Package: libxml-parser-perl
Version: 2.34-4
Severity: grave

A heap overflow in the Expat library wrapper can be triggered by XML input with deeply nested elements. This bug has also been reported to CPAN: http://rt.cpan.org/Ticket/Display.html?id=19860
The error is caused at libxml-parser-perl-2.34/Expat/Expat.xs, line 498:

    if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
        unsigned int newsize = cbv->st_serial_stacksize + 512;
        Renew(cbv->st_serial_stack, newsize, unsigned int);
        cbv->st_serial_stacksize = newsize;
    }
    cbv->st_serial_stack[++cbv->st_serial_stackptr] = cbv->st_serial;

Note that in the case that stackptr == stacksize-1, this code decides to NOT expand the stack and subsequently writes a value just outside the allocated buffer. Because the buffer is overflowed by only 4 bytes, this does not cause a segmentation fault. But the overflow is detected by Valgrind when parsing an XML file with elements nested deeper than 512 levels.

Since it involves an input-triggered heap overflow, this is technically a security vulnerability.

Joris.
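The following is an added example (editor's illustration, not code from Expat.xs or from the bug reporter) that isolates the growth check quoted above. It keeps the pre-increment write pattern `stack[++stackptr] = serial` and contrasts the original test (`stackptr >= stacksize`) with a corrected one (`stackptr + 1 >= stacksize`), then simulates nesting depth without touching memory so the off-by-one can be observed safely. The initial values (`stackptr = 0`, `stacksize = 0`), the chunk size of 512 and the struct field names are assumptions made for the example; `Renew` is replaced by `realloc`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed simplified view of the per-parser state used in the report. */
typedef struct {
    unsigned int *stack;   /* element serial numbers, one per open element */
    int stackptr;          /* index of the current top; written as stack[++stackptr] */
    unsigned int stacksize; /* number of slots allocated */
} serial_stack;

/* Growth test as it appears in the report: grow only when the current
 * top index has already reached the allocation size. Because the write
 * goes to index stackptr+1, this misses the case stackptr == stacksize-1. */
int original_needs_grow(int stackptr, unsigned int stacksize) {
    return stackptr >= (int)stacksize;
}

/* Corrected test: grow whenever the slot about to be written (stackptr+1)
 * would not fit inside the current allocation. */
int corrected_needs_grow(int stackptr, unsigned int stacksize) {
    return stackptr + 1 >= (int)stacksize;
}

/* Dry run of "push one serial per nesting level" under a given growth
 * policy, without allocating or writing anything. Returns the 1-based
 * nesting depth at which the write index would fall outside the buffer,
 * or 0 if every write up to max_depth stays in bounds. */
int first_oob_depth(int (*needs_grow)(int, unsigned int),
                    int init_ptr, unsigned int init_size,
                    unsigned int chunk, int max_depth) {
    int stackptr = init_ptr;
    unsigned int stacksize = init_size;
    for (int depth = 1; depth <= max_depth; depth++) {
        if (needs_grow(stackptr, stacksize))
            stacksize += chunk;            /* would call Renew/realloc here */
        ++stackptr;                        /* index that stack[++stackptr] writes */
        if (stackptr < 0 || (unsigned int)stackptr >= stacksize)
            return depth;                  /* this write lands past the end */
    }
    return 0;
}

/* Real push using the corrected check and realloc (stand-in for Renew).
 * Returns 1 on success, 0 if the allocation failed. */
int push_serial_fixed(serial_stack *s, unsigned int serial) {
    if (corrected_needs_grow(s->stackptr, s->stacksize)) {
        unsigned int newsize = s->stacksize + 512;
        unsigned int *p = realloc(s->stack, (size_t)newsize * sizeof *p);
        if (p == NULL)
            return 0;
        s->stack = p;
        s->stacksize = newsize;
    }
    s->stack[++s->stackptr] = serial;
    return 1;
}

/* Pushes `depth` serials with the fixed version and checks that the top
 * slot is always inside the allocation. Returns 1 when every write was
 * in bounds and the top holds the last serial pushed. */
int push_nested_ok(int depth) {
    serial_stack s = { NULL, 0, 0 };
    for (int d = 1; d <= depth; d++) {
        if (!push_serial_fixed(&s, (unsigned int)d)) {
            free(s.stack);
            return 0;
        }
        if ((unsigned int)s.stackptr >= s.stacksize) {
            free(s.stack);
            return 0;
        }
    }
    int ok = s.stackptr == depth && s.stack[s.stackptr] == (unsigned int)depth;
    free(s.stack);
    return ok;
}

int main(void) {
    printf("original check: first out-of-bounds write at depth %d\n",
           first_oob_depth(original_needs_grow, 0, 0, 512, 2000));
    printf("corrected check: first out-of-bounds write at depth %d (0 = none)\n",
           first_oob_depth(corrected_needs_grow, 0, 0, 512, 2000));
    printf("fixed push over 2000 nested levels ok: %d\n", push_nested_ok(2000));
    return 0;
}
```

With the assumed starting state the dry run reports the first out-of-bounds write at depth 512 for the original check, matching the report's observation that the overflow appears once nesting passes roughly 512 levels, and no out-of-bounds write for the corrected check. The same simulation is a cheap regression check to keep next to any grow-then-write pattern: compare the index actually written, not the index last used, against the allocation size.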