Bug 35238 - perl-XML-Parser new security issues CVE-2006-1000[23]
Summary: perl-XML-Parser new security issues CVE-2006-1000[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-20 08:59 CET by Nicolas Salguero
Modified: 2026-03-24 18:54 CET
CC: 4 users

See Also:
Source RPM: perl-XML-Parser-2.460.0-6.mga9.src.rpm
CVE: CVE-2006-10002, CVE-2006-10003
Status comment:
herman.viaene: test_passed_mga9_64+



Nicolas Salguero 2026-03-20 09:00:01 CET

Status comment: (none) => Patches available from upstream
CVE: (none) => CVE-2006-10002, CVE-2006-10003
Source RPM: (none) => perl-XML-Parser-2.470.0-4.mga10.src.rpm, perl-XML-Parser-2.460.0-6.mga9.src.rpm
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-03-20 09:18:07 CET
For Cauldron, perl-XML-Parser-2.470.0-5.mga10 fixes the issues.


Suggested advisory:
========================

The updated package fixes security vulnerabilities:

XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size, causing heap corruption (double free or corruption) and crashes. (CVE-2006-10002)

XML::Parser versions through 2.47 for Perl have an off-by-one heap buffer overflow in st_serial_stack. (CVE-2006-10003)

References:
https://www.openwall.com/lists/oss-security/2026/03/19/1
https://www.openwall.com/lists/oss-security/2026/03/19/2
========================

Updated package in core/updates_testing:
========================
perl-XML-Parser-2.460.0-6.1.mga9

from SRPM:
perl-XML-Parser-2.460.0-6.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Patches available from upstream => (none)
Assignee: bugsquad => qa-bugs
Source RPM: perl-XML-Parser-2.470.0-4.mga10.src.rpm, perl-XML-Parser-2.460.0-6.mga9.src.rpm => perl-XML-Parser-2.460.0-6.mga9.src.rpm
Flags: affects_mga9+ => (none)

Comment 2 Herman Viaene 2026-03-20 17:18:24 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
No previous updates or wiki, so I looked for packages depending on it and picked gcstar.
Ran it under trace, fooled around in its dialogues and found in the trace:
newfstatat(AT_FDCWD, "/usr/lib64/perl5/vendor_perl/XML/Parser.pm", {st_mode=S_IFREG|0444, st_size=27721, ...}, 0) = 0
As gcstar seemed to work well, let this update go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
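The check in Comment 2 above relies on reading a trace by eye for the one line that proves the application under test actually loads the updated module. The script below is an added example written for this page, not part of the bug report or of the Mageia QA tooling: it extracts every Perl module file a strace log shows being stat'ed or opened and confirms the XML::Parser path quoted in the report is among them, so a tester knows the dependent package really exercised the patched library rather than some bundled copy. The trace text is a constructed excerpt (only the second line mirrors the real one from the report); the module path is the one quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example for QA testers; not part of the bug report. Verifies that an
# application traced with strace touched the XML::Parser module file named
# in the report, i.e. the update under test is the code that was exercised.
# Assumption: the vendor_perl module path is the one quoted in Comment 2.

MODULE_PATH="/usr/lib64/perl5/vendor_perl/XML/Parser.pm"

# Constructed strace excerpt (not real output); the second line mirrors the
# line quoted in the report, the others are made up to show filtering.
SAMPLE_TRACE='openat(AT_FDCWD, "/usr/lib64/perl5/vendor_perl/Gtk3.pm", O_RDONLY|O_CLOEXEC) = 5
newfstatat(AT_FDCWD, "/usr/lib64/perl5/vendor_perl/XML/Parser.pm", {st_mode=S_IFREG|0444, st_size=27721, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib64/perl5/vendor_perl/XML/Parser/Expat.pm", O_RDONLY|O_CLOEXEC) = 6
newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=2962, ...}, 0) = 0'

# Print the unique Perl module files (*.pm) a trace shows being stat'ed or
# opened, one per line.  $1: file holding the strace output.
perl_modules_in_trace() {
    grep -E '^(newfstatat|openat|stat|open)\(' "$1" \
        | sed -n 's/^[a-z]*(\(AT_FDCWD, \)\{0,1\}"\([^"]*\.pm\)".*/\2/p' \
        | sort -u
}

# Return 0 if the trace in file $1 shows the module under test being
# touched, 1 otherwise.  Exact path match so a bundled copy elsewhere
# (e.g. under /usr/local) does not count as a pass.
module_in_trace() {
    perl_modules_in_trace "$1" | grep -qxF "$MODULE_PATH"
}

# Stand-alone run against the constructed excerpt.  With a real test, replace
# the here-file with: strace -f -o trace.log gcstar; module_in_trace trace.log
run_sample_check() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_TRACE" > "$tmp"
    if module_in_trace "$tmp"; then
        echo "OK: $MODULE_PATH is loaded by the application under test"
        rc=0
    else
        echo "WARNING: $MODULE_PATH never touched; pick another dependent package"
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

run_sample_check
```

Only the path in the report's own line produces a pass; a trace that never mentions XML/Parser.pm (the application used another parser, or a private copy) prints the warning, which is the signal to choose a different dependent package before marking the update OK.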

katnatek 2026-03-20 19:22:52 CET

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2026-03-22 21:52:51 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Dan Fandrich 2026-03-24 18:10:27 CET
I was sure those CVEs were wrong and should have been "CVE-2026-..." but no, they're 20 year old bugs.

CC: (none) => dan

Comment 5 Mageia Robot 2026-03-24 18:54:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0063.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

