oss-sec mailing list archives

Re: CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 22 Mar 2026 22:06:00 +0100

Hi,

On Thu, Mar 19, 2026 at 08:06:17AM -0300, Timothy Legge wrote:
========================================================================
CVE-2006-10002                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2006-10002
  Distribution:  XML-Parser
      Versions:  through 2.47

      MetaCPAN:  https://metacpan.org/dist/XML-Parser
      VCS Repo:  http://github.com/toddr/XML-Parser


XML::Parser versions through 2.47 for Perl could overflow the
pre-allocated buffer size, causing heap corruption (double free or
corruption) and crashes

Description
-----------
XML::Parser versions through 2.47 for Perl could overflow the
pre-allocated buffer size, causing heap corruption (double free or
corruption) and crashes.

With a :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the
XML input buffer because Perl's read() returns decoded characters while
SvPV() gives back multi-byte UTF-8 bytes that can exceed the
pre-allocated buffer size. This can cause heap corruption (double free
or corruption) and crashes.

Problem types
-------------
- CWE-122 Heap-based Buffer Overflow
- CWE-176 Improper Handling of Unicode Encoding

Workarounds
-----------
Apply the patch that has been publicly available since 2006-06-13.


Solutions
---------
Apply the patch that has been publicly available since 2006-06-13 or
upgrade to version 2.48 or later when it is released.


References
----------
https://rt.cpan.org/Ticket/Display.html?id=19859
https://github.com/cpan-authors/XML-Parser/issues/64
https://github.com/cpan-authors/XML-Parser/commit/6b291f4d260fc124a6ec80382b87a918f372bc6b.patch

Timeline
--------
- 2006-06-13: Issue logged in Request Tracker for XML::Parser
- 2006-08-11: Patch provided in Request Tracker for XML::Parser
- 2019-09-24: Issue migrated to GitHub issue tracker
- 2019-09-24: Patch provided in GitHub issue tracker
- 2026-03-16: PR created and commit merged to git repo

An update on this one, it was later assessed that this was fixed
earlier already in 2.45, with
https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255
(so the CVE record got updated, thanks Timothy).

Regards,
Salvatore
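
The character-count versus byte-count mismatch described in the advisory, as an added C illustration; it is not code from XML::Parser, Expat.xs or either referenced commit. read_chars(), bytes_past_end(), feed_checked() and BUFSIZE are hypothetical names, the input is constructed, and the consumer is assumed to accept a character split across two slices.

```c
#include <stddef.h>
#include <string.h>

#define BUFSIZE 8  /* constructed size standing in for the pre-allocated buffer */

/* Hypothetical stand-in for read() on a :utf8 handle: consumes up to
 * max_chars characters from src and returns how many BYTES they occupy. */
static size_t read_chars(const char *src, size_t max_chars)
{
    size_t bytes = 0, chars = 0;
    while (src[bytes] != '\0' && chars < max_chars) {
        bytes++;                                        /* lead byte */
        while (((unsigned char)src[bytes] & 0xC0) == 0x80)
            bytes++;                                    /* continuation bytes */
        chars++;
    }
    return bytes;
}

/* Unchecked pattern: "asked for BUFSIZE characters" is taken to mean
 * "got at most BUFSIZE bytes". Returns how many bytes an unbounded
 * copy into the buffer would write past its end (0 = fits). */
size_t bytes_past_end(const char *src)
{
    size_t nbytes = read_chars(src, BUFSIZE);
    return nbytes > BUFSIZE ? nbytes - BUFSIZE : 0;
}

/* Checked pattern: every copy is bounded by the buffer's size in bytes and
 * the data is handed on in slices. out stands in for the parser and must
 * hold strlen(src) bytes. Returns the largest slice copied into buf. */
size_t feed_checked(const char *src, char *out, size_t *total)
{
    char buf[BUFSIZE];
    size_t largest = 0;
    *total = 0;
    while (*src != '\0') {
        size_t nbytes = read_chars(src, BUFSIZE);       /* may exceed BUFSIZE */
        for (size_t off = 0; off < nbytes; off += BUFSIZE) {
            size_t n = nbytes - off < BUFSIZE ? nbytes - off : BUFSIZE;
            memcpy(buf, src + off, n);                  /* n <= BUFSIZE */
            memcpy(out + *total, buf, n);
            *total += n;
            if (n > largest)
                largest = n;
        }
        src += nbytes;
    }
    return largest;
}
```

With ASCII input the two counts coincide and nothing is written past the end; with two-byte characters a read of BUFSIZE characters yields twice BUFSIZE bytes, which is the condition the advisory describes.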

