Opened 3 weeks ago

Closed 7 days ago

#5892 closed enhancement (fixed)

XML-Parser-2.54

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 13.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (13)

comment:1 by Joe Locash, 3 weeks ago

Priority: normal → high
Summary: XML-Parser-2.48_01 → XML-Parser-2.49

Now at 2.49.

2.48 fixed 2 CVEs:

  • GH #39 Fix off-by-one heap buffer overflow in st_serial_stack growth check (CVE-2006-10003)
  • GH #64 Fix buffer overflow in parse_stream when filehandle has :utf8 layer (CVE-2006-10002)

The repository is now https://github.com/cpan-authors/XML-Parser

comment:2 by Joe Locash, 3 weeks ago

Summary: XML-Parser-2.49 → XML-Parser-2.51

Now at 2.51.

comment:3 by Bruce Dubbs, 2 weeks ago

Summary: XML-Parser-2.51 → XML-Parser-2.52

Now version 2.52.

comment:4 by Bruce Dubbs, 13 days ago

Summary: XML-Parser-2.52 → XML-Parser-2.53

Now version 2.53.

comment:5 by Bruce Dubbs, 13 days ago

Fixed at commits

f3d6527e8 Add a sed to glibc-2.43 (Security update).
7df48f36f Update to XML-Parser-2.53 (Security update).

Leaving both open for security updates.

comment:6 by Bruce Dubbs, 13 days ago

Owner: changed from lfs-book to Douglas R. Reno

Reassigning for security advisories.

comment:7 by Bruce Dubbs, 11 days ago

Summary: XML-Parser-2.53 → XML-Parser-2.54

Now version 2.54.

comment:8 by Bruce Dubbs, 11 days ago

2.54 2026-03-27 (by Todd Rinaldo)

Fixes:

  • Plug XS memory leaks on error paths in Expat.xs (externalEntityRef, parse_stream, ParserCreate)
  • Add defensive NULL checks in Expat.xs to prevent crashes on memory exhaustion and undefined behavior on short input lines
  • Add explicit package main after inline package declarations in test files to clarify scope

Improvements:

  • Add GitHub Actions workflow to auto-create GitHub Releases on tag push, enabling downstream notification via GitHub's release watch
  • Update AUTHORS POD in Parser.pm and Expat.pm to reflect full maintainer history
  • Add CI badge to POD via =for markdown directive so it survives README.md regeneration
  • Rename README to README.md and regenerate from POD

Maintenance:

  • Modernize 10 legacy test files from print-ok style to Test::More (cdata, finish, deep_nesting, xml_escape, partial, char_end_doc, current_length, combine_chars, utf8_stream, defaulted)

comment:9 by Bruce Dubbs, 10 days ago

Owner: changed from Douglas R. Reno to Bruce Dubbs

comment:10 by Bruce Dubbs, 10 days ago

Status: new → assigned

comment:11 by Bruce Dubbs, 8 days ago

Fixed at commit 2c1f428b94 but leaving open for SA.

XML-Parser-2.54
perl-5.42.2

comment:12 by Bruce Dubbs, 8 days ago

Owner: changed from Bruce Dubbs to Douglas R. Reno
Status: assigned → new

comment:13 by Douglas R. Reno, 7 days ago

Resolution: fixed
Status: new → closed

SA-13.0-020 issued.

This advisory will need to be updated once XML-Parser and intltool have been moved to BLFS.
