Bug 34378 - libxml2 new security issues CVE-2025-4979[4-6], CVE-2025-6021 and CVE-2025-6170, libxslt new security issues CVE-2025-742[45]
Summary: libxml2 new security issues CVE-2025-4979[4-6], CVE-2025-6021 and CVE-2025-61...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-06-18 16:02 CEST by Nicolas Salguero
Modified: 2025-11-09 08:53 CET (History)
4 users (show)

See Also:
Source RPM: libxml2-2.10.4-1.7.mga9.src.rpm, libxslt-1.1.38-1.1.mga9.src.rpm
CVE: CVE-2025-49794, CVE-2025-49795, CVE-2025-49796, CVE-2025-6021, CVE-2025-6170, CVE-2025-7424, CVE-2025-7425
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-06-18 16:02:16 CEST 
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2025/06/16/6
Nicolas Salguero 2025-06-18 16:03:54 CEST

Source RPM: (none) => libxml2-2.13.8-1.mga10.src.rpm, libxml2-2.10.4-1.7.mga9.src.rpm
CVE: (none) => CVE-2025-49794, CVE-2025-49795, CVE-2025-49796, CVE-2025-6021, CVE-2025-6170
Whiteboard: (none) => MGA9TOO

Comment 1 Marja Van Waes 2025-06-18 21:21:34 CEST 
No registered maintainer, so assigning to all

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-07-18 15:21:58 CEST 
CVE-2025-742[45] were announced here:
https://www.openwall.com/lists/oss-security/2025/07/11/2

CVE: CVE-2025-49794, CVE-2025-49795, CVE-2025-49796, CVE-2025-6021, CVE-2025-6170 => CVE-2025-49794, CVE-2025-49795, CVE-2025-49796, CVE-2025-6021, CVE-2025-6170, CVE-2025-7424, CVE-2025-7425
Summary: libxml2 new security issues CVE-2025-4979[4-6], CVE-2025-6021 and CVE-2025-6170 => libxml2 new security issues CVE-2025-4979[4-6], CVE-2025-6021 and CVE-2025-6170, libxslt new security issues CVE-2025-742[45]
Source RPM: libxml2-2.13.8-1.mga10.src.rpm, libxml2-2.10.4-1.7.mga9.src.rpm => libxml2-2.13.8-2.mga10.src.rpm, libxml2-2.10.4-1.7.mga9.src.rpm, libxslt-1.1.43-3.mga10.src.rpm, libxslt-1.1.38-1.1.mga9.src.rpm

Comment 3 Nicolas Salguero 2025-11-07 15:06:24 CET 
Cauldron fixed those issues.

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: libxml2-2.13.8-2.mga10.src.rpm, libxml2-2.10.4-1.7.mga9.src.rpm, libxslt-1.1.43-3.mga10.src.rpm, libxslt-1.1.38-1.1.mga9.src.rpm => libxml2-2.10.4-1.7.mga9.src.rpm, libxslt-1.1.38-1.1.mga9.src.rpm

Comment 4 Nicolas Salguero 2025-11-07 15:59:04 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap use after free (UAF) leads to Denial of service (DoS). (CVE-2025-49794)

Null pointer dereference leads to Denial of service (DoS). (CVE-2025-49795)

Type confusion leads to Denial of service (DoS). (CVE-2025-49796)

Integer Overflow Leading to Buffer Overflow in xmlBuildQName(). (CVE-2025-6021)

Stack-based Buffer Overflow in xmllint Shell. (CVE-2025-6170)

Type confusion in xmlNode.psvi between stylesheet and source nodes. (CVE-2025-7424)

Heap-use-after-free in xmlFreeID caused by `atype` corruption. (CVE-2025-7425)

References:
https://www.openwall.com/lists/oss-security/2025/06/16/6
https://www.openwall.com/lists/oss-security/2025/07/11/2
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2-devel-2.10.4-1.8.mga9
lib(64)xml2_2-2.10.4-1.8.mga9
libxml2-python3-2.10.4-1.8.mga9
libxml2-utils-2.10.4-1.8.mga9

lib(64)exslt0-1.1.38-1.2.mga9
lib(64)xslt-devel-1.1.38-1.2.mga9
lib(64)xslt1-1.1.38-1.2.mga9
python3-libxslt-1.1.38-1.2.mga9
xsltproc-1.1.38-1.2.mga9

from SRPMS:
libxml2-2.10.4-1.8.mga9.src.rpm
libxslt-1.1.38-1.2.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

katnatek 2025-11-08 03:04:04 CET

Keywords: (none) => advisory

Comment 5 Herman Viaene 2025-11-08 11:50:04 CET 
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34210 forlibxml2
$ python testxml.py
Tested OK
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$  xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Chromium works OK on newspaper site and youtube.
Ref bug 34113 for xlst
$ xsltproc cdcatalog.xsl cdcatalog.xml
<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th style="text-align:left">Title</th>
<th style="text-align:left">Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
</tr>
<tr>
<td>Hide your heart</td>
<td>Bonnie Tyler</td>
</tr>
<tr>
<td>Greatest Hits</td>
<td>Dolly Parton</td>
</tr>
<tr>
<td>Still got the blues</td>
<td>Gary Moore</td>
</tr>
<tr>
<td>Eros</td>
<td>Eros Ramazzotti</td>
</tr>
<tr>
<td>One night only</td>
<td>Bee Gees</td>
</tr>
<tr>
<td>Sylvias Mother</td>
<td>Dr.Hook</td>
</tr>
<tr>
<td>Maggie May</td>
<td>Rod Stewart</td>
</tr>
<tr>
<td>Romanza</td>
<td>Andrea Bocelli</td>
</tr>
<tr>
<td>When a man loves a woman</td>
<td>Percy Sledge</td>
</tr>
<tr>
<td>Black angel</td>
<td>Savage Rose</td>
</tr>
<tr>
<td>1999 Grammy Nominees</td>
<td>Many</td>
</tr>
<tr>
<td>For the good times</td>
<td>Kenny Rogers</td>
</tr>
<tr>
<td>Big Willie style</td>
<td>Will Smith</td>
</tr>
<tr>
<td>Tupelo Honey</td>
<td>Van Morrison</td>
</tr>
<tr>
<td>Soulsville</td>
<td>Jorn Hoel</td>
</tr>
<tr>
<td>The very best of</td>
<td>Cat Stevens</td>
</tr>
<tr>
<td>Stop</td>
<td>Sam Brown</td>
</tr>
<tr>
<td>Bridge of Spies</td>
<td>T`Pau</td>
</tr>
<tr>
<td>Private Dancer</td>
<td>Tina Turner</td>
</tr>
<tr>
<td>Midt om natten</td>
<td>Kim Larsen</td>
</tr>
<tr>
<td>Pavarotti Gala Concert</td>
<td>Luciano Pavarotti</td>
</tr>
<tr>
<td>The dock of the bay</td>
<td>Otis Redding</td>
</tr>
<tr>
<td>Picture book</td>
<td>Simply Red</td>
</tr>
<tr>
<td>Red</td>
<td>The Communards</td>
</tr>
<tr>
<td>Unchain my heart</td>
<td>Joe Cocker</td>
</tr>
</table>
</body></html>

$ 2to3 libxml_xslt_transform_example.py -w
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: No changes to libxml_xslt_transform_example.py
RefactoringTool: Files that need to be modified:
RefactoringTool: libxml_xslt_transform_example.py
This is not the same output as in bug 34113. Not sure what it means

$ python libxml_xslt_transform_example.py
<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th style="text-align:left">Title</th>
<th style="text-align:left">Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
etc ... same as above. Again not the same output as in bug 34113
Chrome tested above as all xml and xslt packages were installed in one go.
Can someone look into this? I would tend to give the OK, but unsure about the results of xslt.

CC: (none) => herman.viaene

Comment 6 katnatek 2025-11-08 19:36:03 CET 
(In reply to Herman Viaene from comment #5)
> $ 2to3 libxml_xslt_transform_example.py -w
> RefactoringTool: Skipping optional fixer: buffer
> RefactoringTool: Skipping optional fixer: idioms
> RefactoringTool: Skipping optional fixer: set_literal
> RefactoringTool: Skipping optional fixer: ws_comma
> RefactoringTool: No changes to libxml_xslt_transform_example.py
> RefactoringTool: Files that need to be modified:
> RefactoringTool: libxml_xslt_transform_example.py
> This is not the same output as in bug 34113. Not sure what it means
> 

Unless you remove the result of the past test is not necessary to run again 2to3
This converts python 2 syntax to python 3, but sometimes that is not enough, but is for the test script 


installing lib64xml2_2-2.10.4-1.8.mga9.x86_64.rpm libxml2-utils-2.10.4-1.8.mga9.x86_64.rpm lib64xslt1-1.1.38-1.2.mga9.x86_64.rpm lib64exslt0-1.1.38-1.2.mga9.x86_64.rpm xsltproc-1.1.38-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ####################################################################################################
      1/5: lib64xml2_2           ####################################################################################################
      2/5: lib64xslt1            ####################################################################################################
      3/5: lib64exslt0           ####################################################################################################
      4/5: xsltproc              ####################################################################################################
      5/5: libxml2-utils         ####################################################################################################
      1/5: removing libxml2-utils-2.10.4-1.7.mga9.x86_64
                                 ####################################################################################################
      2/5: removing xsltproc-1.1.38-1.1.mga9.x86_64
                                 ####################################################################################################
      3/5: removing lib64exslt0-1.1.38-1.1.mga9.x86_64
                                 ####################################################################################################
      4/5: removing lib64xslt1-1.1.38-1.1.mga9.x86_64
                                 ####################################################################################################
      5/5: removing lib64xml2_2-2.10.4-1.7.mga9.x86_64
                                 ####################################################################################################

I detect that also need update some 32b packages

installing libxml2_2-2.10.4-1.8.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing...                     ####################################################################################################
      1/1: libxml2_2             ####################################################################################################
      1/1: removing libxml2_2-2.10.4-1.7.mga9.i586
                                 ####################################################################################################

LC_ALL=C urpmi python3-libxslt
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  libxml2-python3                2.10.4       1.8.mga9      x86_64  
  python3-libxslt                1.1.38       1.2.mga9      x86_64  
1.4MB of additional disk space will be used.
288KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


installing libxml2-python3-2.10.4-1.8.mga9.x86_64.rpm python3-libxslt-1.1.38-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ####################################################################################################
      1/2: libxml2-python3       ####################################################################################################
      2/2: python3-libxslt       ####################################################################################################

xsltproc cdcatalog.xsl cdcatalog.xml and
python libxml_xslt_transform_example.py

Produce the same output

<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th style="text-align:left">Title</th>
<th style="text-align:left">Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
</tr>
<tr>
<td>Hide your heart</td>
<td>Bonnie Tyler</td>
</tr>
<tr>
<td>Greatest Hits</td>
<td>Dolly Parton</td>
</tr>
<tr>
<td>Still got the blues</td>
<td>Gary Moore</td>
</tr>
<tr>
<td>Eros</td>
<td>Eros Ramazzotti</td>
</tr>
<tr>
<td>One night only</td>
<td>Bee Gees</td>
</tr>
<tr>
<td>Sylvias Mother</td>
<td>Dr.Hook</td>
</tr>
<tr>
<td>Maggie May</td>
<td>Rod Stewart</td>
</tr>
<tr>
<td>Romanza</td>
<td>Andrea Bocelli</td>
</tr>
<tr>
<td>When a man loves a woman</td>
<td>Percy Sledge</td>
</tr>
<tr>
<td>Black angel</td>
<td>Savage Rose</td>
</tr>
<tr>
<td>1999 Grammy Nominees</td>
<td>Many</td>
</tr>
<tr>
<td>For the good times</td>
<td>Kenny Rogers</td>
</tr>
<tr>
<td>Big Willie style</td>
<td>Will Smith</td>
</tr>
<tr>
<td>Tupelo Honey</td>
<td>Van Morrison</td>
</tr>
<tr>
<td>Soulsville</td>
<td>Jorn Hoel</td>
</tr>
<tr>
<td>The very best of</td>
<td>Cat Stevens</td>
</tr>
<tr>
<td>Stop</td>
<td>Sam Brown</td>
</tr>
<tr>
<td>Bridge of Spies</td>
<td>T`Pau</td>
</tr>
<tr>
<td>Private Dancer</td>
<td>Tina Turner</td>
</tr>
<tr>
<td>Midt om natten</td>
<td>Kim Larsen</td>
</tr>
<tr>
<td>Pavarotti Gala Concert</td>
<td>Luciano Pavarotti</td>
</tr>
<tr>
<td>The dock of the bay</td>
<td>Otis Redding</td>
</tr>
<tr>
<td>Picture book</td>
<td>Simply Red</td>
</tr>
<tr>
<td>Red</td>
<td>The Communards</td>
</tr>
<tr>
<td>Unchain my heart</td>
<td>Joe Cocker</td>
</tr>
</table>
</body></html>

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2025-11-09 01:41:57 CET 
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2025-11-09 08:53:05 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0269.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.