Opened 6 weeks ago
Closed 5 weeks ago
#21106 closed enhancement (fixed)
libxml2-2.13.6
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 12.3 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version
Release notes

Security
- [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
- [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
- pattern: Fix compilation of explicit child axis

Regressions
- xmllint: Support compressed input from stdin
- uri: Fix handling of Windows drive letters
- reader: Fix return value of xmlTextReaderReadString again
- SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL

Portability
- dict: Handle ENOSYS from getentropy gracefully
- Fix compilation with uclibc (Dario Binacchi)
- python: Declare init func with PyMODINIT_FUNC
- tests: Fix sanitizer version check on old Apple clang
- cmake: Work around broken sys/random.h in old macOS SDKs

Build
- autotools: Set AC_CONFIG_AUX_DIR
- cmake: Always build Python module as shared library
- cmake: add missing Bcrypt link on Windows (Saleem Abdulrasool)
- cmake: Fix compatibility in package version file
Change History (10)
comment:1 by , 6 weeks ago
comment:3 by , 6 weeks ago
I'm not really sure if we can implement a patch like that during freeze unfortunately, just due to the sheer amount of packages that use libxml2.
comment:4 by , 6 weeks ago
MITRE has rated it as 7.8/10 though, with Red Hat marking it as "Important" which is quite rare.
comment:5 by , 6 weeks ago
The patches won't affect the headers and the exported symbols of the libraries, thus we don't need to rebuild everything. We can just do some smoke tests to show the downstream packages still work.
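Added example, not part of the ticket or of the BLFS or libxml2 sources: one way to check the exported-symbol half of the argument in comment:5 is to diff the dynamic symbol tables of the old and patched library. The sample `nm` output, its addresses and the `LIBXML2_X` version node are constructed placeholders, and the function names `exported`, `abi_diff`, `is_drop_in` and `nm_dynamic` are hypothetical.

```python
import subprocess
import sys

# Constructed `nm -D --defined-only` output for an old and a patched build.
# Addresses and the LIBXML2_X version node are placeholders, not real values.
OLD_NM = """\
0000000000031a40 T xmlSnprintfElements@@LIBXML2_X
0000000000052b10 T xmlTextReaderReadString@@LIBXML2_X
00000000001a2040 D xmlFree@@LIBXML2_X
0000000000000000 A LIBXML2_X
"""
# A patched build moves code around but exports the same names.
NEW_NM = OLD_NM.replace("31a40", "31c80").replace("52b10", "52d50")

def exported(nm_text):
    """Map 'name@version' -> 'code' or 'data' for each defined dynamic symbol."""
    syms = {}
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank lines or entries without an address
        _addr, kind, name = parts
        if kind == "A":
            continue  # absolute entries are the version nodes themselves
        # Existing binaries bind to name+version, so '@@' (default) and '@' are equal here.
        key = name.replace("@@", "@")
        syms[key] = "code" if kind.upper() in ("T", "W", "I") else "data"
    return syms

def abi_diff(old_text, new_text):
    """Compare two nm listings; addresses are ignored, names and kinds are not."""
    old, new = exported(old_text), exported(new_text)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "retyped": sorted(s for s in set(old) & set(new) if old[s] != new[s]),
    }

def is_drop_in(diff):
    """Already-linked consumers keep resolving if nothing was removed or retyped."""
    return not diff["removed"] and not diff["retyped"]

def nm_dynamic(path):
    return subprocess.run(["nm", "-D", "--defined-only", path],
                          check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # With two library paths, compare real builds; otherwise use the constructed samples.
    old, new = map(nm_dynamic, sys.argv[1:3]) if len(sys.argv) == 3 else (OLD_NM, NEW_NM)
    diff = abi_diff(old, new)
    print(diff, "drop-in" if is_drop_in(diff) else "relink/rebuild needed")
```

A clean result only covers symbol names and kinds; struct layouts and macros in the installed headers need a separate header diff, and the smoke tests mentioned in comment:5 still apply.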
comment:6 by , 5 weeks ago
CVE-2024-56171 has been updated to 7.8/10 and has now been confirmed to be used for remote code execution when processing XML documents.
"pattern: Fix compilation of explicit child axis" has been assigned CVE-2025-27113 and is now known to affect the XML::LibXML Perl module and the xmllint utility, though that thankfully just allows for a crash.
comment:7 by , 5 weeks ago
Milestone: | 12.4 → 12.3 |
---|
Promote the security fixes for 12.3 following the decision to make another tagging round.
comment:8 by , 5 weeks ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:9 by , 5 weeks ago
Fixed at 40da065e3e8690d0491ca60ed9ebb64a3183fcb4
Security advisory incoming shortly
CVE-2025-24928's impact can be quite significant in some cases. From the upstream bug report:
"xmlSnprintfElements is only used to report DTD validation errors. But if such an error occurs, the bug allows to overwrite roughly 5,000 bytes of stack memory with an UTF-8 encoded XML NCName chosen by the attacker."