Security Advisories (3)
CVE-2015-3451 (2015-04-23)

The _clone function does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.

CVE-2017-10672 (2015-04-23)

Use-after-free in the XML-LibXML module through 2.0129 for Perl allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call.

CVE-2026-8177 (2026-05-10)

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multibyte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
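
A hardened parser setup for untrusted input, relevant to CVE-2015-3451 above, as an added example (not code from the XML::LibXML distribution). The helper name parse_untrusted and the sample documents are constructed for illustration; it assumes a release that accepts parser options in new and provides load_xml.

```perl
use strict;
use warnings;
use XML::LibXML;

# Options are set explicitly on every parser instance instead of relying
# on defaults or on settings carried over from another parser object.
my %SAFE_OPTS = (
    expand_entities => 0,   # do not substitute entity references
    load_ext_dtd    => 0,   # do not fetch an external DTD subset
    no_network      => 1,   # forbid network access while parsing
);

# parse_untrusted() is a hypothetical helper name, not part of XML::LibXML.
sub parse_untrusted {
    my ($xml) = @_;
    my $parser = XML::LibXML->new(%SAFE_OPTS);
    my $doc    = $parser->load_xml( string => $xml );

    # Defense in depth: refuse documents that declare a DTD at all, so the
    # outcome does not depend on how a given release applies the options.
    die "DOCTYPE not allowed in untrusted input\n"
        if defined $doc->internalSubset;
    return $doc;
}

# Constructed sample inputs; the entity target is a placeholder path.
my $plain = '<note><!-- reviewed --><body>hello</body></note>';
my $dtd   = '<!DOCTYPE note [<!ENTITY e SYSTEM "file:///placeholder/path">]>'
          . '<note><body>&e;</body></note>';

for my $input ( $plain, $dtd ) {
    my $doc = eval { parse_untrusted($input) };
    if ($doc) {
        # Comment nodes in accepted input are reachable as ordinary DOM nodes.
        my @comments = $doc->findnodes('//comment()');
        printf "accepted: %d comment node(s)\n", scalar @comments;
    }
    else {
        print "rejected: $@";
    }
}
```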

NAME

XML::LibXML::Comment - The DOM Comment Class

SYNOPSIS

use XML::LibXML;

# Create a comment node holding $content
$node = XML::LibXML::Comment->new( $content );

DESCRIPTION

This class provides all functions of XML::LibXML::Text, but for comment nodes. This is possible because the two node types differ only in how they are output, not in their data structure. :-)

Methods

new

The constructor is the only function provided by this package. It is required because libxml2 treats text nodes and comment nodes slightly differently.

AUTHOR

Matt Sergeant, Christian Glahn

SEE ALSO

XML::LibXML, XML::LibXML::Node, XML::LibXML::Element, XML::LibXML::Text, XML::LibXML::Document, XML::LibXML::DocumentFragment

VERSION

1.50