[SECURITY] [DLA 4251-1] libxml2 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4251-1] libxml2 security update
From: Guilhem Moulin <guilhem@debian.org>
Date: Sat, 26 Jul 2025 21:10:08 +0200
Message-id: <[🔎] aIUoEGFxtd7kyvAd@debian.org>
Mail-followup-to: debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4251-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
July 26, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libxml2
Version        : 2.9.10+dfsg-6.7+deb11u8
CVE ID         : CVE-2024-34459 CVE-2025-6021 CVE-2025-6170 CVE-2025-49794
                 CVE-2025-49796
Debian Bug     : 1071162 1107720 1107755 1107938

Multiple security issues were found in libxml2, the GNOME XML library,
which could yield to denial of service or potentially arbitrary code
execution.

CVE-2024-34459

    Zhineng Zhong discovered that formatting error messages with `xmllint
    --htmlout` could result in a buffer over-read.

CVE-2025-6021

    Ahmed Lekssays discovered an integer overflow issue in
    `xmlBuildQName()` which could result in memory corruption or a
    denial of service when processing crafted input.

CVE-2025-6170

    Ahmed Lekssays discovered a stack-based buffer overflow issue in the
    command-parsing logic of the interactive shell in xmllint.

CVE-2025-49794

    Nikita Sveshnikov discovered a heap use-after-free issue in the
    schematron.  When processing XPath expressions in Schematron schema
    elements `<sch:name path="…"/>`, a pointer to freed memory is
    returned and then accessed, leading to undefined behavior or
    potential crashes.

CVE-2025-49796

    Nikita Sveshnikov discovered a type confusion issue in the
    schematron.  Processing `sch:name` elements and accessing namespace
    information may lead to leading to memory corruption or undefined
    behavior.

For Debian 11 bullseye, these problems have been fixed in version
2.9.10+dfsg-6.7+deb11u8.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 4250-1] firefox-esr security update
Next by Date: [SECURITY] [DLA 4252-1] snapcast security update
Previous by thread: [SECURITY] [DLA 4250-1] firefox-esr security update
Next by thread: [SECURITY] [DLA 4252-1] snapcast security update
Index(es):
- Date
- Thread