#1132328 mxml: CVE-2026-5037

Package:
src:mxml
Source:
src:mxml
Submitter:
Salvatore Bonaccorso
Date:
2026-06-25 20:35:02 UTC
Severity:
normal
Tags:
#1132328#5
Date:
2026-03-30 15:16:12 UTC
Hi,

The following vulnerability was published for mxml.

CVE-2026-5037[0]:
| A vulnerability was determined in mxml up to 4.0.4. This issue
| affects the function index_sort of the file mxml-index.c of the
| component mxmlIndexNew. Executing a manipulation of the argument
| tempr can lead to stack-based buffer overflow. The attack is
| restricted to local execution. The exploit has been publicly
| disclosed and may be utilized. This patch is called
| 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied
| to remediate this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5037
https://www.cve.org/CVERecord?id=CVE-2026-5037
[1] https://github.com/michaelrsweet/mxml/issues/350
[2] https://github.com/michaelrsweet/mxml/commit/6e27354466092a1ac65601e01ce6708710bb9fa5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1132328#12
Date:
2026-03-31 08:34:33 UTC
We believe that the bug you reported is fixed in the latest version of
mxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132328@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry <mckinstry@debian.org> (supplier of updated mxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 30 Mar 2026 19:57:18 +0100
Source: mxml
Architecture: source
Version: 4.0.4-4
Distribution: unstable
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Alastair McKinstry <mckinstry@debian.org>
Closes: 1132328
Changes:
 mxml (4.0.4-4) unstable; urgency=medium
 .
   * Backport fix for CVE-2026-5037. Closes: #1132328
Checksums-Sha1:
 52e7f3285c6f5a6a38fdfb1ec2ad529ef5c1e87b 1864 mxml_4.0.4-4.dsc
 daaa79507dccd7abdb5a52ccb48428553a02127e 12248 mxml_4.0.4-4.debian.tar.xz
Checksums-Sha256:
 2ae1c12e8ecad67e658696345dd7fc229c1c8ec2619a59e6b0c36fc612ff4847 1864 mxml_4.0.4-4.dsc
 5adff31f7f0db68572074abf3f45230fafca8f3208d8820f2e2338edc832cfb8 12248 mxml_4.0.4-4.debian.tar.xz
Files:
 8866c0f3fb0bb6aec3b84e8a854d4e25 1864 libs optional mxml_4.0.4-4.dsc
 9d9def1dd7233dcaf1f13b645520f569 12248 libs optional mxml_4.0.4-4.debian.tar.xz

#1132328#21
Date:
2026-06-24 21:03:40 UTC
We believe that the bug you reported is fixed in the latest version of
mxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132328@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated mxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 19 Jun 2026 14:38:27 +0300
Source: mxml
Architecture: source
Version: 3.3.1-1+deb13u1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1132328
Changes:
 mxml (3.3.1-1+deb13u1~deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for bookworm.
 .
 mxml (3.3.1-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328)
Checksums-Sha1:
 85e3ba568799dfde6be8cd427a84f5ccc824faca 1940 mxml_3.3.1-1+deb13u1~deb12u1.dsc
 35a3b02dc4127363f4cbb897d5e43649e7ad58dc 12736 mxml_3.3.1-1+deb13u1~deb12u1.debian.tar.xz
Checksums-Sha256:
 97e0a8cc9120cca196c07d069387c596fbfac808915f4315349ab89e73e486ae 1940 mxml_3.3.1-1+deb13u1~deb12u1.dsc
 4982f97023d952b784b8f956b75ccb813e0f386fcbf7d3643d91d53e7929350b 12736 mxml_3.3.1-1+deb13u1~deb12u1.debian.tar.xz
Files:
 d43618dda7944bffd500253bb8985ae7 1940 libs optional mxml_3.3.1-1+deb13u1~deb12u1.dsc
 becab4ab5614a37910c2a85df17fc57a 12736 libs optional mxml_3.3.1-1+deb13u1~deb12u1.debian.tar.xz

#1132328#26
Date:
2026-06-25 20:32:06 UTC
We believe that the bug you reported is fixed in the latest version of
mxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132328@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated mxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 19 Jun 2026 14:17:53 +0300
Source: mxml
Architecture: source
Version: 3.3.1-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1132328
Changes:
 mxml (3.3.1-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328)
Checksums-Sha1:
 aabeb47edafd4b6286673bb81d3bc1b6a977938f 1908 mxml_3.3.1-1+deb13u1.dsc
 e2acbfa4b4d8a241986907b4de528b0dcc6270fe 826200 mxml_3.3.1.orig.tar.xz
 87b072ff9a699190aa407df540451688e38a6d89 12724 mxml_3.3.1-1+deb13u1.debian.tar.xz
Checksums-Sha256:
 21fb15a198f4b91a082d5b8627b75232eaf11b50162411d6ad6eddb863fcb577 1908 mxml_3.3.1-1+deb13u1.dsc
 83413d4dea692c27f94064cc7d5c0d5662e0905de54b8f5506bf4820f71bbcc0 826200 mxml_3.3.1.orig.tar.xz
 339939a23cef52acc63b1931f1bb7eb0f61e7ea39860d6b0f5cb340dbcd9bf74 12724 mxml_3.3.1-1+deb13u1.debian.tar.xz
Files:
 c6f392e94376ede15a23343c63a7653a 1908 libs optional mxml_3.3.1-1+deb13u1.dsc
 c78b160b6365e5fc0e35def3359cde8f 826200 libs optional mxml_3.3.1.orig.tar.xz
 131de52d2f38ae3fcf368272200b9b50 12724 libs optional mxml_3.3.1-1+deb13u1.debian.tar.xz
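The three uploads above fix CVE-2026-5037 at different version strings per suite: 4.0.4-4 (unstable), 3.3.1-1+deb13u1 (trixie) and 3.3.1-1+deb13u1~deb12u1 (bookworm). The practical check on a host is whether the installed mxml version compares at or above the fixed version for its suite. The script below is an added example, not part of this bug log, of mxml or of dpkg: it reimplements dpkg's version ordering rules (epoch, then upstream version, then Debian revision; alternating non-digit and digit segments; a tilde sorting below the end of a string, which is why the ~deb12u1 rebuild is lower than the trixie version it was built from) so the comparison can run anywhere. The FIXED_VERSIONS table is taken from the .changes entries above; the suite names used as its keys are an assumption of this example. On a Debian host the authoritative tool is `dpkg --compare-versions INSTALLED ge FIXED`.

```python
"""Decide whether an installed Debian mxml package is at or above the
CVE-2026-5037 fix for its suite. Reimplements dpkg's version comparison
so it runs without dpkg; on Debian prefer `dpkg --compare-versions`."""

# Fixed versions per suite, copied from the .changes files in this bug log.
# Suite names as keys are an assumption of this example.
FIXED_VERSIONS = {
    "unstable": "4.0.4-4",
    "trixie": "3.3.1-1+deb13u1",
    "bookworm": "3.3.1-1+deb13u1~deb12u1",
}


def _order(ch):
    """Sort weight dpkg gives one character: '~' lowest, digits 0 (never
    compared here), letters by code point, other symbols above letters.
    End of string is weighted 0 by the caller."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit segment: character by character; '~' sorts below the end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit segment: numeric comparison with leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a still has digits, so its number is longer and larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is lower than, equal to, or higher than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(installed, suite):
    """True when the installed mxml version is at or above the fix for that suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


if __name__ == "__main__":
    # Constructed sample inputs: one unfixed and one fixed version per suite.
    for ver, suite in [("3.3.1-1", "trixie"), ("3.3.1-1+deb13u1", "trixie"),
                       ("3.3.1-1+deb13u1~deb12u1", "bookworm"),
                       ("4.0.4-3", "unstable"), ("4.0.4-4", "unstable")]:
        print(f"{suite:9} {ver:26} fixed={is_fixed(ver, suite)}")
```

Note that the bookworm version is deliberately below the trixie one: `is_fixed("3.3.1-1+deb13u1~deb12u1", "trixie")` is False, so a check has to use the fixed version for the suite the package actually came from, not the highest string in the bug.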