      ZZLI4416             linux.debian.bugs.dist             15094 messages      

  Msg # 60 of 15094 on ZZLI4416, Monday 10-12-25, 1:11  
  From: GUILHEM MOULIN  
  To: ALL  
  Subj: Bug#1117844: bookworm-pu: package libxml  
 XPost: linux.debian.devel.release 
 From: guilhem@debian.org 
  
 Package: release.debian.org 
 Severity: normal 
 Tags: bookworm 
 X-Debbugs-Cc: libxml2.9@packages.debian.org, security@debian.org 
 Control: affects -1 + src:libxml2.9 
 User: release.debian.org@packages.debian.org 
 Usertags: pu 
  
 [ Reason ] 
  
 Fix issue CVE-2025-9714 and improve existing mitigation for 
 CVE-2025-7425. 
  
 [ Impact ] 
  
 Users will remain vulnerable to CVE-2025-9714, and will regress when 
 upgrading (a fix was uploaded to Bullseye LTS). 
  
 [ Tests ] 
  
 1/ PoC (from libxslt) at https://gitlab.gnome.org/GNOME/libxslt/-/issues/140 
 and https://gitlab.gnome.org/GNOME/libxslt/-/issues/148 . 
  
 2/ Autopkgtests for reverse (build-)dependencies. 
  
 [ Risks ] 
  
 The upstream fix for CVE-2025-9714 trivially applies to 
 2.9.14+dfsg-1.3~deb12u4. 
  
 Backporting the mitigation for CVE-2025-7425 from 
 https://gitlab.gnome.org/-/project/1762/uploads/302ecfda701895ebd0fa438a66d1a7a4/gnome-libxslt-bug-140-apple-fix.diff 
 was more involved.  Improvements over the existing 
 d/p/CVE-2025-7425.patch were discussed offlist with Aron Xu; a version 
 containing the resulting patch was uploaded to Bullseye LTS. 
  
 [ Checklist ] 
  
   [*] *all* changes are documented in the d/changelog 
   [*] I reviewed all changes and I approve them 
   [*] attach debdiff against the package in oldstable 
   [*] the issue is verified as fixed in unstable 
  
 [ Changes ] 
  
   * Fix CVE-2025-9714: Denial of service vulnerability via uncontrolled 
     recursion in XPath evaluation. 
   * Amend d/p/CVE-2025-7425.patch to better reflect the original fix. 
  
 -- 
 Guilhem. 
  
 --m2kLb3U0rPcvqgmI 
 Content-Type: text/plain; charset=utf-8 
 Content-Disposition: attachment; filename="libxml2.debdiff" 
 Content-Transfer-Encoding: quoted-printable 
  
 diffstat for libxml2-2.9.14+dfsg libxml2-2.9.14+dfsg 
  
  changelog                   |    9 
  patches/CVE-2025-7425.patch |  441 +++++++++++++++------------------------- 
  patches/CVE-2025-9714.patch |  113 +++++++++++ 
  patches/series              |    1 
  4 files changed, 277 insertions(+), 287 deletions(-) 
  
 diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+df 
 g/debian/changelog 
 --- libxml2-2.9.14+dfsg/debian/changelog 2025-08-25 13:30:10.000000000 +0200 
 +++ libxml2-2.9.14+dfsg/debian/changelog 2025-10-11 14:41:17.000000000 +0200 
 @@ -1,3 +1,12 @@ 
 +libxml2 (2.9.14+dfsg-1.3~deb12u5) bookworm; urgency=high 
 + 
 +  * Non-maintainer upload. 
 +  * Fix CVE-2025-9714: Denial of service vulnerability via uncontrolled 
 +    recursion in XPath evaluation. 
 +  * Amend d/p/CVE-2025-7425.patch to better reflect the original fix. 
 + 
 + -- Guilhem Moulin   Sat, 11 Oct 2025 14:41:17 +0200 
 + 
  libxml2 (2.9.14+dfsg-1.3~deb12u4) bookworm-security; urgency=high 
  
    * CVE-2025-7425: heap-use-after-free in xmlFreeID caused by `atype` 
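Review bot: the second bullet of the new 2.9.14+dfsg-1.3~deb12u5 entry, "Amend d/p/CVE-2025-7425.patch to better reflect the original fix", does not say what actually changes relative to deb12u4, while the diffstat shows that patch file being largely rewritten (441 lines touched). Suggest naming the substantive differences in the entry, so that the checklist item "all changes are documented in the d/changelog" holds at the level of behaviour and not only of file names. The CVE-2025-9714 bullet is fine as written.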
 diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch 
 libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch 
 --- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch 2025-08-25 
 13:29:44.000000000 +0200 
 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch 2025-10-11 
 14:41:17.000000000 +0200 
 @@ -59,35 +59,42 @@ 
  (xmlSchemaValAtomicType): 
  - Adopt macros by renaming the struct fields, recompiling and fixing 
    compiler failures, then changing the struct field names back. 
 + 
 +Origin: https://gitlab.gnome.org/-/project/1762/uploads/302ecfd 
 701895ebd0fa438a66d1a7a4/gnome-libxslt-bug-140-apple-fix.diff 
 +Bug: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140 
 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2379274 
 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025- 
 7425 
 +Bug-Debian: https://bugs.debian.org/1109122 
  --- 
 - HTMLparser.c          |  1 + 
 - SAX2.c                |  6 ++-- 
 - include/libxml/tree.h | 14 ++++++++- 
 - parser.c              |  8 ++--- 
 - runxmlconf.c          |  4 +-- 
 - tree.c                | 20 ++++++------- 
 - valid.c               | 68 +++++++++++++++++++++---------------------- 
 - xmlreader.c           | 30 +++++++++---------- 
 - xmlschemas.c          |  4 +-- 
 - xmlschemastypes.c     | 12 ++++---- 
 - 10 files changed, 90 insertions(+), 77 deletions(-) 
 + HTMLparser.c          |  2 +- 
 + SAX2.c                |  6 +++--- 
 + include/libxml/tree.h | 14 +++++++++++++- 
 + parser.c              | 26 +++++++++++++------------- 
 + runxmlconf.c          |  4 ++-- 
 + tree.c                | 20 ++++++++++---------- 
 + valid.c               | 16 ++++++++-------- 
 + xmlreader.c           | 30 +++++++++++++++--------------- 
 + xmlschemas.c          |  4 ++-- 
 + xmlschemastypes.c     | 12 ++++++------ 
 + 10 files changed, 73 insertions(+), 61 deletions(-) 
  
 -Index: libxml2-2.9.14+dfsg/HTMLparser.c 
 -=================================================================== 
 ---- libxml2-2.9.14+dfsg.orig/HTMLparser.c 
 -+++ libxml2-2.9.14+dfsg/HTMLparser.c 
 -@@ -2514,6 +2514,7 @@ htmlNewDocNoDtD(const xmlChar *URI, cons 
 +diff --git a/HTMLparser.c b/HTMLparser.c 
 +index 4a56fb1..eabca3a 100644 
 +--- a/HTMLparser.c 
 ++++ b/HTMLparser.c 
 +@@ -2514,7 +2514,7 @@ htmlNewDocNoDtD(const xmlChar *URI, const xmlChar 
 *ExternalID) { 
       cur->refs = NULL; 
       cur->_private = NULL; 
       cur->charset = XML_CHAR_ENCODING_UTF8; 
 +-    cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT; 
  +    XML_DOC_SET_PROPERTIES(cur, XML_DOC_HTML | XML_DOC_USERBUILT); 
 -     cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT; 
       if ((ExternalID != NULL) || 
    (URI != NULL)) 
 -Index: libxml2-2.9.14+dfsg/SAX2.c 
 -=================================================================== 
 ---- libxml2-2.9.14+dfsg.orig/SAX2.c 
 -+++ libxml2-2.9.14+dfsg/SAX2.c 
 +  xmlCreateIntSubset(cur, BAD_CAST "html", ExternalID, URI); 
 +diff --git a/SAX2.c b/SAX2.c 
 +index f7c77c2..0d8e84a 100644 
 +--- a/SAX2.c 
 ++++ b/SAX2.c 
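Review bot: in the file list of the regenerated patch header, valid.c shrinks from 68 to 16 changed lines and parser.c grows from 8 to 26, yet the same hunk converts every file header from quilt `Index:` style to `diff --git`, so the real content changes are buried in format churn. Suggest either keeping the original header style or attaching an interdiff of the two patched source trees, and stating in the patch description which valid.c changes were dropped and why that is safe. In the HTMLparser.c part, replacing the direct `cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT;` assignment with `XML_DOC_SET_PROPERTIES(...)`, where the deb12u4 version kept both lines, looks right, and the added Origin: and Bug: fields are welcome.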
  
 [continued in next message] 
  