Your message dated Fri, 18 Jul 2025 11:49:27 +0000
with message-id <[email protected]>
and subject line Bug#1107720: fixed in libxml2 2.12.7+dfsg+really2.9.14-2
has caused the Debian Bug report #1107720,
regarding libxml2: CVE-2025-6021
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1107720: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107720
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml2.9
Version: 2.12.7+dfsg+really2.9.14-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.9.14+dfsg-1.3~deb12u1

Hi,

The following vulnerability was published for libxml2.

CVE-2025-6021[0]:
| A flaw was found in libxml2's xmlBuildQName function, where integer
| overflows in buffer size calculations can lead to a stack-based
| buffer overflow. This issue can result in memory corruption or a
| denial of service when processing crafted input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-6021
    https://www.cve.org/CVERecord?id=CVE-2025-6021
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
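
The bug class named in the CVE description above (an integer overflow in a buffer size calculation that ends in a stack buffer overflow), as an added example; it is not libxml2's code and not part of the original messages. The function names and the caller-supplied-buffer-with-heap-fallback layout are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak pattern (modelled): the needed size is kept in an int. The sum is done
 * in unsigned and folded back by hand so the wraparound is defined behaviour.
 * Returns 1 when the caller's buffer is judged large enough. */
static int fits_int_math(int lenn, int lenp, int buflen) {
    unsigned u = (unsigned)lenn + (unsigned)lenp + 2u;
    int need = (u <= (unsigned)INT_MAX) ? (int)u : -(int)(UINT_MAX - u) - 1;
    return buflen >= need; /* a wrapped, negative need always "fits" */
}

/* Hardened size step: 0 and *need = lenp + 1 + lenn + 1, or -1 if it would wrap. */
static int qname_size(size_t lenp, size_t lenn, size_t *need) {
    if (lenp > SIZE_MAX - 2 || lenn > SIZE_MAX - 2 - lenp) return -1;
    *need = lenp + lenn + 2;
    return 0;
}

/* Builds "prefix:name" in buf when it fits, otherwise on the heap.
 * Returns NULL on error; the caller frees the result when it is not buf. */
static char *build_qname(const char *name, const char *prefix, char *buf, size_t buflen) {
    size_t lenn = strlen(name), lenp = strlen(prefix), need;
    char *out;
    if (qname_size(lenp, lenn, &need) != 0) return NULL;
    out = (buf != NULL && buflen >= need) ? buf : malloc(need);
    if (out == NULL) return NULL;
    memcpy(out, prefix, lenp);
    out[lenp] = ':';
    memcpy(out + lenp + 1, name, lenn + 1); /* copies the terminating NUL too */
    return out;
}

int main(void) {
    char stackbuf[8]; /* constructed sample sizes and names */
    char *q = build_qname("longlocalname", "pfx", stackbuf, sizeof stackbuf);
    printf("int math says INT_MAX+10+2 fits in 50 bytes: %d\n", fits_int_math(INT_MAX, 10, 50));
    printf("qname: %s (heap: %d)\n", q ? q : "(null)", q != stackbuf);
    if (q != stackbuf) free(q);
    return 0;
}
```

With int arithmetic the wrapped size passes the "fits in the caller's buffer" test, which is how a size miscalculation turns into a write past a stack buffer; the size_t version rejects the input before any copy happens.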
--- Begin Message ---
Source: libxml2
Source-Version: 2.12.7+dfsg+really2.9.14-2
Done: Aron Xu <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 Jul 2025 17:09:57 +0200
Source: libxml2
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-2
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1107720 1107755
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-2) unstable; urgency=medium
 .
   * Security fixes:
     - CVE-2025-6021: integer overflow in xmlBuildQName()
       (Closes: #1107720)
     - CVE-2025-{49794,49796}: use after free and type confusion in
       xmlSchematronReportOutput() (Closes: #1107755)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
