Those issues were announced here: https://openwall.com/lists/oss-security/2025/02/18/2
CVE: (none) => CVE-2024-56171, CVE-2025-24928
Status comment: (none) => Fixed upstream in 2.12.10
Source RPM: (none) => libxml2-2.12.9-2.mga10.src.rpm, libxml2-2.10.4-1.5.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Summary: libxml2 new security issues, including CVE-2024-56171 and CVE-2025-24928 => libxml2 new security issues CVE-2024-56171, CVE-2025-24928 and CVE-2025-27113
CVE: CVE-2024-56171, CVE-2025-24928 => CVE-2024-56171, CVE-2025-24928, CVE-2025-27113

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in xmlSchemaIDCFillNodeTables. (CVE-2024-56171)

Stack-buffer-overflow in xmlSnprintfElements. (CVE-2025-24928)

Null-deref in xmlPatMatch. (CVE-2025-27113)

References:
https://openwall.com/lists/oss-security/2025/02/18/2
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.6.mga9
lib(64)xml2-devel-2.10.4-1.6.mga9
libxml2-python3-2.10.4-1.6.mga9
libxml2-utils-2.10.4-1.6.mga9

from SRPM:
libxml2-2.10.4-1.6.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: libxml2-2.12.9-2.mga10.src.rpm, libxml2-2.10.4-1.5.mga9.src.rpm => libxml2-2.10.4-1.5.mga9.src.rpm
Status comment: Fixed upstream in 2.12.10 => (none)
Status: NEW => ASSIGNED
Keywords: (none) => advisory
CC: (none) => mageia
xmllint --noout --schema ./bug322411_1.xsd ./CVE-2024-56171-poc.xml
warning: failed to load external entity "./bug322411_1.xsd"
Schemas parser error : Failed to locate the main schema resource at './bug322411_1.xsd'.
WXS schema ./bug322411_1.xsd failed to compile
warning: failed to load external entity "./CVE-2024-56171-poc.xml"

[katnatek@jgrey qa-testing]$ printf '<info>abc</info>' | xmllint --walker --pattern '/child::info/.' -
Violación de segmento (`core' generado)

installing lib64xml2_2-2.10.4-1.6.mga9.x86_64.rpm libxml2-utils-2.10.4-1.6.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64xml2_2 ##################################################################################################
2/2: libxml2-utils ##################################################################################################
1/2: removing libxml2-utils-2.10.4-1.5.mga9.x86_64 ##################################################################################################
2/2: removing lib64xml2_2-2.10.4-1.5.mga9.x86_64 ##################################################################################################

xmllint --noout --schema ./bug322411_1.xsd ./CVE-2024-56171-poc.xml
warning: failed to load external entity "./bug322411_1.xsd"
Schemas parser error : Failed to locate the main schema resource at './bug322411_1.xsd'.
WXS schema ./bug322411_1.xsd failed to compile

printf '<info>abc</info>' | xmllint --walker --pattern '/child::info/.' -
xmlPatternMatch and xmlStreamPush disagree
pattern /child::info/.
node /info

Reference bug#33975 comment#3
Have to install libxml2-python3; on the internet you find the name of this in reverse order :P

python testxml.py
Tested OK

xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Running strace chromium-browser shows
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3

I could not reproduce CVE-2024-56171, do not understand how to reproduce CVE-2025-24928, but CVE-2025-27113 looks fixed
MGA9-64 Plasma Wayland on Compaq H000SB. No installation issues. Ref bug 33975, did the same tests as above, with exactly the same results. Also chromium works OK. Let's go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0073.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED