Re: [oe-core][PATCH] libxml-parser-perl: patch CVE-2006-10003

[Paul Barker <paul@pbarker.dev>]

[-- Attachment #1: Type: text/plain, Size: 1078 bytes --]

On Wed, 2026-04-15 at 06:51 +0000, haiqing.bai via
lists.openembedded.org wrote:
> From: Haiqing Bai <haiqing.bai@windriver.com>
> 
> XML::Parser versions through 2.47 for Perl has an off-by-one
> heap buffer overflow in st_serial_stack. In the case
> (stackptr == stacksize - 1), the stack will NOT be expanded.
> Then the new value will be written at location (++stackptr),
> which equals stacksize and therefore falls just outside the
> allocated buffer. The bug can be observed when parsing an
> XML file with very deep element nesting.
> 
> References:
>     https://nvd.nist.gov/vuln/detail/CVE-2006-10003
> 
> Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>

We had some questions about this on the patch review call, given the
CVE was assigned with a year of 2006! I was also a little confused
reading about a fix already being present in XML::Parser v2.45, but that
is for CVE-2006-10002 whereas this is CVE-2006-10003 (one digit higher).

So, all seems to be in order and we should take this patch.

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]