Bug 949914 (CVE-2024-56171, CVE-2025-24928) - <dev-libs/libxml2-{2.12.10, 2.13.6}: Multiple vulnerabilities
Summary: <dev-libs/libxml2-{2.12.10, 2.13.6}: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2024-56171, CVE-2025-24928
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on: 951454
Blocks:
Reported: 2025-02-18 16:24 UTC by Sam James
Modified: 2025-03-19 02:03 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-18 16:24:00 UTC
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/5880a9a6bd97c0f9ac8fc4f30110fe023f484746 ("[CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd")
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 ("[CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements")
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-18 16:28:45 UTC
```
--- /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.9/work/libxml2-2.12.9/NEWS    2024-07-24 14:55:06.000000000 +0100
+++ /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.10/work/libxml2-2.12.10/NEWS  2025-02-18 16:18:55.000000000 +0000
@@ -1,5 +1,33 @@
 NEWS file for libxml2

+v2.12.10: Feb 18 2025
+
+### Security
+
+- [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
+- [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
+- pattern: Fix compilation of explicit child axis
[...]
```
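Review bot: the hunk is cut short at `[...]`: its header `@@ -1,5 +1,33 @@` covers 33 lines of the new NEWS file, but only the v2.12.10 heading, the Security heading and three entries are quoted, so this excerpt confirms only that 2.12.10 carries the CVE-2025-24928 and CVE-2024-56171 fixes. The bug summary also covers 2.13.6, and no matching NEWS excerpt for the 2.13 branch is quoted; adding the 2.13.6 NEWS hunk alongside this one would document that both versions named in the summary fix both CVEs.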
Comment 2 Larry the Git Cow gentoo-dev 2025-02-18 16:33:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=552ab0018c9d8fb17e231c2b8357d54fa840a78b

commit 552ab0018c9d8fb17e231c2b8357d54fa840a78b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-02-18 16:32:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-18 16:33:11 +0000

    dev-libs/libxml2: add 2.13.6
    
    Bug: https://bugs.gentoo.org/949914
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.13.6.ebuild | 190 +++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bc3ca88aedbc4c0cfacb2d5b92d1bcfaa4a3d8b

commit 7bc3ca88aedbc4c0cfacb2d5b92d1bcfaa4a3d8b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-02-18 16:27:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-18 16:33:11 +0000

    dev-libs/libxml2: add 2.12.10
    
    Bug: https://bugs.gentoo.org/949914
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest               |   1 +
 dev-libs/libxml2/libxml2-2.12.10.ebuild | 198 ++++++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+)
Comment 4 Hanno Böck gentoo-dev 2025-03-15 20:02:23 UTC
Can we proceed here with stabilization?
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-16 12:14:53 UTC
(In reply to Hanno Böck from comment #4)
> Can we proceed here with stabilization?

Yeah, new libxml2+libxslt often has regressions, but it should be fine now. Let's do the later libxslt.