.gitignore

@@ -1 +1 @@
-SOURCES/XML-Parser-2.44.tar.gz
+SOURCES/XML-Parser-2.46.tar.gz

.perl-XML-Parser.metadata

@@ -1 +1 @@
-0ab6b932713ec1f9927a1b1c619b6889a5c12849 SOURCES/XML-Parser-2.44.tar.gz
+40cba8a10847b71804684e5c72a410277f47f8ce SOURCES/XML-Parser-2.46.tar.gz

SOURCES/XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch

@@ -1,64 +0,0 @@
-From 53e71571fc0b1f8dbad5f7ff6e9eeeb233496c13 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Thu, 13 Dec 2018 13:05:07 +0100
-Subject: [PATCH] Fix a buffer overwrite in parse_stream()
-
-The parse_stream() function allocates BUFSIZE-byte long output buffer. Then it
-reads a string using PerlIO's read() with a maximal string length tsiz=BUFSIZE
-characters into a temporary buffer. And then it retrieves a length of the string
-in the temporary buffer in bytes and copies the strings from the temporary
-buffer to the output buffer.
-
-While it works for byte-stream file handles, when using UTF-8 handles, length
-in bytes can be greater than length in characters, thus the temporary buffer
-can contain more bytes than the size of the output buffer and we have a buffer
-overwrite. This corrupts memory, especially metadata for libc memory
-management and subsequent free() aborts with "free(): invalid next size
-(normal)".
-
-Minimal reproducer: Execute this code with an UTF-8 encoded file with non-ASCII
-charcters on the standard input:
-
-use XML::XPath;
-use open ':std', ':encoding(UTF-8)';
-my $xpath = XML::XPath->new(ioref => \*STDIN);
-$xpath->find('/');
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1473368
-https://bugzilla.redhat.com/show_bug.cgi?id=1658512
----
- Expat/Expat.xs | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/Expat/Expat.xs b/Expat/Expat.xs
-index ed66531..dbad380 100644
---- a/Expat/Expat.xs
-+++ b/Expat/Expat.xs
-@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
-   }
-   else {
-     tbuff = newSV(0);
--    tsiz = newSViv(BUFSIZE);
--    buffsize = BUFSIZE;
-+    tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
-+    buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
-   }
- 
-   while (! done)
-@@ -386,9 +386,11 @@ parse_stream(XML_Parser parser, SV * ioref)
- 	  croak("read error");
- 
- 	tb = SvPV(tbuff, br);
--	if (br > 0)
-+	if (br > 0) {
-+	  if (br > buffsize)
-+	    croak("The input buffer is not large enough for read UTF-8 decoded string");
- 	  Copy(tb, buffer, br, char);
--	else
-+	} else
- 	  done = 1;
- 
- 	PUTBACK ;
--- 
-2.18.1
-

SOURCES/XML-Parser-2.48-CVE-2006-10002.patch

@@ -1,106 +0,0 @@
-From 5361c2b7f48599718cdecbe50c5fdd88b28ffd79 Mon Sep 17 00:00:00 2001
-From: Toddr Bot <toddbot@rinaldo.us>
-Date: Mon, 16 Mar 2026 20:55:31 +0000
-Subject: [PATCH] Fix buffer overflow in parse_stream when filehandle has :utf8
- layer
-
-When a filehandle has a :utf8 PerlIO layer, Perl's read() returns
-decoded characters, but SvPV() gives back the UTF-8 byte
-representation which can be larger than the pre-allocated XML buffer.
-Previously this caused heap corruption (double free / buffer overflow),
-and a later workaround (BUFSIZE * 6 + croak) prevented the corruption
-but still crashed.
-
-Fix by re-obtaining the expat buffer at the actual byte size when the
-read produces more bytes than initially allocated. This handles UTF-8
-streams gracefully without wasting memory on an oversized buffer.
-
-Fixes https://github.com/cpan-authors/XML-Parser/issues/64
-(migrated from rt.cpan.org #19859)
-
-Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
----
- Expat/Expat.xs  | 15 +++++++++++----
- t/utf8_stream.t | 40 ++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 51 insertions(+), 4 deletions(-)
- create mode 100644 t/utf8_stream.t
-
-diff --git a/Expat/Expat.xs b/Expat/Expat.xs
-index 32fdce5..3cd1154 100644
---- a/Expat/Expat.xs
-+++ b/Expat/Expat.xs
-@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
-   }
-   else {
-     tbuff = newSV(0);
--    tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
--    buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
-+    tsiz = newSViv(BUFSIZE);
-+    buffsize = BUFSIZE;
-   }
- 
-   while (! done)
-@@ -387,8 +387,15 @@ parse_stream(XML_Parser parser, SV * ioref)
- 
- 	tb = SvPV(tbuff, br);
- 	if (br > 0) {
--	  if (br > buffsize)
--	    croak("The input buffer is not large enough for read UTF-8 decoded string");
-+	  if (br > buffsize) {
-+	    /* The byte count from SvPV can exceed buffsize when the
-+	       filehandle has a :utf8 layer, since Perl reads buffsize
-+	       characters but multi-byte UTF-8 chars produce more bytes.
-+	       Re-obtain the buffer at the required size. */
-+	    buffer = XML_GetBuffer(parser, br);
-+	    if (! buffer)
-+	      croak("Ran out of memory for input buffer");
-+	  }
- 	  Copy(tb, buffer, br, char);
- 	} else
- 	  done = 1;
-diff --git a/t/utf8_stream.t b/t/utf8_stream.t
-new file mode 100644
-index 0000000..a7e55f7
---- /dev/null
-+++ b/t/utf8_stream.t
-@@ -0,0 +1,40 @@
-+BEGIN { print "1..2\n"; }
-+END { print "not ok 1\n" unless $loaded; }
-+use XML::Parser;
-+$loaded = 1;
-+print "ok 1\n";
-+
-+################################################################
-+# Test parsing from a filehandle with :utf8 layer
-+# Regression test for rt.cpan.org #19859 / GitHub issue #64
-+# A UTF-8 stream caused buffer overflow because SvPV byte count
-+# could exceed the pre-allocated XML_GetBuffer size.
-+
-+use File::Temp qw(tempfile);
-+
-+# Create a temp file with UTF-8 XML content containing multi-byte chars
-+my ($fh, $tmpfile) = tempfile(UNLINK => 1);
-+binmode($fh, ':raw');
-+# Write raw UTF-8 bytes: XML with Chinese characters (3 bytes each in UTF-8)
-+# U+4E16 U+754C (世界 = "world") repeated to create substantial multi-byte content
-+my $body = "\xe4\xb8\x96\xe7\x95\x8c" x 20000;  # 120000 bytes / 40000 chars of 3-byte UTF-8
-+print $fh qq(<?xml version="1.0" encoding="UTF-8"?>\n<doc>$body</doc>\n);
-+close($fh);
-+
-+my $text = '';
-+my $parser = XML::Parser->new(
-+    Handlers => {
-+        Char => sub { $text .= $_[1]; },
-+    }
-+);
-+
-+# Open with :utf8 layer - this is what triggers the bug
-+open(my $in, '<:utf8', $tmpfile) or die "Cannot open $tmpfile: $!";
-+eval { $parser->parse($in); };
-+close($in);
-+
-+if ($@ eq '' && length($text) > 0) {
-+    print "ok 2\n";
-+} else {
-+    print "not ok 2 # $@\n";
-+}

SOURCES/XML-Parser-2.48-CVE-2006-10003.patch

@@ -1,66 +0,0 @@
-From 08dd37c35ec5e64e26aacb8514437f54708f7fd1 Mon Sep 17 00:00:00 2001
-From: Toddr Bot <toddbot@rinaldo.us>
-Date: Mon, 16 Mar 2026 22:16:11 +0000
-Subject: [PATCH] fix: off-by-one heap buffer overflow in st_serial_stack
- growth check
-
-When st_serial_stackptr == st_serial_stacksize - 1, the old check
-(stackptr >= stacksize) would not trigger reallocation. The subsequent
-++stackptr then writes at index stacksize, one element past the
-allocated buffer.
-
-Fix by checking stackptr + 1 >= stacksize so the buffer is grown
-before the pre-increment write.
-
-Add a deep nesting test (600 levels) to exercise this code path.
-
-Fixes #39
-
-Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
----
- Expat/Expat.xs   |  2 +-
- t/deep_nesting.t | 22 ++++++++++++++++++++++
- 2 files changed, 23 insertions(+), 1 deletion(-)
- create mode 100644 t/deep_nesting.t
-
-diff --git a/Expat/Expat.xs b/Expat/Expat.xs
-index 5f9b193..0226a24 100644
---- a/Expat/Expat.xs
-+++ b/Expat/Expat.xs
-@@ -514,7 +514,7 @@ startElement(void *userData, const char *name, const char **atts)
-     }
-   }
- 
--  if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
-+  if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
-     unsigned int newsize = cbv->st_serial_stacksize + 512;
- 
-     Renew(cbv->st_serial_stack, newsize, unsigned int);
-diff --git a/t/deep_nesting.t b/t/deep_nesting.t
-new file mode 100644
-index 0000000..8237b5f
---- /dev/null
-+++ b/t/deep_nesting.t
-@@ -0,0 +1,22 @@
-+BEGIN { print "1..1\n"; }
-+
-+# Test for deeply nested elements to exercise st_serial_stack reallocation.
-+# This catches off-by-one errors in the stack growth check (GH #39).
-+
-+use XML::Parser;
-+
-+my $depth = 600;
-+
-+my $xml = '';
-+for my $i (1 .. $depth) {
-+    $xml .= "<e$i>";
-+}
-+for my $i (reverse 1 .. $depth) {
-+    $xml .= "</e$i>";
-+}
-+
-+my $p = XML::Parser->new;
-+eval { $p->parse($xml) };
-+
-+print "not " if $@;
-+print "ok 1\n";

SPECS/perl-XML-Parser.spec

@@ -1,48 +1,46 @@
 Name:           perl-XML-Parser
-Version:        2.44
+Version:        2.46
-Release:        12%{?dist}
+Release:        9%{?dist}
 Summary:        Perl module for parsing XML documents
 
-Group:          Development/Libraries
 License:        GPL+ or Artistic
-Url:            http://search.cpan.org/dist/XML-Parser/
+Url:            https://metacpan.org/release/XML-Parser
-Source0:        http://search.cpan.org/CPAN/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz
+Source0:        https://cpan.metacpan.org/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz
-# Fix a buffer overwrite in parse_stream() with wide characters on the standard
-# input, bug #1658512, CPAN RT#128006
-Patch0:         XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
-# Fix buffer overflow in parse_stream when filehandle has :utf8
-# CVE-2006-10002
-Patch1:         XML-Parser-2.48-CVE-2006-10002.patch
-# Fix off-by-one heap buffer overflow in st_serial_stack growth check
-# CVE-2006-10003
-Patch2:         XML-Parser-2.48-CVE-2006-10003.patch
 
+# Build
+BuildRequires:  coreutils
+BuildRequires:  expat-devel
+BuildRequires:  findutils
+BuildRequires:  gcc
+BuildRequires:  glibc-common
 BuildRequires:  make
 BuildRequires:  perl-devel
 BuildRequires:  perl-generators
 BuildRequires:  perl-interpreter
-BuildRequires:  perl(Carp)
 BuildRequires:  perl(Config)
 BuildRequires:  perl(Devel::CheckLib)
-BuildRequires:  perl(DynaLoader)
+BuildRequires:  perl(English)
-BuildRequires:  perl(ExtUtils::MakeMaker)
+BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.76
+BuildRequires:  perl(lib)
+# Runtime
+BuildRequires:  perl(Carp)
 BuildRequires:  perl(FileHandle)
-BuildRequires:  perl(File::Temp)
+BuildRequires:  perl(File::Spec)
 BuildRequires:  perl(if)
 BuildRequires:  perl(IO::File)
 BuildRequires:  perl(IO::Handle)
-BuildRequires:  perl(lib)
+# LWPExternEnt.pl script is loaded by Parser.pm
+BuildRequires:  perl(LWP::UserAgent)
 BuildRequires:  perl(overload)
 BuildRequires:  perl(strict)
-BuildRequires:  perl(Test)
-BuildRequires:  perl(Test::More)
-BuildRequires:  perl(vars)
-BuildRequires:  perl(warnings)
-BuildRequires:  expat-devel
-# The script LWPExternEnt.pl is loaded by Parser.pm
-BuildRequires:  perl(LWP::UserAgent)
 BuildRequires:  perl(URI)
 BuildRequires:  perl(URI::file)
+BuildRequires:  perl(XSLoader)
+# Tests
+BuildRequires:  perl(if)
+BuildRequires:  perl(Test)
+BuildRequires:  perl(Test::More)
+BuildRequires:  perl(warnings)
 Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires:       perl(IO::File)
 Requires:       perl(IO::Handle)
@@ -64,30 +62,26 @@ creation time.
 
 %prep
 %setup -q -n XML-Parser-%{version} 
-%patch -P0 -p1
-%patch -P1 -p1
-%patch -P2 -p1
 chmod 644 samples/{canonical,xml*}
-perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' samples/{canonical,xml*}
+perl -MConfig -pi -e 's|^#!/usr/local/bin/perl\b|$Config{startperl}|' samples/{canonical,xml*}
 
 # Remove bundled library
 rm -r inc
 perl -i -ne 'print $_ unless m{^inc/}' MANIFEST
 
 %build
-CFLAGS="$RPM_OPT_FLAGS" perl Makefile.PL INSTALLDIRS=vendor
+perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
-make %{?_smp_mflags} OPTIMIZE="$RPM_OPT_FLAGS"
+%{make_build}
 
 %install
-make pure_install DESTDIR=$RPM_BUILD_ROOT
+%{make_install}
-find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';'
+find $RPM_BUILD_ROOT -type f -name '*.bs' -a -size 0 -delete
-find $RPM_BUILD_ROOT -type f -name '*.bs' -a -size 0 -exec rm -f {} ';'
+%{_fixperms} $RPM_BUILD_ROOT/*
-chmod -R u+w $RPM_BUILD_ROOT/*
 
 for file in samples/REC-xml-19980210.xml; do
   iconv -f iso-8859-1 -t utf-8 < "$file" > "${file}_"
   mv -f "${file}_" "$file"
-  sed -i -e "s/encoding='ISO-8859-1'/encoding='UTF-8'/" "$file"
+  perl -i -pe "s/encoding='ISO-8859-1'/encoding='UTF-8'/" "$file"
 done
 
 %check
@@ -101,12 +95,55 @@ make test
 
 
 %changelog
-* Thu Mar 26 2026 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-12
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.46-9
-- Fix CVE-2006-10002, CVE-2006-10003
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Thu Dec 13 2018 Petr Pisar <ppisar@redhat.com> - 2.44-11
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.46-8
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Petr Pisar <ppisar@redhat.com> - 2.46-5
+- Modernize a spec file
+
+* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-4
+- Perl 5.32 rebuild
+
+* Tue Mar 10 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-3
+- Specify all dependencies
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Sep 24 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-1
+- 2.46 bump
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-16
+- Perl 5.30 rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 13 2018 Petr Pisar <ppisar@redhat.com> - 2.44-14
 - Fix a buffer overwrite in parse_stream() with wide characters on the standard
-  input (bug #1658512)
+  input (bug #1473368)
+
+* Mon Jul 23 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-13
+- Specify all dependencies
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-11
+- Perl 5.28 rebuild
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild