CVE-2006-10002

Summary

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes.

A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.

Affected Software

VendorProductVersion RangeStatus
TODDRXML::Parser0 <= 2.45affected

Weaknesses

  • CWE-122: CWE-122 Heap-based Buffer Overflow
  • CWE-176: CWE-176 Improper Handling of Unicode Encoding

Workarounds

Apply the patch that has been publicly available since 2006-06-13.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

CVE Program Container

Additional References

References