#1136300 libxml-libxml-perl: CVE-2026-8177

Package: src:libxml-libxml-perl
Source: src:libxml-libxml-perl
Submitter: Salvatore Bonaccorso
Date: 2026-06-27 15:05:03 UTC
Severity: normal

#1136300#5
Date: 2026-05-11 19:15:02 UTC

Hi,

The following vulnerability was published for libxml-libxml-perl.

CVE-2026-8177[0]:
| XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
| memory when parsing XML node names containing truncated UTF-8 byte
| sequences.  A node name ending in the middle of a multi byte UTF-8
| sequence causes the parser to read past the end of the input string
| into adjacent heap memory.  Any Perl process that passes attacker
| controlled strings to XML::LibXML's DOM node-name methods can reach
| this path on the default API. The likely consequence is a crash,
| causing denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8177
https://www.cve.org/CVERecord?id=CVE-2026-8177
[1] https://github.com/cpan-authors/XML-LibXML/issues/146
[2] https://lists.security.metacpan.org/cve-announce/msg/39920366/
[3] https://github.com/cpan-authors/XML-LibXML/pull/149

Regards,
Salvatore
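
The truncated-sequence condition described in the advisory above, as an added example that is not part of the original report and is not XML::LibXML or libxml2 code: a length-bounded check a caller could apply to a byte string before treating it as a node name. The function name, the explicit-length interface and the sample names are assumptions made for illustration; the check covers UTF-8 completeness only, not the XML Name production.

```c
#include <stddef.h>
#include <stdio.h>

/* Sequence length implied by a UTF-8 lead byte; 0 if it cannot start one. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;   /* continuation byte, overlong lead, or beyond U+10FFFF */
}

/*
 * Hypothetical helper: returns -1 if buf[0..len) is complete, well-formed
 * UTF-8, otherwise the offset of the first bad sequence. The lead byte's
 * claimed length is compared with the bytes remaining BEFORE any
 * continuation byte is read, so a name that ends mid-sequence is rejected
 * instead of being decoded past the end of the buffer.
 */
long utf8_first_bad_offset(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf[i]);
        if (n == 0 || n > len - i)          /* invalid lead, or truncated */
            return (long)i;
        for (size_t k = 1; k < n; k++)
            if ((buf[i + k] & 0xC0) != 0x80) return (long)i;
        if (n == 3 && ((buf[i] == 0xE0 && buf[i + 1] < 0xA0) ||   /* overlong  */
                       (buf[i] == 0xED && buf[i + 1] > 0x9F)))    /* surrogate */
            return (long)i;
        if (n == 4 && ((buf[i] == 0xF0 && buf[i + 1] < 0x90) ||   /* overlong  */
                       (buf[i] == 0xF4 && buf[i + 1] > 0x8F)))    /* >U+10FFFF */
            return (long)i;
        i += n;
    }
    return -1;
}

/* Constructed sample names (not taken from the report). */
const unsigned char NAME_OK[]   = { 'c', 'a', 'f', 0xC3, 0xA9 }; /* complete   */
const unsigned char NAME_CUT2[] = { 'c', 'a', 'f', 0xC3 };       /* 2-byte cut */
const unsigned char NAME_CUT3[] = { 'a', 0xE2, 0x82 };           /* 3-byte cut */

int main(void)
{
    printf("%ld\n", utf8_first_bad_offset(NAME_OK, sizeof NAME_OK));
    printf("%ld\n", utf8_first_bad_offset(NAME_CUT2, sizeof NAME_CUT2));
    printf("%ld\n", utf8_first_bad_offset(NAME_CUT3, sizeof NAME_CUT3));
    return 0;
}
```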

#1136300#10
Date: 2026-05-25 04:22:23 UTC

Hello,

Bug #1136300 in libxml-libxml-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libxml-libxml-perl/-/commit/a778e4aba92d0d86fbbdc0fe7051d8251344f9e9
------------------------------------------------------------------------
fix: replace domParseChar with xmlValidateName to prevent OOB UTF-8 read (CVE-2026-8177)

Closes: #1136300
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1136300

#1136300#17
Date: 2026-05-25 04:33:44 UTC

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1136300@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 24 May 2026 21:22:59 +0200
Source: libxml-libxml-perl
Architecture: source
Version: 2.0207+dfsg+really+2.0134-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1136300
Changes:
 libxml-libxml-perl (2.0207+dfsg+really+2.0134-8) unstable; urgency=medium
 .
   * Team upload.
   * fix: replace domParseChar with xmlValidateName to prevent OOB UTF-8 read
     (CVE-2026-8177) (Closes: #1136300)
Checksums-Sha1:
 fb04cdeb8d88d203e201cbbe8f05162d79cd44cf 2579 libxml-libxml-perl_2.0207+dfsg+really+2.0134-8.dsc
 3b9686743977a64ba98705f2eec51bcdf6a4ef01 18780 libxml-libxml-perl_2.0207+dfsg+really+2.0134-8.debian.tar.xz
Checksums-Sha256:
 62a57686989563eb8e0cd2a869354901aefb0b1699ae9c6179e2de8f2ec35bbe 2579 libxml-libxml-perl_2.0207+dfsg+really+2.0134-8.dsc
 ae01161f82f1f7819c8b1a0e823d4c7888cc579241d0481d8ac2cbe4f5c1e5cf 18780 libxml-libxml-perl_2.0207+dfsg+really+2.0134-8.debian.tar.xz
Files:
 b10e32c9455d823cce6c57a711573347 2579 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-8.dsc
 82e4e3b0934aac8f25249d7729cfc5b7 18780 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-8.debian.tar.xz

#1136300#28
Date: 2026-06-27 15:03:12 UTC

Format: 1.8
Date: Sat, 27 Jun 2026 11:54:31 +0200
Source: libxml-libxml-perl
Architecture: source
Version: 2.0207+dfsg+really+2.0134-5+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1136300
Changes:
 libxml-libxml-perl (2.0207+dfsg+really+2.0134-5+deb13u1) trixie; urgency=medium
 .
   * Team upload.
   * fix: replace domParseChar with xmlValidateName to prevent OOB UTF-8 read
     (CVE-2026-8177) (Closes: #1136300)
Checksums-Sha1:
 49ad6d40c30b718c2cf73b61b093cae8179139f4 2611 libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.dsc
 d4290ae0b2eb2553c72ec271e02ce807162d614f 17756 libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.debian.tar.xz
Checksums-Sha256:
 8073aa85e07dc5dbad11336b42a17212662fe2b839a39ed5ede3c67257d5b3ec 2611 libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.dsc
 a372df2628183ef563975e366685caf2f2c52fe9c3344eb14e22ebfa5af31997 17756 libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.debian.tar.xz
Files:
 b0b6848bb95ce7a7265c6dba8c060699 2611 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.dsc
 9ac2bb236b16738a9ffd41480822a538 17756 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-5+deb13u1.debian.tar.xz

#1136300#33
Date: 2026-06-27 15:03:27 UTC

Format: 1.8
Date: Sat, 27 Jun 2026 13:41:54 +0200
Source: libxml-libxml-perl
Architecture: source
Version: 2.0207+dfsg+really+2.0134-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1136300
Changes:
 libxml-libxml-perl (2.0207+dfsg+really+2.0134-1+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   * fix: replace domParseChar with xmlValidateName to prevent OOB UTF-8 read
     (CVE-2026-8177) (Closes: #1136300)
Checksums-Sha1:
 7743c043a4c29c3945f35c3b8b10d6e80d481eee 2614 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.dsc
 73d0f88dbc8b902d9a8e281f9ccf4c2a0ab9c064 14904 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.debian.tar.xz
Checksums-Sha256:
 fde1e788ee67195b9a57128c1545c31e9bff5b75bd7819ec2bcf056eabb77345 2614 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.dsc
 4d70d0cacc92934be32ede6607b5a5a7c50d166269324e12c6bb26abe975692b 14904 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.debian.tar.xz
Files:
 5fca34b45da8ae5df39496fe282a330e 2614 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.dsc
 ab3aa5b24bd6cf8ad57cee65c8e5b3d6 14904 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-1+deb12u1.debian.tar.xz