Message-ID: <81cb4047-7a23-498b-8bb5-ae0c84d540a1@oracle.com>
Date: Mon, 16 Jun 2025 15:12:25 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: 5 security issues disclosed in libxml2

As discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the security policy of libxml2 has been changed to disclose vulnerabilities before fixes are available so that people other than the maintainer can contribute to fixing security issues in this library.

As part of this, the following 5 CVEs have been disclosed recently:

(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/931

Description: A Heap Use After Free (UAF) vulnerability was discovered in the Schematron in the libxml2. The issue arises in the xmlSchematronGetNode function when processing XPath expressions in Schematron schema elements <sch:name path="..."/>, where a pointer to freed memory is returned and then accessed, leading to undefined behavior and potential crashes.

Vulnerable component: The xmlSchematronGetNode function extracts a pointer to a node from an XPath node set and then immediately frees the entire XPath object containing that node set, rendering the returned pointer invalid.

Researcher: Nikita Sveshnikov (Positive Technologies)

(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/932

Description: A null pointer dereference vulnerability was discovered in the libxml2. The issue occurs in the xmlSchematronFormatReport function when processing incorrect XPath expressions in Schematron schema reports, leading to undefined behavior and potential crashes.

Vulnerable component: The xmlXPathCompiledEval() function can return NULL when evaluating invalid XPath expressions, but the code immediately dereferences the returned pointer without checking for NULL.

Researcher: Nikita Sveshnikov (Positive Technologies)

(CVE-2025-49796) Type confusion leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/933

Description: A vulnerability causing undefined behavior was discovered in the Schematron in the libxml2. The issue arises in the xmlSchematronFormatReport function when processing sch:name elements, leading to memory corruption and undefined behavior when accessing namespace information.

Vulnerable component: Memory corruption occurs during namespace processing, resulting in the assignment of a corrupted pointer (0xffffffffffffffff) to node->ns. When the code attempts to access node->ns->prefix, it dereferences this invalid pointer, causing undefined behavior.

Researcher: Nikita Sveshnikov (Positive Technologies)

For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/935 .

(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName()
https://gitlab.gnome.org/GNOME/libxml2/-/issues/926

Description: The xmlBuildQName function in tree.c is vulnerable to an integer overflow when calculating the required buffer size for concatenating a prefix and a local name (ncname). The lengths of ncname and prefix are retrieved using strlen (which returns size_t) but are then implicitly cast to int variables lenn and lenp.

Discovered by: Ahmed Lekssays (Qatar Computing Research Institute)

Fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c

(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell
https://gitlab.gnome.org/GNOME/libxml2/-/issues/941

Summary: A stack-based buffer overflow vulnerability exists in the command-parsing logic of the interactive shell in xmllint. An attacker can supply an overly long argument to any shell command, triggering an unbounded memory copy that overflows a fixed-size buffer on the stack. This leads to a reliable Denial of Service and could be leveraged for Arbitrary Code Execution on systems without exploit mitigations.

Discovered by: Ahmed Lekssays (Qatar Computing Research Institute)

BTW, users of libxml2 may also be using its sibling project, libxslt, which currently has no active maintainer, but has three unfixed security issues reported against it according to https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

-- 
        -Alan Coopersmith-               alan.coopersmith@...cle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
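The CVE-2025-6021 entry above describes the classic size_t-to-int narrowing problem: strlen() results stored in int variables before the buffer size is computed. The following is an added illustration of the defensive pattern, written for this page and not taken from the post or from libxml2; build_qname_checked and qname_size_ok are hypothetical, simplified stand-ins for a QName builder and are not xmlBuildQName or any libxml2 API. The point is that the size arithmetic is done in size_t, every length is checked against INT_MAX before anything is narrowed, and any input that cannot be represented is rejected rather than allocated.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * qname_size_ok (hypothetical helper): compute the buffer size needed for
 * "prefix:ncname\0" entirely in size_t arithmetic and refuse any length
 * that would not survive being stored in an int.  Returns 1 and stores the
 * total size on success, 0 if the lengths cannot be represented safely.
 */
int qname_size_ok(size_t lenp, size_t lenn, size_t *out_total)
{
    /* strlen() yields size_t; a value above INT_MAX would be truncated or
       turn negative if stored in an int, so reject it before any cast. */
    if (lenp > (size_t)INT_MAX || lenn > (size_t)INT_MAX)
        return 0;

    /* prefix + ':' + ncname + '\0'.  Guard the sum against wrap-around and
       keep the final total itself within int range so that any later int
       bookkeeping (as in the pattern the post describes) is exact. */
    size_t total = lenp + 1 + lenn + 1;
    if (total < lenp || total > (size_t)INT_MAX)
        return 0;

    if (out_total != NULL)
        *out_total = total;
    return 1;
}

/*
 * build_qname_checked (hypothetical, NOT libxml2's xmlBuildQName): returns a
 * newly allocated "prefix:ncname", or a copy of ncname when prefix is NULL
 * or empty, or NULL on bad input or when the size check fails.  The caller
 * frees the result.
 */
char *build_qname_checked(const char *ncname, const char *prefix)
{
    if (ncname == NULL)
        return NULL;

    size_t lenn = strlen(ncname);
    size_t lenp = (prefix != NULL) ? strlen(prefix) : 0;
    size_t total;

    /* Size is validated before allocation; nothing is ever narrowed to int. */
    if (!qname_size_ok(lenp, lenn, &total))
        return NULL;

    char *out = malloc(total);
    if (out == NULL)
        return NULL;

    if (lenp == 0) {
        memcpy(out, ncname, lenn + 1);              /* "ncname\0" */
    } else {
        memcpy(out, prefix, lenp);                  /* "prefix"   */
        out[lenp] = ':';                            /* ":"       */
        memcpy(out + lenp + 1, ncname, lenn + 1);   /* "ncname\0" */
    }
    return out;
}

int main(void)
{
    /* Constructed sample input: a Schematron-style prefixed name. */
    char *q = build_qname_checked("name", "sch");
    printf("%s\n", q ? q : "(rejected)");
    free(q);

    /* Constructed oversize length: only the size check runs, no allocation. */
    printf("INT_MAX-length prefix accepted? %d\n",
           qname_size_ok((size_t)INT_MAX, 1, NULL));
    return 0;
}
```

The separation into a pure size check plus a builder is deliberate: the check can be exercised with extreme lengths (INT_MAX, SIZE_MAX) in a unit test without ever allocating gigabytes, which is exactly the regime where a truncating int cast would have silently produced a small buffer.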