Bug#1139928: bookworm-pu: package libhtml-parser-perl/3.81-1+deb12u1

Salvatore Bonaccorso Sat, 13 Jun 2026 08:29:29 -0700

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], 
[email protected], [email protected], [email protected], 
[email protected]
Control: affects -1 + src:libhtml-parser-perl
User: [email protected]
Usertags: pu


Hi

[ Reason ]
libhtml-parser-perl is affected by CVE-2026-8829, which was fixed by
cherry-picking the fixing commit in unstable. Do the same for
bookworm.

[ Impact ]
Remains open to CVE-2026-8829 if not fixed. It is though no-dsa and
can be included in the last point release.

[ Tests ]
Testsuite from the package plus a debusine work request with extensive
testing of reverse dependencies as per:
(What automated or manual tests cover the affected code?)

[ Risks ]
Follows the change upstream and covered by testing as per above, so
should be low risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Fixed the heap uaf in the _decode_entities function and adds a
respective test.
(Explain *all* the changes)

[ Other info ]
None so far.

Regards,
Salvatore

diff -Nru libhtml-parser-perl-3.81/debian/changelog 
libhtml-parser-perl-3.81/debian/changelog
--- libhtml-parser-perl-3.81/debian/changelog   2023-02-04 21:20:16.000000000 
+0000
+++ libhtml-parser-perl-3.81/debian/changelog   2026-06-13 14:54:34.000000000 
+0000
@@ -1,3 +1,9 @@
+libhtml-parser-perl (3.81-1+deb12u1) bookworm; urgency=medium
+
+  * Fix heap-use-after-free in _decode_entities (CVE-2026-8829)
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 13 Jun 2026 16:54:34 +0200
+
 libhtml-parser-perl (3.81-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru 
libhtml-parser-perl-3.81/debian/patches/Fix-heap-use-after-free-in-_decode_entities-CVE-2026.patch
 
libhtml-parser-perl-3.81/debian/patches/Fix-heap-use-after-free-in-_decode_entities-CVE-2026.patch
--- 
libhtml-parser-perl-3.81/debian/patches/Fix-heap-use-after-free-in-_decode_entities-CVE-2026.patch
  1970-01-01 00:00:00.000000000 +0000
+++ 
libhtml-parser-perl-3.81/debian/patches/Fix-heap-use-after-free-in-_decode_entities-CVE-2026.patch
  2026-06-13 14:54:34.000000000 +0000
@@ -0,0 +1,120 @@
+From: Paul Johnson <[email protected]>
+Date: Tue, 19 May 2026 20:24:00 +0000
+Subject: Fix heap-use-after-free in _decode_entities (CVE-2026-8829)
+Origin: 
https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c
+Bug: https://github.com/libwww-perl/HTML-Parser/pull/56
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-8829
+
+When the input SV passed to _decode_entities is the same SV stored as a
+self-referential value in the entity hash, grow_gap() could realloc the
+SV's PV buffer, leaving repl pointing at freed memory. Copy the entity
+value into an owned buffer when the hash entry SV aliases the input SV.
+
+Co-Authored-By: Claude Opus 4.7 <[email protected]>
+---
+ t/entities.t | 20 ++++++++++++++++++--
+ util.c       | 28 +++++++++++++++++++++++++---
+ 2 files changed, 43 insertions(+), 5 deletions(-)
+
+--- a/t/entities.t
++++ b/t/entities.t
+@@ -2,8 +2,9 @@ use strict;
+ use warnings;
+ use utf8;
+ 
+-use HTML::Entities qw(decode_entities encode_entities 
encode_entities_numeric);
+-use Test::More tests => 20;
++use HTML::Entities
++    qw(_decode_entities decode_entities encode_entities 
encode_entities_numeric);
++use Test::More tests => 21;
+ 
+ my $x = "V&aring;re norske tegn b&oslash;r &#230res";
+ 
+@@ -77,6 +78,21 @@ is($x, $ent);
+     is($got, (values %hash)[0], "decode_entities() decodes a key properly");
+ }
+ 
++# CVE-2026-8829
++# _decode_entities heap-use-after-free when the input SV is the same SV as
++# a self-referential entity value. The payload must be large enough to
++# force grow_gap() to realloc the SV's PV; the fix copies the entity value
++# into an owned buffer so repl is not left pointing at the freed allocation.
++{
++    my $prefix_a = "A" x 32;
++    my $suffix_b = "B" x 8192;
++    my %h;
++    $h{foo} = $prefix_a . "&foo;" . $suffix_b;
++    _decode_entities($h{foo}, \%h);
++    is($h{foo}, ("A" x 64) . "&foo;" . ("B" x 16384),
++        "_decode_entities() with self-aliased entity hash value");
++}
++
+ # From: Bill Simpson-Young <[email protected]>
+ # Subject: HTML entities problem with 5.11
+ # To: [email protected]
+--- a/util.c
++++ b/util.c
+@@ -72,6 +72,7 @@ decode_entities(pTHX_ SV* sv, HV* entity
+ 
+     char *repl;
+     STRLEN repl_len;
++    char *repl_allocated = 0;
+     char buf[UTF8_MAXLEN];
+     int repl_utf8;
+     int high_surrogate = 0;
+@@ -89,6 +90,7 @@ decode_entities(pTHX_ SV* sv, HV* entity
+ 
+       ent_start = s;
+       repl = 0;
++      repl_allocated = 0;
+ 
+       if (s < end && *s == '#') {
+           UV num = 0;
+@@ -176,16 +178,34 @@ decode_entities(pTHX_ SV* sv, HV* entity
+                   (*s == ';' && (svp = hv_fetch(entity2char, ent_name, s - 
ent_name + 1, 0)))
+                  )
+               {
+-                  repl = SvPV(*svp, repl_len);
++                  char *src = SvPV(*svp, repl_len);
+                   repl_utf8 = SvUTF8(*svp);
++                  if ((SV*)*svp == sv) {
++                      /* Self-aliased: hash entry SV == input SV.
++                       * grow_gap() may realloc sv's PV later; copy
++                       * the entity value into an owned buffer first.
++                       * Freed by the repl_allocated cleanup below. */
++                      Newx(repl_allocated, repl_len ? repl_len : 1, char);
++                      Copy(src, repl_allocated, repl_len, char);
++                      repl = repl_allocated;
++                  } else {
++                      repl = src;
++                  }
+               }
+               else if (expand_prefix) {
+                   char *ss = s - 1;
+                   while (ss > ent_name) {
+                       svp = hv_fetch(entity2char, ent_name, ss - ent_name, 0);
+                       if (svp) {
+-                          repl = SvPV(*svp, repl_len);
++                          char *src = SvPV(*svp, repl_len);
+                           repl_utf8 = SvUTF8(*svp);
++                          if ((SV*)*svp == sv) {
++                              Newx(repl_allocated, repl_len ? repl_len : 1, 
char);
++                              Copy(src, repl_allocated, repl_len, char);
++                              repl = repl_allocated;
++                          } else {
++                              repl = src;
++                          }
+                           s = ss;
+                           break;
+                       }
+@@ -197,7 +217,9 @@ decode_entities(pTHX_ SV* sv, HV* entity
+       }
+ 
+       if (repl) {
+-          char *repl_allocated = 0;
++          /* repl_allocated is now function-scoped; set by the
++           * named-entity self-alias path above or by the UTF8 mismatch
++           * branch below. Same cleanup in either case. */
+           if (s < end && *s == ';')
+               s++;
+           t--;  /* '&' already copied, undo it */
diff -Nru libhtml-parser-perl-3.81/debian/patches/series 
libhtml-parser-perl-3.81/debian/patches/series
--- libhtml-parser-perl-3.81/debian/patches/series      2023-02-04 
21:20:16.000000000 +0000
+++ libhtml-parser-perl-3.81/debian/patches/series      2026-06-13 
14:54:34.000000000 +0000
@@ -1 +1,2 @@
 debian_examples_location.patch
+Fix-heap-use-after-free-in-_decode_entities-CVE-2026.patch

Bug#1139928: bookworm-pu: package libhtml-parser-perl/3.81-1+deb12u1

Reply via email to