CVE-2021-42859: A memory leak issue was discovered in Mini-XML v3.2 that could cause a denial of service. CVE-2021-42860: A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxml_string_getc:2611. "Fixed in master", but unsure about where the actual fix is.
Based on the Github issue, it should be fixed in 3.3. I was also not able to reproduce with current version 3.3 in tree.
Thanks!
I guess, we can close here and release _no_ GLSA. Seeing https://github.com/michaelrsweet/mxml/issues/286, the CVE was rejected by upstream. https://www.cve.org/CVERecord?id=CVE-2021-42859 also lists as disputed.