Originally Mark Martinec reported the following issue to be present in HTML-Parser: [1] http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c After preliminary analysis we concluded this results in: --------------------------------------------------------- A denial of service flaw was found in the way HTML-Parser used to decode certain HTML entities. A remote attacker could provide a specially-crafted string (containing HTML entities) leading to infinite loop, when processed by the parser. But further, more detailed analysis of the issue confirmed there is no additional, separated security issue (to CVE-2009-3626) present in HTML-Parser. While [1] is still bug, it only "helps" to expose the consequences of: http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973 http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4 http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/ in more quicker way, and doesn't impersonate security issue in HTML-Parser itself.
This issue affects the versions of the perl-HTML-Parser package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the perl-HTML-Parser package, as shipped with Fedora releases of 10 and 11, and as scheduled to appear in Fedora release of 12.
Red Hat does not believe this is a direct security issue. This flaw can only lead to a crash if perl-HTML-Parser is used in conjunction with perl 5.10.1, which is not used in any supported version of Red Hat Enterprise Linux. If used with any earlier version of perl, this flaw only leads to garbage output; there is no infinite loop that would cause a denial of service condition. The real issue here is CVE-2009-3626, which affects only perl 5.10.1.