in upstream 5.28.3, ported from
+# upstream 3f4ba871d2d397dcd4386ed75e05353c36135c29.
+Patch47: perl-5.16.3-CVE-2020-12723.patch
+
+# Fix CVE-2020-10543, bug #1839272, fixed in upstream 5.28.3, ported from
+# upstream 1aef74e6bc0269fcd6ad7669fcd58488ffaf736f.
+Patch48: perl-5.16.3-CVE-2020-10543.patch
+
+# Fix CVE-2020-10878, bug #1839275, fixed in upstream 5.28.3, ported from
+# upstream 011cd8913d3a230b8d30b156b848585c7c4c1597.
+Patch49: perl-5.16.3-CVE-2020-10878.patch
+
# Update some of the bundled modules
# see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
@@ -1995,6 +2007,9 @@ tarball from perl.org.
%patch44 -p1
%patch45 -p1
%patch46 -p1
+%patch47 -p1
+%patch48 -p1
+%patch49 -p1
%if !%{defined perl_bootstrap}
# Local patch tracking
@@ -2042,6 +2057,9 @@ perl -x patchlevel.h \
'RHEL Patch43: Fix CVE-2018-18311 Integer overflow leading to buffer overflow' \
'RHEL Patch44: Fix a spurious timeout in Net::FTP::close (CPAN RT#18504)' \
'RHEL Patch45: Fix day of year parsing (CPAN RT#88211)' \
+ 'RHEL Patch47: Fix CVE-2020-12723 (GH#16947)' \
+ 'RHEL Patch48: Fix CVE-2020-10543' \
+ 'RHEL Patch49: Fix CVE-2020-10878' \
%{nil}
%endif
@@ -3724,6 +3742,13 @@ sed \
# Old changelog entries are preserved in CVS.
%changelog
+* Thu Jan 07 2021 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.16.3-299
+- Fix CVE-2020-10543 (bug #1839272)
+- Fix CVE-2020-10878 (bug #1839275)
+
+* Fri Dec 18 2020 Petr Pisar <ppisar@redhat.com> - 4:5.16.3-298
+- Fix CVE-2020-12723 (bug #1839278)
+
* Mon Feb 24 2020 Petr Pisar <ppisar@redhat.com> - 4:5.16.3-297
- Fix a file mode of a perl-example.stp example (bug #1806523)