• Bug#1109947: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u3

    From Guilhem Moulin@21:1/5 to All on Sun Jul 27 02:10:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm moreinfo
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:libxml2
    User: [email protected]
    Usertags: pu

    [ Reason ]

    Fix <no-dsa> security issues CVE-2025-6021, CVE-2025-6170,
    CVE-2025-49794 and CVE-2025-49796.

    [ Impact ]

    Users will remain vulnerable to the aforementioned issues. Upgrading
    users might regress as the issues are fixed in Bullseye LTS.

    [ Tests ]

    Manual bound checks, manual run of the upstream test suite and
    schematron tests.

    [ Risks ]

    Low risk: all patches come from upstream and the versions backported to upstream's 2.13 branch trivially apply to 2.9.14+dfsg-1.3~deb12u2.

    [ Checklist ]

    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in stable
    [ ] the issue is verified as fixed in unstable

    [ Changes ]

    * Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName.
    * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell.
    * Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput.
    * Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput.

    [ Other info ]

    The fix for CVE-2025-6170 is not fixed in sid yet, tagging #-1 as
    moreinfo in the meantime. debdiff sent to maintainer, will NMU if no
    one objects to it. The other CVEs are fixed in sid already.

    --
    Guilhem.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guilhem Moulin@21:1/5 to Guilhem Moulin on Sun Jul 27 02:20:01 2025
    XPost: linux.debian.devel.release

    On Sun, 27 Jul 2025 at 02:00:30 +0200, Guilhem Moulin wrote:
    > [x] attach debdiff against the package in stable

    (Oops, here it comes)

    --
    Guilhem.

    [Attachment: libxml2_2.9.14+dfsg-1.3~deb12u3.debdiff]

    diffstat for libxml2-2.9.14+dfsg libxml2-2.9.14+dfsg

    changelog | 14 ++
    patches/CVE-2025-49794_CVE-2025-49796.patch | 187 ++++++++++++++++++++++++++++
    patches/CVE-2025-6021.patch | 49 +++++++
    patches/CVE-2025-6170.patch | 100 ++++++++++++++
    patches/series | 3
    salsa-ci.yml | 8 +
    6 files changed, 361 insertions(+)

    diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog
    --- libxml2-2.9.14+dfsg/debian/changelog 2025-06-06 10:50:13.000000000 +0200
    +++ libxml2-2.9.14+dfsg/debian/changelog 2025-07-27 01:15:48.000000000 +0200
    @@ -1,3 +1,17 @@
    +libxml2 (2.9.14+dfsg-1.3~deb12u3) bookworm; urgency=high
    +
    + * Non-maintainer
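
    Review bot: the changelog hunk breaks off at "* Non-maintainer", so the new 2.9.14+dfsg-1.3~deb12u3 entry cannot be checked against the diffstat from what is shown. The diffstat counts 8 added lines in salsa-ci.yml, which is not among the four CVE fixes listed under [ Changes ]; since the checklist states that all changes are documented in d/changelog, the entry should name that CI change alongside the three patch files added to patches/series.
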
  • From Guilhem Moulin@21:1/5 to All on Mon Jul 28 11:30:02 2025
    XPost: linux.debian.devel.release

    Control: tag -1 - moreinfo

    > [ Other info ]
    >
    > The fix for CVE-2025-6170 is not fixed in sid yet, tagging #-1 as
    > moreinfo in the meantime. debdiff sent to maintainer, will NMU if no
    > one objects to it. The other CVEs are fixed in sid already.

    NMU'ed a fix for CVE-2025-6170 with the maintainer's blessing, so hereby removing the moreinfo tag.

    --
    Guilhem.

  • From Jonathan Wiltshire@21:1/5 to All on Mon Jul 28 23:30:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1109947 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: libxml2
    Version: 2.9.14+dfsg-1.3~deb12u3

    Explanation: fix integer overflow issue in xmlBuildQName [CVE-2025-6021]; fix potential buffer overflows in the interactive shell [CVE-2025-6170]; fix use-after-free issue in xmlSchematronReportOutput [CVE-2025-49794]; fix type confusion issue in xmlSchematronReportOutput [CVE-2025-49796]
