* https://gitlab.gnome.org/GNOME/libxml2/-/commit/5880a9a6bd97c0f9ac8fc4f30110fe023f484746 ("[CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd")
* https://gitlab.gnome.org/GNOME/libxml2/-/commit/8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 ("[CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements")
``` --- /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.9/work/libxml2-2.12.9/NEWS 2024-07-24 14:55:06.000000000 +0100 +++ /tmp/mgorny-dev-scripts/portage/dev-libs/libxml2-2.12.10/work/libxml2-2.12.10/NEWS 2025-02-18 16:18:55.000000000 +0000 @@ -1,5 +1,33 @@ NEWS file for libxml2 +v2.12.10: Feb 18 2025 + +### Security + +- [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements +- [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd +- pattern: Fix compilation of explicit child axis [...] ```
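Review bot: In the `### Security` list of the v2.12.10 entry, `pattern: Fix compilation of explicit child axis` carries no CVE id while the two entries above it do, so it is worth stating whether it is a security fix this bug should also track or an ordinary bug fix. The hunk header `@@ -1,5 +1,33 @@` announces 28 added lines, but the quote stops at `[...]`, so the rest of the NEWS entry cannot be checked from this excerpt.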
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=552ab0018c9d8fb17e231c2b8357d54fa840a78b

commit 552ab0018c9d8fb17e231c2b8357d54fa840a78b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-02-18 16:32:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-18 16:33:11 +0000

    dev-libs/libxml2: add 2.13.6

    Bug: https://bugs.gentoo.org/949914
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   1 +
 dev-libs/libxml2/libxml2-2.13.6.ebuild | 190 +++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bc3ca88aedbc4c0cfacb2d5b92d1bcfaa4a3d8b

commit 7bc3ca88aedbc4c0cfacb2d5b92d1bcfaa4a3d8b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-02-18 16:27:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-18 16:33:11 +0000

    dev-libs/libxml2: add 2.12.10

    Bug: https://bugs.gentoo.org/949914
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest               |   1 +
 dev-libs/libxml2/libxml2-2.12.10.ebuild | 198 ++++++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+)
https://www.openwall.com/lists/oss-security/2025/02/18/2
Can we proceed here with stabilization?
(In reply to Hanno Böck from comment #4)
> Can we proceed here with stabilization?

Yeah, new libxml2+libxslt often has regressions, but it should be fine now. Let's do the later libxslt.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e818ac442b67686b49a5d811533a4990fb69a64

commit 6e818ac442b67686b49a5d811533a4990fb69a64
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-05-11 03:59:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-05-11 03:59:11 +0000

    dev-libs/libxslt: drop 1.1.39-r1, 1.1.42

    Bug: https://bugs.gentoo.org/949914
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxslt/Manifest                          |   2 -
 .../files/libxslt-1.1.39-libxml2-2.11-tests.patch  |  24 ----
 dev-libs/libxslt/libxslt-1.1.39-r1.ebuild          | 128 ---------------------
 dev-libs/libxslt/libxslt-1.1.42.ebuild             | 123 --------------------
 4 files changed, 277 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9302e6747a1e2a100abca96c4dc412ae325026a7

commit 9302e6747a1e2a100abca96c4dc412ae325026a7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-05-11 03:58:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-05-11 03:58:52 +0000

    dev-libs/libxml2: drop 2.11.9, 2.12.9, 2.12.10

    Bug: https://bugs.gentoo.org/949914
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                          |   5 +-
 .../files/libxml2-2.11.5-CVE-2023-45322.patch      |  71 --------
 .../files/libxml2-2.11.9-icu-pkgconfig.patch       |  19 --
 dev-libs/libxml2/libxml2-2.11.9.ebuild             | 201 ---------------------
 dev-libs/libxml2/libxml2-2.12.10.ebuild            | 198 --------------------
 dev-libs/libxml2/libxml2-2.12.9.ebuild             | 198 --------------------
 6 files changed, 1 insertion(+), 691 deletions(-)