Apply upstream patches to address multiple vulnerabilities #3526

Merged
merged 1 commit into from
Jul 21, 2025

Conversation

flavorjones
Member

What problem is this PR intended to solve?

Address multiple vulnerabilities that are patched in libxml 2.14.4 and 2.14.5 but do not appear in an official 2.13.x release.

  • CVE-2025-6021 - 17d950ae "tree: Fix integer overflow in xmlBuildQName"
  • CVE-2025-6170 - 5e9ec5c1 "Fix potential buffer overflows of interactive shell"
  • CVE-2025-49794 - 81cef8c5 "schematron: Fix xmlSchematronReportOutput"
  • CVE-2025-49795 - 62048278 "schematron: Fix null pointer dereference leading to DoS"
  • CVE-2025-49796 - 81cef8c5 "schematron: Fix xmlSchematronReportOutput"

See related GHSA-353f-x4gh-cqq8 which will be published when these patches appear in a release.

@flavorjones
Member Author

cc @elken @rekhaagarwal09

@elken

elken commented Jul 20, 2025

Thanks so much @flavorjones.

https://xkcd.com/2347/ feels very relevant here 😄

@flavorjones flavorjones merged commit a05d2b4 into v1.18.x Jul 21, 2025
140 of 145 checks passed
@flavorjones flavorjones deleted the flavorjones/libxml2-2.13-security-patches branch July 21, 2025 02:02
@rekhaagarwal09

Thank you so much @flavorjones

@flavorjones
Member Author

This was released in v1.18.9.
