rpms/perl-XML-Parser
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c10
rpms:c9s
rpms:c10s
rpms:c8s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c9/perl-XML-Parser-2.46-9.1.el9_7
rpms:imports/c10/perl-XML-Parser-2.47-6.1.el10_1
rpms:imports/c8/perl-XML-Parser-2.44-12.el8_10
rpms:imports/c10s/perl-XML-Parser-2.47-7.el10
rpms:imports/c10s/perl-XML-Parser-2.47-6.el10
rpms:imports/c10s/perl-XML-Parser-2.47-5.el10
rpms:imports/c10s/perl-XML-Parser-2.47-4.el10
rpms:imports/c9/perl-XML-Parser-2.46-9.el9
rpms:imports/c9-beta/perl-XML-Parser-2.46-9.el9
rpms:imports/c8-beta/perl-XML-Parser-2.44-11.el8
rpms:imports/c8/perl-XML-Parser-2.44-11.el8
...
pull from: rpms:c9-beta
Branches Tags
rpms:c9
rpms:c10
rpms:c8
rpms:c9s
rpms:c10s
rpms:c8s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c9/perl-XML-Parser-2.46-9.1.el9_7
rpms:imports/c10/perl-XML-Parser-2.47-6.1.el10_1
rpms:imports/c8/perl-XML-Parser-2.44-12.el8_10
rpms:imports/c10s/perl-XML-Parser-2.47-7.el10
rpms:imports/c10s/perl-XML-Parser-2.47-6.el10
rpms:imports/c10s/perl-XML-Parser-2.47-5.el10
rpms:imports/c10s/perl-XML-Parser-2.47-4.el10
rpms:imports/c9/perl-XML-Parser-2.46-9.el9
rpms:imports/c9-beta/perl-XML-Parser-2.46-9.el9
rpms:imports/c8-beta/perl-XML-Parser-2.44-11.el8
rpms:imports/c8/perl-XML-Parser-2.44-11.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

6 changed files with 80 additions and 279 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/XML-Parser-2.44.tar.gz
SOURCES/XML-Parser-2.46.tar.gz

2
.perl-XML-Parser.metadata
View File

@ -1 +1 @@
0ab6b932713ec1f9927a1b1c619b6889a5c12849 SOURCES/XML-Parser-2.44.tar.gz
40cba8a10847b71804684e5c72a410277f47f8ce SOURCES/XML-Parser-2.46.tar.gz

64
SOURCES/XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
View File

@ -1,64 +0,0 @@
From 53e71571fc0b1f8dbad5f7ff6e9eeeb233496c13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 13 Dec 2018 13:05:07 +0100
Subject: [PATCH] Fix a buffer overwrite in parse_stream()
The parse_stream() function allocates BUFSIZE-byte long output buffer. Then it
reads a string using PerlIO's read() with a maximal string length tsiz=BUFSIZE
characters into a temporary buffer. And then it retrieves a length of the string
in the temporary buffer in bytes and copies the strings from the temporary
buffer to the output buffer.
While it works for byte-stream file handles, when using UTF-8 handles, length
in bytes can be greater than length in characters, thus the temporary buffer
can contain more bytes than the size of the output buffer and we have a buffer
overwrite. This corrupts memory, especially metadata for libc memory
management and subsequent free() aborts with "free(): invalid next size
(normal)".
Minimal reproducer: Execute this code with an UTF-8 encoded file with non-ASCII
charcters on the standard input:
use XML::XPath;
use open ':std', ':encoding(UTF-8)';
my $xpath = XML::XPath->new(ioref => \*STDIN);
$xpath->find('/');
https://bugzilla.redhat.com/show_bug.cgi?id=1473368
https://bugzilla.redhat.com/show_bug.cgi?id=1658512
---
Expat/Expat.xs | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Expat/Expat.xs b/Expat/Expat.xs
index ed66531..dbad380 100644
--- a/Expat/Expat.xs
+++ b/Expat/Expat.xs
@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
}
else {
tbuff = newSV(0);
- tsiz = newSViv(BUFSIZE);
- buffsize = BUFSIZE;
+ tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
+ buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
}
while (! done)
@@ -386,9 +386,11 @@ parse_stream(XML_Parser parser, SV * ioref)
croak("read error");
tb = SvPV(tbuff, br);
- if (br > 0)
+ if (br > 0) {
+ if (br > buffsize)
+ croak("The input buffer is not large enough for read UTF-8 decoded string");
Copy(tb, buffer, br, char);
- else
+ } else
done = 1;
PUTBACK ;
--
2.18.1

106
SOURCES/XML-Parser-2.48-CVE-2006-10002.patch
View File

@ -1,106 +0,0 @@
From 5361c2b7f48599718cdecbe50c5fdd88b28ffd79 Mon Sep 17 00:00:00 2001
From: Toddr Bot <toddbot@rinaldo.us>
Date: Mon, 16 Mar 2026 20:55:31 +0000
Subject: [PATCH] Fix buffer overflow in parse_stream when filehandle has :utf8
layer
When a filehandle has a :utf8 PerlIO layer, Perl's read() returns
decoded characters, but SvPV() gives back the UTF-8 byte
representation which can be larger than the pre-allocated XML buffer.
Previously this caused heap corruption (double free / buffer overflow),
and a later workaround (BUFSIZE * 6 + croak) prevented the corruption
but still crashed.
Fix by re-obtaining the expat buffer at the actual byte size when the
read produces more bytes than initially allocated. This handles UTF-8
streams gracefully without wasting memory on an oversized buffer.
Fixes https://github.com/cpan-authors/XML-Parser/issues/64
(migrated from rt.cpan.org #19859)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
Expat/Expat.xs | 15 +++++++++++----
t/utf8_stream.t | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 4 deletions(-)
create mode 100644 t/utf8_stream.t
diff --git a/Expat/Expat.xs b/Expat/Expat.xs
index 32fdce5..3cd1154 100644
--- a/Expat/Expat.xs
+++ b/Expat/Expat.xs
@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
}
else {
tbuff = newSV(0);
- tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
- buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
+ tsiz = newSViv(BUFSIZE);
+ buffsize = BUFSIZE;
}
while (! done)
@@ -387,8 +387,15 @@ parse_stream(XML_Parser parser, SV * ioref)
tb = SvPV(tbuff, br);
if (br > 0) {
- if (br > buffsize)
- croak("The input buffer is not large enough for read UTF-8 decoded string");
+ if (br > buffsize) {
+ /* The byte count from SvPV can exceed buffsize when the
+ filehandle has a :utf8 layer, since Perl reads buffsize
+ characters but multi-byte UTF-8 chars produce more bytes.
+ Re-obtain the buffer at the required size. */
+ buffer = XML_GetBuffer(parser, br);
+ if (! buffer)
+ croak("Ran out of memory for input buffer");
+ }
Copy(tb, buffer, br, char);
} else
done = 1;
diff --git a/t/utf8_stream.t b/t/utf8_stream.t
new file mode 100644
index 0000000..a7e55f7
--- /dev/null
+++ b/t/utf8_stream.t
@@ -0,0 +1,40 @@
+BEGIN { print "1..2\n"; }
+END { print "not ok 1\n" unless $loaded; }
+use XML::Parser;
+$loaded = 1;
+print "ok 1\n";
+
+################################################################
+# Test parsing from a filehandle with :utf8 layer
+# Regression test for rt.cpan.org #19859 / GitHub issue #64
+# A UTF-8 stream caused buffer overflow because SvPV byte count
+# could exceed the pre-allocated XML_GetBuffer size.
+
+use File::Temp qw(tempfile);
+
+# Create a temp file with UTF-8 XML content containing multi-byte chars
+my ($fh, $tmpfile) = tempfile(UNLINK => 1);
+binmode($fh, ':raw');
+# Write raw UTF-8 bytes: XML with Chinese characters (3 bytes each in UTF-8)
+# U+4E16 U+754C (世界 = "world") repeated to create substantial multi-byte content
+my $body = "\xe4\xb8\x96\xe7\x95\x8c" x 20000; # 120000 bytes / 40000 chars of 3-byte UTF-8
+print $fh qq(<?xml version="1.0" encoding="UTF-8"?>\n<doc>$body</doc>\n);
+close($fh);
+
+my $text = '';
+my $parser = XML::Parser->new(
+ Handlers => {
+ Char => sub { $text .= $_[1]; },
+ }
+);
+
+# Open with :utf8 layer - this is what triggers the bug
+open(my $in, '<:utf8', $tmpfile) or die "Cannot open $tmpfile: $!";
+eval { $parser->parse($in); };
+close($in);
+
+if ($@ eq '' && length($text) > 0) {
+ print "ok 2\n";
+} else {
+ print "not ok 2 # $@\n";
+}

66
SOURCES/XML-Parser-2.48-CVE-2006-10003.patch
View File

@ -1,66 +0,0 @@
From 08dd37c35ec5e64e26aacb8514437f54708f7fd1 Mon Sep 17 00:00:00 2001
From: Toddr Bot <toddbot@rinaldo.us>
Date: Mon, 16 Mar 2026 22:16:11 +0000
Subject: [PATCH] fix: off-by-one heap buffer overflow in st_serial_stack
growth check
When st_serial_stackptr == st_serial_stacksize - 1, the old check
(stackptr >= stacksize) would not trigger reallocation. The subsequent
++stackptr then writes at index stacksize, one element past the
allocated buffer.
Fix by checking stackptr + 1 >= stacksize so the buffer is grown
before the pre-increment write.
Add a deep nesting test (600 levels) to exercise this code path.
Fixes #39
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
Expat/Expat.xs | 2 +-
t/deep_nesting.t | 22 ++++++++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 t/deep_nesting.t
diff --git a/Expat/Expat.xs b/Expat/Expat.xs
index 5f9b193..0226a24 100644
--- a/Expat/Expat.xs
+++ b/Expat/Expat.xs
@@ -514,7 +514,7 @@ startElement(void *userData, const char *name, const char **atts)
}
}
- if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
+ if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
unsigned int newsize = cbv->st_serial_stacksize + 512;
Renew(cbv->st_serial_stack, newsize, unsigned int);
diff --git a/t/deep_nesting.t b/t/deep_nesting.t
new file mode 100644
index 0000000..8237b5f
--- /dev/null
+++ b/t/deep_nesting.t
@@ -0,0 +1,22 @@
+BEGIN { print "1..1\n"; }
+
+# Test for deeply nested elements to exercise st_serial_stack reallocation.
+# This catches off-by-one errors in the stack growth check (GH #39).
+
+use XML::Parser;
+
+my $depth = 600;
+
+my $xml = '';
+for my $i (1 .. $depth) {
+ $xml .= "<e$i>";
+}
+for my $i (reverse 1 .. $depth) {
+ $xml .= "</e$i>";
+}
+
+my $p = XML::Parser->new;
+eval { $p->parse($xml) };
+
+print "not " if $@;
+print "ok 1\n";

119
SPECS/perl-XML-Parser.spec
View File

@ -1,48 +1,46 @@
Name: perl-XML-Parser
Version: 2.44
Release: 12%{?dist}
Version: 2.46
Release: 9%{?dist}
Summary: Perl module for parsing XML documents
Group: Development/Libraries
License: GPL+ or Artistic
Url: http://search.cpan.org/dist/XML-Parser/
Source0: http://search.cpan.org/CPAN/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz
# Fix a buffer overwrite in parse_stream() with wide characters on the standard
# input, bug #1658512, CPAN RT#128006
Patch0: XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
# Fix buffer overflow in parse_stream when filehandle has :utf8
# CVE-2006-10002
Patch1: XML-Parser-2.48-CVE-2006-10002.patch
# Fix off-by-one heap buffer overflow in st_serial_stack growth check
# CVE-2006-10003
Patch2: XML-Parser-2.48-CVE-2006-10003.patch
Url: https://metacpan.org/release/XML-Parser
Source0: https://cpan.metacpan.org/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz
# Build
BuildRequires: coreutils
BuildRequires: expat-devel
BuildRequires: findutils
BuildRequires: gcc
BuildRequires: glibc-common
BuildRequires: make
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl(Carp)
BuildRequires: perl(Config)
BuildRequires: perl(Devel::CheckLib)
BuildRequires: perl(DynaLoader)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(English)
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
BuildRequires: perl(lib)
# Runtime
BuildRequires: perl(Carp)
BuildRequires: perl(FileHandle)
BuildRequires: perl(File::Temp)
BuildRequires: perl(File::Spec)
BuildRequires: perl(if)
BuildRequires: perl(IO::File)
BuildRequires: perl(IO::Handle)
BuildRequires: perl(lib)
# LWPExternEnt.pl script is loaded by Parser.pm
BuildRequires: perl(LWP::UserAgent)
BuildRequires: perl(overload)
BuildRequires: perl(strict)
BuildRequires: perl(Test)
BuildRequires: perl(Test::More)
BuildRequires: perl(vars)
BuildRequires: perl(warnings)
BuildRequires: expat-devel
# The script LWPExternEnt.pl is loaded by Parser.pm
BuildRequires: perl(LWP::UserAgent)
BuildRequires: perl(URI)
BuildRequires: perl(URI::file)
BuildRequires: perl(XSLoader)
# Tests
BuildRequires: perl(if)
BuildRequires: perl(Test)
BuildRequires: perl(Test::More)
BuildRequires: perl(warnings)
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: perl(IO::File)
Requires: perl(IO::Handle)
@ -64,30 +62,26 @@ creation time.
%prep
%setup -q -n XML-Parser-%{version}
%patch -P0 -p1
%patch -P1 -p1
%patch -P2 -p1
chmod 644 samples/{canonical,xml*}
perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' samples/{canonical,xml*}
perl -MConfig -pi -e 's|^#!/usr/local/bin/perl\b|$Config{startperl}|' samples/{canonical,xml*}
# Remove bundled library
rm -r inc
perl -i -ne 'print $_ unless m{^inc/}' MANIFEST
%build
CFLAGS="$RPM_OPT_FLAGS" perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags} OPTIMIZE="$RPM_OPT_FLAGS"
perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
%{make_build}
%install
make pure_install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';'
find $RPM_BUILD_ROOT -type f -name '*.bs' -a -size 0 -exec rm -f {} ';'
chmod -R u+w $RPM_BUILD_ROOT/*
%{make_install}
find $RPM_BUILD_ROOT -type f -name '*.bs' -a -size 0 -delete
%{_fixperms} $RPM_BUILD_ROOT/*
for file in samples/REC-xml-19980210.xml; do
iconv -f iso-8859-1 -t utf-8 < "$file" > "${file}_"
mv -f "${file}_" "$file"
sed -i -e "s/encoding='ISO-8859-1'/encoding='UTF-8'/" "$file"
perl -i -pe "s/encoding='ISO-8859-1'/encoding='UTF-8'/" "$file"
done
%check
@ -101,12 +95,55 @@ make test
%changelog
* Thu Mar 26 2026 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-12
- Fix CVE-2006-10002, CVE-2006-10003
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.46-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Dec 13 2018 Petr Pisar <ppisar@redhat.com> - 2.44-11
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.46-8
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 21 2020 Petr Pisar <ppisar@redhat.com> - 2.46-5
- Modernize a spec file
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-4
- Perl 5.32 rebuild
* Tue Mar 10 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-3
- Specify all dependencies
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Sep 24 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-1
- 2.46 bump
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-16
- Perl 5.30 rebuild
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 13 2018 Petr Pisar <ppisar@redhat.com> - 2.44-14
- Fix a buffer overwrite in parse_stream() with wide characters on the standard
input (bug #1658512)
input (bug #1473368)
* Mon Jul 23 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-13
- Specify all dependencies
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-11
- Perl 5.28 rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild