Perl interface to the libxml2 library
Backport upstream commit 059abf5f9336e to fix CVE-2026-8177,
an out-of-bounds heap read caused by the hand-rolled UTF-8
parser in domParseChar(). The patch removes domParseChar()
from dom.c/dom.h and replaces the custom name validation in
LibXML_test_node_name() (LibXML.xs) with libxml2's
xmlValidateName(), which correctly handles truncated and
malformed UTF-8 sequences. A new regression test
(t/48_security_oob_utf8_gh146.t) with 65 test cases is
included to verify the fix across multiple DOM entry points.
CVE: CVE-2026-8177
Upstream patches:
-
|
||
|---|---|---|
| .gitignore | ||
| perl-XML-LibXML-2.0132-CVE-2026-8177.patch | ||
| perl-XML-LibXML.spec | ||
| sources | ||