CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer, causing heap corruption (double free or corruption) and crashes Timothy Legge 19 Mar 2026 11:06 UTC

========================================================================
CVE-2006-10002                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2006-10002
   Distribution:  XML-Parser
       Versions:  through 2.47

       MetaCPAN:  https://metacpan.org/dist/XML-Parser
       VCS Repo:  http://github.com/toddr/XML-Parser

XML::Parser versions through 2.47 for Perl could overflow the
pre-allocated buffer, causing heap corruption (double free or
corruption) and crashes.

Description
-----------
XML::Parser versions through 2.47 for Perl could overflow the
pre-allocated buffer, causing heap corruption (double free or
corruption) and crashes.

With a :utf8 PerlIO layer in effect, parse_stream() in Expat.xs could
overflow the XML input buffer: Perl's read() counts decoded characters,
while SvPV() hands back the underlying multi-byte UTF-8 bytes, and the
byte count can exceed the pre-allocated buffer size. This can cause heap
corruption (double free or corruption) and crashes.
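The character-versus-byte mismatch described above can be observed from pure Perl. The following is an added example, not code from the advisory or from XML::Parser: it reads a constructed XML document through a :utf8 layer in fixed-size chunks, reports how many UTF-8 octets each chunk actually occupies (the length SvPV() would expose to C), and contrasts that with a hypothetical safe_read() that reads octets from a :raw handle so the byte count can never exceed the buffer size. The buffer size, the sample document and both helper names are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example (not part of the advisory or of XML::Parser): demonstrates
# why read() on a :utf8 handle can return more UTF-8 bytes than the
# requested chunk size, and one defensive way to read into a fixed buffer.
use strict;
use warnings;
use Encode qw(encode_utf8);

# Constructed sample input with multi-byte characters: "é" and "û" are
# 2 bytes each in UTF-8, "€" is 3 bytes.  24 characters, 28 octets.
my $XML = "<doc>caf\x{e9} co\x{fb}te \x{20ac}5</doc>";

# Hypothetical fixed buffer size, standing in for a pre-allocated C buffer.
my $BUFSIZE = 16;

# Read through a :utf8 layer in $BUFSIZE-character chunks.  read() honours
# the character count, but each chunk's octet length may be larger.
sub read_chunks_utf8 {
    my ($text, $bufsize) = @_;
    my $octets = encode_utf8($text);
    open my $fh, '<:utf8', \$octets or die "open: $!";
    my @chunks;
    my $buf;
    while ((my $n = read($fh, $buf, $bufsize)) > 0) {
        my $len = length(encode_utf8($buf));   # bytes SvPV() would expose
        push @chunks, { chars => $n, bytes => $len, overflow => $len > $bufsize };
    }
    close $fh;
    return @chunks;
}

# Hypothetical safe variant: read octets from a :raw handle, so the number
# of bytes placed in the buffer is bounded by $bufsize by construction.
# Decoding is left to the XML parser, which sees the same byte stream.
sub safe_read {
    my ($text, $bufsize) = @_;
    my $octets = encode_utf8($text);
    open my $fh, '<:raw', \$octets or die "open: $!";
    my @chunks;
    my $buf;
    while ((my $n = read($fh, $buf, $bufsize)) > 0) {
        die "invariant violated" if length($buf) > $bufsize;  # never fires
        push @chunks, { bytes => $n, overflow => 0 };
    }
    close $fh;
    return @chunks;
}

print "Reading through :utf8 with a $BUFSIZE-character buffer:\n";
for my $c (read_chunks_utf8($XML, $BUFSIZE)) {
    printf "  %2d chars -> %2d bytes%s\n",
        $c->{chars}, $c->{bytes}, $c->{overflow} ? "  (exceeds buffer)" : "";
}

print "Reading through :raw with a $BUFSIZE-byte buffer:\n";
for my $c (safe_read($XML, $BUFSIZE)) {
    printf "  %2d bytes\n", $c->{bytes};
}
```

With the constructed input, the first :utf8 chunk is 16 characters but 18 octets, which is exactly the condition the description identifies: a caller that sized its C buffer by characters and then copied SvPV() bytes would write past the end. Reading octets from a :raw handle removes the discrepancy, because the count read() reports is then the count of bytes that actually landed in the buffer.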

Problem types
-------------
- CWE-122 Heap-based Buffer Overflow
- CWE-176 Improper Handling of Unicode Encoding

Workarounds
-----------
Apply the patch that has been publicly available since 2006-06-13.

Solutions
---------
Apply the patch that has been publicly available since 2006-06-13 or
upgrade to version 2.48 or later when it is released.

References
----------
https://rt.cpan.org/Ticket/Display.html?id=19859
https://github.com/cpan-authors/XML-Parser/issues/64
https://github.com/cpan-authors/XML-Parser/commit/6b291f4d260fc124a6ec80382b87a918f372bc6b.patch

Timeline
--------
- 2006-06-13: Issue logged in Request Tracker for XML::Parser
- 2006-08-11: Patch provided in Request Tracker for XML::Parser
- 2019-09-24: Issue migrated to GitHub issue tracker
- 2019-09-24: Patch provided in GitHub issue tracker
- 2026-03-16: PR created and commit merged to git repo