On Sat, Nov 08, 2025 at 10:11:36AM +0100, Salvatore Bonaccorso wrote:
> Source: libxml2
> Version: 2.15.1+dfsg-0.3
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1012
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for libxml2.
>
> CVE-2025-12863[0]:
> | A flaw was found in the xmlSetTreeDoc() function of the libxml2 XML
> | parsing library. This function is responsible for updating document
> | pointers when XML nodes are moved between documents. Due to improper
> | handling of namespace references, a namespace pointer may remain
> | linked to a freed memory region when the original document is
> | destroyed. As a result, subsequent operations that access the
> | namespace can lead to a use-after-free condition, causing an
> | application crash.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-12863
>     https://www.cve.org/CVERecord?id=CVE-2025-12863
> [1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1012
>
> Please adjust the affected versions in the BTS as needed.
Please note that this CVE has been rejected; more details are in
https://gitlab.gnome.org/GNOME/libxml2/-/issues/1012#note_2608283 and
following. So I think the patch applied in 2.15.1+dfsg-0.4 should be
dropped again.

Regards,
Salvatore

