Package: libxml-parser-perl
Version: 2.34-4
Severity: grave

A heap overflow can be triggered in the Expat library wrapper when it parses an input stream that is in non-raw mode. This bug has also been reported at CPAN: http://rt.cpan.org/Ticket/Display.html?id=19859
The following example program crashes with a segmentation fault on certain input:

--
use strict;
use encoding 'utf8';   # puts STDIN (and STDOUT) into :utf8 mode, i.e. non-raw
use XML::Parser;

my $parser = XML::Parser->new();
$parser->parse(\*STDIN);   # the wrapper reads STDIN in chunks and hands them to expat
--

The following program generates example input on which the above program crashes:

--
binmode(STDOUT, ':bytes');   # emit raw bytes, not characters
print "<s>\n";
for (my $i = 0; $i < 40000; $i++) {
    print chr(0xc3) . chr(0xa9);   # UTF-8 encoding of U+00E9, two bytes per character
}
print "\n</s>\n";
--

The overflow occurs in libxml-parser-perl-2.34/Expat/Expat.xs, line 388:

    Copy(tb, buffer, br, char)

At this point the Expat wrapper assumes that the number of bytes it copies (br) cannot exceed buffsize, the number of characters it asked the read to return. This assumption is incorrect if the input stream is in a non-raw mode: buffsize characters can occupy more than buffsize bytes, so br can be larger than the buffer it is copied into.

The best solution is for the Perl programmer to set the stream to raw mode, since libexpat expects raw bytes anyway. In the example program above, this can be accomplished either by removing the statement "use encoding 'utf8'" or by adding the statement "binmode(STDIN, ':bytes')".

I think, however, that a segmentation fault is not a good way to inform a Perl programmer that he made a mistake. So this buffer overflow must still be fixed. Since it involves an input-triggered heap overflow, this is technically a security vulnerability.

Joris.
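The character-versus-byte mismatch described in the report, modelled in C. This is an added example and not code from XML::Parser or Expat.xs: it simulates Perl's read() on a handle in :utf8 mode (returns a character count) and in :bytes mode (returns a byte count), feeds the constructed "<s>\n" + 40000 x U+00E9 + "\n</s>\n" input through both, and reports how many bytes the wrapper's unchecked Copy() would write past the end of a buffer of bufsize bytes. The buffer size of 32768 is assumed for illustration, as are the helper names; the hardened feed_checked() is one possible fix, not the patch that was applied.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input stream: a UTF-8 byte string such as the generator
 * program above produces. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} stream_t;

/* Length in bytes of the UTF-8 sequence that starts with byte b. */
static size_t utf8_seq_len(unsigned char b) {
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    return 4;
}

/* Model of read($fh, $buf, $n) on a handle in :utf8 mode (non-raw):
 * consumes up to n CHARACTERS, returns the character count, and reports
 * in *nbytes how many bytes those characters occupy. */
static size_t read_chars(stream_t *s, size_t n, size_t *nbytes) {
    size_t chars = 0, start = s->pos;
    while (chars < n && s->pos < s->len) {
        size_t l = utf8_seq_len(s->data[s->pos]);
        if (s->pos + l > s->len) l = s->len - s->pos; /* truncated tail */
        s->pos += l;
        chars++;
    }
    *nbytes = s->pos - start;
    return chars;
}

/* Model of the same read() on a handle in :bytes mode (raw): n BYTES. */
static size_t read_bytes(stream_t *s, size_t n, size_t *nbytes) {
    size_t avail = s->len - s->pos;
    size_t got = avail < n ? avail : n;
    s->pos += got;
    *nbytes = got;
    return got;
}

/* The vulnerable pattern: the wrapper obtains a buffer of bufsize bytes,
 * asks read() for bufsize units, and copies every byte that came back.
 * Returns how many bytes that Copy() would write past the end of the
 * buffer (0 means it fits).  The copy itself is deliberately not done. */
static size_t overflow_bytes(stream_t *s, size_t bufsize, int raw_mode) {
    size_t nbytes = 0;
    if (raw_mode) read_bytes(s, bufsize, &nbytes);
    else          read_chars(s, bufsize, &nbytes);
    return nbytes > bufsize ? nbytes - bufsize : 0;
}

/* One way to harden the copy (hypothetical fix): check the byte length
 * of what read() returned against the destination before copying.
 * Returns bytes copied, or -1 if the data would not fit (caller croaks). */
static long feed_checked(stream_t *s, unsigned char *buffer, size_t bufsize,
                         int raw_mode) {
    size_t start = s->pos, nbytes = 0;
    if (raw_mode) read_bytes(s, bufsize, &nbytes);
    else          read_chars(s, bufsize, &nbytes);
    if (nbytes > bufsize) {
        s->pos = start;   /* leave the stream where it was */
        return -1;
    }
    memcpy(buffer, s->data + start, nbytes);
    return (long)nbytes;
}

/* Build the constructed input: "<s>\n", count copies of 0xC3 0xA9, "\n</s>\n". */
static unsigned char *build_input(size_t count, size_t *len) {
    const char head[] = "<s>\n", tail[] = "\n</s>\n";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    unsigned char *buf = malloc(hl + 2 * count + tl);
    memcpy(buf, head, hl);
    for (size_t i = 0; i < count; i++) {
        buf[hl + 2 * i] = 0xC3;
        buf[hl + 2 * i + 1] = 0xA9;
    }
    memcpy(buf + hl + 2 * count, tail, tl);
    *len = hl + 2 * count + tl;
    return buf;
}

int main(void) {
    size_t len, bufsize = 32768;   /* assumed Expat buffer size */
    unsigned char *in = build_input(40000, &len);
    stream_t utf8 = { in, len, 0 }, raw = { in, len, 0 };
    printf("non-raw mode: %zu bytes past end of buffer\n",
           overflow_bytes(&utf8, bufsize, 0));
    printf("raw mode:     %zu bytes past end of buffer\n",
           overflow_bytes(&raw, bufsize, 1));
    free(in);
    return 0;
}
```

With the 40000-character input, a 32768-character read in :utf8 mode returns 4 ASCII bytes plus 32764 two-byte characters, i.e. 65532 bytes, so 32764 bytes land beyond the buffer; the same read in :bytes mode returns exactly 32768 bytes and fits. feed_checked() turns the first case into an error the caller can report instead of a crash.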