Hi, On Thu, Mar 19, 2026 at 08:06:17AM -0300, Timothy Legge wrote: > ======================================================================== > CVE-2006-10002 CPAN Security Group > ======================================================================== > > CVE ID: CVE-2006-10002 > Distribution: XML-Parser > Versions: through 2.47 > > MetaCPAN: https://metacpan.org/dist/XML-Parser > VCS Repo: http://github.com/toddr/XML-Parser > > > XML::Parser versions through 2.47 for Perl could overflow the > pre-allocated buffer size cause a heap corruption (double free or > corruption) and crashes > > Description > ----------- > XML::Parser versions through 2.47 for Perl could overflow the > pre-allocated buffer size cause a heap corruption (double free or > corruption) and crashes. > > A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML > input buffer because Perl's read() returns decoded characters while > SvPV() gives back multi-byte UTF-8 bytes that can exceed the > pre-allocated buffer size. This can cause heap corruption (double free > or corruption) and crashes. > > Problem types > ------------- > - CWE-122 Heap-based Buffer Overflow > - CWE-176 Improper Handling of Unicode Encoding > > Workarounds > ----------- > Apply the patch that has been publicly available since 2006-06-13. > > > Solutions > --------- > Apply the patch that has been publicly available since 2006-06-13 or > upgrade to version 2.48 or later when it is released. > > > References > ---------- > https://rt.cpan.org/Ticket/Display.html?id=19859 > https://github.com/cpan-authors/XML-Parser/issues/64 > https://github.com/cpan-authors/XML-Parser/commit/6b291f4d260fc124a6ec80382b87a918f372bc6b.patch > > Timeline > -------- > - 2006-06-13: Issue logged in Request Tracker for XML::Parser > - 2006-08-11: Patch provided in Request Tracker for XML::Parser > - 2019-09-24: Issue migrated to github issue tracker > - 2019-09-24: Patch provided in github issue tracker > - 2026-03-16: PR created and commit merged to git repo
An update on this one, it was later assessed that this was fixed earlier already in 2.45, with https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255 (so the CVE record got update, thanks Timothy). Regards, Salvatore
