Version in base suite: 2.47-1 Base version: libxml-parser-perl_2.47-1 Target version: libxml-parser-perl_2.47-2~deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxml-parser-perl/libxml-parser-perl_2.47-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxml-parser-perl/libxml-parser-perl_2.47-2~deb13u1.dsc changelog | 17 + patches/Fix-buffer-overflow-in-parse_stream-when-filehandle-.patch | 108 ++++++++++ patches/fix-off-by-one-heap-buffer-overflow-in-st_serial_sta.patch | 72 ++++++ patches/series | 2 4 files changed, 199 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpg7igx78o/libxml-parser-perl_2.47-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpg7igx78o/libxml-parser-perl_2.47-2~deb13u1.dsc: no acceptable signature found
diff -Nru libxml-parser-perl-2.47/debian/changelog libxml-parser-perl-2.47/debian/changelog
--- libxml-parser-perl-2.47/debian/changelog 2024-01-01 22:23:27.000000000 +0000
+++ libxml-parser-perl-2.47/debian/changelog 2026-03-21 21:00:43.000000000 +0000
@@ -1,3 +1,20 @@
+libxml-parser-perl (2.47-2~deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Rebuild for trixie-security
+
+ -- Salvatore Bonaccorso Sat, 21 Mar 2026 22:00:43 +0100
+
+libxml-parser-perl (2.47-2) unstable; urgency=medium
+
+ * Team upload.
+ * Fix buffer overflow in parse_stream when filehandle has :utf8 layer.
+ This improves the fix for CVE-2006-10002.
+ * fix: off-by-one heap buffer overflow in st_serial_stack growth check
+ (CVE-2006-10003) (Closes: #378412)
+
+ -- Salvatore Bonaccorso Sat, 21 Mar 2026 07:34:12 +0100
+
 libxml-parser-perl (2.47-1) unstable; urgency=medium * Import upstream version 2.47.
diff -Nru libxml-parser-perl-2.47/debian/patches/Fix-buffer-overflow-in-parse_stream-when-filehandle-.patch libxml-parser-perl-2.47/debian/patches/Fix-buffer-overflow-in-parse_stream-when-filehandle-.patch
--- libxml-parser-perl-2.47/debian/patches/Fix-buffer-overflow-in-parse_stream-when-filehandle-.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml-parser-perl-2.47/debian/patches/Fix-buffer-overflow-in-parse_stream-when-filehandle-.patch 2026-03-21 21:00:43.000000000 +0000
@@ -0,0 +1,108 @@
+From: Toddr Bot
+Date: Mon, 16 Mar 2026 20:55:31 +0000
+Subject: Fix buffer overflow in parse_stream when filehandle has :utf8 layer
+Origin: https://github.com/cpan-authors/XML-Parser/commit/5361c2b7f48599718cdecbe50c5fdd88b28ffd79
+
+When a filehandle has a :utf8 PerlIO layer, Perl's read() returns
+decoded characters, but SvPV() gives back the UTF-8 byte
+representation which can be larger than the pre-allocated XML buffer.
+Previously this caused heap corruption (double free / buffer overflow),
+and a later workaround (BUFSIZE * 6 + croak) prevented the corruption
+but still crashed.
+
+Fix by re-obtaining the expat buffer at the actual byte size when the
+read produces more bytes than initially allocated. This handles UTF-8
+streams gracefully without wasting memory on an oversized buffer.
+
+Fixes https://github.com/cpan-authors/XML-Parser/issues/64
+(migrated from rt.cpan.org #19859)
+
+Co-Authored-By: Claude Opus 4.6
+---
+ Expat/Expat.xs | 15 +++++++++++----
+ t/utf8_stream.t | 40 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 51 insertions(+), 4 deletions(-)
+ create mode 100644 t/utf8_stream.t
+
+diff --git a/Expat/Expat.xs b/Expat/Expat.xs
+index 32fdce57ae4b..3cd1154886e7 100644
+--- a/Expat/Expat.xs
++++ b/Expat/Expat.xs
+@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
+ }
+ else {
+ tbuff = newSV(0);
+- tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
+- buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
++ tsiz = newSViv(BUFSIZE);
++ buffsize = BUFSIZE;
+ }
+
+ while (! done)
+@@ -387,8 +387,15 @@ parse_stream(XML_Parser parser, SV * ioref)
+
+ tb = SvPV(tbuff, br);
+ if (br > 0) {
+- if (br > buffsize)
+- croak("The input buffer is not large enough for read UTF-8 decoded string");
++ if (br > buffsize) {
++ /* The byte count from SvPV can exceed buffsize when the
++ filehandle has a :utf8 layer, since Perl reads buffsize
++ characters but multi-byte UTF-8 chars produce more bytes.
++ Re-obtain the buffer at the required size. */
++ buffer = XML_GetBuffer(parser, br);
++ if (! buffer)
++ croak("Ran out of memory for input buffer");
++ }
+ Copy(tb, buffer, br, char);
+ } else
+ done = 1;
+diff --git a/t/utf8_stream.t b/t/utf8_stream.t
+new file mode 100644
+index 000000000000..a7e55f78d78c
+--- /dev/null
++++ b/t/utf8_stream.t
+@@ -0,0 +1,40 @@
++BEGIN { print "1..2\n"; }
++END { print "not ok 1\n" unless $loaded; }
++use XML::Parser;
++$loaded = 1;
++print "ok 1\n";
++
++################################################################
++# Test parsing from a filehandle with :utf8 layer
++# Regression test for rt.cpan.org #19859 / GitHub issue #64
++# A UTF-8 stream caused buffer overflow because SvPV byte count
++# could exceed the pre-allocated XML_GetBuffer size.
++
++use File::Temp qw(tempfile);
++
++# Create a temp file with UTF-8 XML content containing multi-byte chars
++my ($fh, $tmpfile) = tempfile(UNLINK => 1);
++binmode($fh, ':raw');
++# Write raw UTF-8 bytes: XML with Chinese characters (3 bytes each in UTF-8)
++# U+4E16 U+754C (世界 = "world") repeated to create substantial multi-byte content
++my $body = "\xe4\xb8\x96\xe7\x95\x8c" x 20000; # 120000 bytes / 40000 chars of 3-byte UTF-8
++print $fh qq(\n$body\n);
++close($fh);
++
++my $text = '';
++my $parser = XML::Parser->new(
++ Handlers => {
++ Char => sub { $text .= $_[1]; },
++ }
++);
++
++# Open with :utf8 layer - this is what triggers the bug
++open(my $in, '<:utf8', $tmpfile) or die "Cannot open $tmpfile: $!";
++eval { $parser->parse($in); };
++close($in);
++
++if ($@ eq '' && length($text) > 0) {
++ print "ok 2\n";
++} else {
++ print "not ok 2 # $@\n";
++}
+--
+2.53.0
+
diff -Nru libxml-parser-perl-2.47/debian/patches/fix-off-by-one-heap-buffer-overflow-in-st_serial_sta.patch libxml-parser-perl-2.47/debian/patches/fix-off-by-one-heap-buffer-overflow-in-st_serial_sta.patch
--- libxml-parser-perl-2.47/debian/patches/fix-off-by-one-heap-buffer-overflow-in-st_serial_sta.patch
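Review bot: The regrow branch in the second parse_stream hunk removes the only upper bound on `br` and then passes it to `XML_GetBuffer`, whose length parameter is an `int`. `br` is filled by `SvPV`, so it is presumably a `STRLEN` (its declaration is outside the hunk); a value above `INT_MAX` would be narrowed for the allocation while `Copy(tb, buffer, br, char)` still copies the full count. The data comes from whatever handle the caller passed as `ioref`, so the returned length is not guaranteed to stay near the requested size; I would add `if (br > (STRLEN)INT_MAX) croak("Input chunk too large for expat buffer");` ahead of the `XML_GetBuffer` call. The read loop continues outside the hunk, so how `br` is used after the copy cannot be checked from here.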
1970-01-01 00:00:00.000000000 +0000
+++ libxml-parser-perl-2.47/debian/patches/fix-off-by-one-heap-buffer-overflow-in-st_serial_sta.patch 2026-03-21 21:00:43.000000000 +0000
@@ -0,0 +1,72 @@
+From: Toddr Bot
+Date: Mon, 16 Mar 2026 22:16:11 +0000
+Subject: fix: off-by-one heap buffer overflow in st_serial_stack growth check
+Origin: https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1
+Bug: https://rt.cpan.org/Ticket/Display.html?id=19860
+Bug-Debian: https://bugs.debian.org/378412
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2006-10003
+Bug: https://github.com/cpan-authors/XML-Parser/issues/39
+
+When st_serial_stackptr == st_serial_stacksize - 1, the old check
+(stackptr >= stacksize) would not trigger reallocation. The subsequent
+++stackptr then writes at index stacksize, one element past the
+allocated buffer.
+
+Fix by checking stackptr + 1 >= stacksize so the buffer is grown
+before the pre-increment write.
+
+Add a deep nesting test (600 levels) to exercise this code path.
+
+Fixes #39
+
+Co-Authored-By: Claude Opus 4.6
+---
+ Expat/Expat.xs | 2 +-
+ t/deep_nesting.t | 22 ++++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+ create mode 100644 t/deep_nesting.t
+
+diff --git a/Expat/Expat.xs b/Expat/Expat.xs
+index 5f9b19302cd9..0226a248275d 100644
+--- a/Expat/Expat.xs
++++ b/Expat/Expat.xs
+@@ -514,7 +514,7 @@ startElement(void *userData, const char *name, const char **atts)
+ }
+ }
+
+- if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
++ if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
+ unsigned int newsize = cbv->st_serial_stacksize + 512;
+
+ Renew(cbv->st_serial_stack, newsize, unsigned int);
+diff --git a/t/deep_nesting.t b/t/deep_nesting.t
+new file mode 100644
+index 000000000000..8237b5f6dc3d
+--- /dev/null
++++ b/t/deep_nesting.t
+@@ -0,0 +1,22 @@
++BEGIN { print "1..1\n"; }
++
++# Test for deeply nested elements to exercise st_serial_stack reallocation.
++# This catches off-by-one errors in the stack growth check (GH #39).
++
++use XML::Parser;
++
++my $depth = 600;
++
++my $xml = '';
++for my $i (1 ..
$depth) {
++ $xml .= "";
++}
++for my $i (reverse 1 .. $depth) {
++ $xml .= "";
++}
++
++my $p = XML::Parser->new;
++eval { $p->parse($xml) };
++
++print "not " if $@;
++print "ok 1\n";
+--
+2.53.0
+
diff -Nru libxml-parser-perl-2.47/debian/patches/series libxml-parser-perl-2.47/debian/patches/series
--- libxml-parser-perl-2.47/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libxml-parser-perl-2.47/debian/patches/series 2026-03-21 21:00:43.000000000 +0000
@@ -0,0 +1,2 @@
+Fix-buffer-overflow-in-parse_stream-when-filehandle-.patch
+fix-off-by-one-heap-buffer-overflow-in-st_serial_sta.patch
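Review bot: t/deep_nesting.t may not exercise the corrected growth check in startElement: it nests 600 elements, but the initial value of `st_serial_stacksize` is not visible in the hunk, and if it is larger than about 600 the `Renew` branch is never entered. The test also decides pass or fail only on `$@`, and a write one element past the allocation would not normally raise a Perl exception, so the unfixed code could still print `ok 1` unless the suite runs under a memory checker such as AddressSanitizer or valgrind. I would pick the depth from the allocation sizes so that at least one 512-entry growth step is crossed, and add a comment such as `# must exceed the initial st_serial_stack capacity so Renew() runs at least once` above `my $depth`. startElement's body continues outside the hunk.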