--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libxml2.9
User: [email protected]
Usertags: pu
[ Reason ]
Fix <no-dsa> issue CVE-2025-9714 and improve existing mitigation for
CVE-2025-7425.
[ Impact ]
Users will remain vulnerable to CVE-2025-9714, and will regress when
upgrading (a fix was uploaded to Bullseye LTS).
[ Tests ]
1/ PoC (from libxslt) at https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
and https://gitlab.gnome.org/GNOME/libxslt/-/issues/148 .
2/ Autopkgtests for reverse (build-)dependencies.
[ Risks ]
The upstream fix for CVE-2025-9714 trivially applies to
2.9.14+dfsg-1.3~deb12u4.
Backporting the mitigation for CVE-2025-7425 from
https://gitlab.gnome.org/-/project/1762/uploads/302ecfda701895ebd0fa438a66d1a7a4/gnome-libxslt-bug-140-apple-fix.diff
was more involved. Improvements over the existing
d/p/CVE-2025-7425.patch were discussed offlist with Aron Xu; a version
containing the resulting patch was uploaded to Bullseye LTS.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in oldstable
[*] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2025-9714: Denial of service vulnerability via uncontrolled
recursion in XPath evaluation.
* Amend d/p/CVE-2025-7425.patch to better reflect the original fix.
--
Guilhem.
diffstat for libxml2-2.9.14+dfsg libxml2-2.9.14+dfsg
changelog | 9
patches/CVE-2025-7425.patch | 441 +++++++++++++++-----------------------------
patches/CVE-2025-9714.patch | 113 +++++++++++
patches/series | 1
4 files changed, 277 insertions(+), 287 deletions(-)
diff -Nru libxml2-2.9.14+dfsg/debian/changelog
libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog 2025-08-25 13:30:10.000000000
+0200
+++ libxml2-2.9.14+dfsg/debian/changelog 2025-10-11 14:41:17.000000000
+0200
@@ -1,3 +1,12 @@
+libxml2 (2.9.14+dfsg-1.3~deb12u5) bookworm; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-9714: Denial of service vulnerability via uncontrolled
+ recursion in XPath evaluation.
+ * Amend d/p/CVE-2025-7425.patch to better reflect the original fix.
+
+ -- Guilhem Moulin <[email protected]> Sat, 11 Oct 2025 14:41:17 +0200
+
libxml2 (2.9.14+dfsg-1.3~deb12u4) bookworm-security; urgency=high
* CVE-2025-7425: heap-use-after-free in xmlFreeID caused by `atype`
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch
libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch 2025-08-25
13:29:44.000000000 +0200
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-7425.patch 2025-10-11
14:41:17.000000000 +0200
@@ -59,35 +59,42 @@
(xmlSchemaValAtomicType):
- Adopt macros by renaming the struct fields, recompiling and fixing
compiler failures, then changing the struct field names back.
+
+Origin:
https://gitlab.gnome.org/-/project/1762/uploads/302ecfda701895ebd0fa438a66d1a7a4/gnome-libxslt-bug-140-apple-fix.diff
+Bug: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2379274
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-7425
+Bug-Debian: https://bugs.debian.org/1109122
---
- HTMLparser.c | 1 +
- SAX2.c | 6 ++--
- include/libxml/tree.h | 14 ++++++++-
- parser.c | 8 ++---
- runxmlconf.c | 4 +--
- tree.c | 20 ++++++-------
- valid.c | 68 +++++++++++++++++++++----------------------
- xmlreader.c | 30 +++++++++----------
- xmlschemas.c | 4 +--
- xmlschemastypes.c | 12 ++++----
- 10 files changed, 90 insertions(+), 77 deletions(-)
+ HTMLparser.c | 2 +-
+ SAX2.c | 6 +++---
+ include/libxml/tree.h | 14 +++++++++++++-
+ parser.c | 26 +++++++++++++-------------
+ runxmlconf.c | 4 ++--
+ tree.c | 20 ++++++++++----------
+ valid.c | 16 ++++++++--------
+ xmlreader.c | 30 +++++++++++++++---------------
+ xmlschemas.c | 4 ++--
+ xmlschemastypes.c | 12 ++++++------
+ 10 files changed, 73 insertions(+), 61 deletions(-)
-Index: libxml2-2.9.14+dfsg/HTMLparser.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/HTMLparser.c
-+++ libxml2-2.9.14+dfsg/HTMLparser.c
-@@ -2514,6 +2514,7 @@ htmlNewDocNoDtD(const xmlChar *URI, cons
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 4a56fb1..eabca3a 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -2514,7 +2514,7 @@ htmlNewDocNoDtD(const xmlChar *URI, const xmlChar
*ExternalID) {
cur->refs = NULL;
cur->_private = NULL;
cur->charset = XML_CHAR_ENCODING_UTF8;
+- cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT;
+ XML_DOC_SET_PROPERTIES(cur, XML_DOC_HTML | XML_DOC_USERBUILT);
- cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT;
if ((ExternalID != NULL) ||
(URI != NULL))
-Index: libxml2-2.9.14+dfsg/SAX2.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/SAX2.c
-+++ libxml2-2.9.14+dfsg/SAX2.c
+ xmlCreateIntSubset(cur, BAD_CAST "html", ExternalID, URI);
+diff --git a/SAX2.c b/SAX2.c
+index f7c77c2..0d8e84a 100644
+--- a/SAX2.c
++++ b/SAX2.c
@@ -970,7 +970,7 @@ xmlSAX2StartDocument(void *ctx)
xmlSAX2ErrMemory(ctxt, "xmlSAX2StartDocument");
return;
@@ -109,10 +116,10 @@
doc->parseFlags = ctxt->options;
if (ctxt->encoding != NULL)
doc->encoding = xmlStrdup(ctxt->encoding);
-Index: libxml2-2.9.14+dfsg/include/libxml/tree.h
-===================================================================
---- libxml2-2.9.14+dfsg.orig/include/libxml/tree.h
-+++ libxml2-2.9.14+dfsg/include/libxml/tree.h
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 1e79be9..61178b2 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
@@ -365,7 +365,6 @@ struct _xmlElement {
#endif
};
@@ -155,11 +162,11 @@
typedef struct _xmlDOMWrapCtxt xmlDOMWrapCtxt;
typedef xmlDOMWrapCtxt *xmlDOMWrapCtxtPtr;
-Index: libxml2-2.9.14+dfsg/parser.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/parser.c
-+++ libxml2-2.9.14+dfsg/parser.c
-@@ -5523,7 +5523,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
+diff --git a/parser.c b/parser.c
+index 603c0b3..f859296 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5523,7 +5523,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
xmlErrMemory(ctxt, "New Doc failed");
return;
}
@@ -168,7 +175,7 @@
}
if (ctxt->myDoc->intSubset == NULL)
ctxt->myDoc->intSubset = xmlNewDtd(ctxt->myDoc,
-@@ -5594,7 +5594,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
+@@ -5594,7 +5594,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
xmlErrMemory(ctxt, "New Doc failed");
return;
}
@@ -177,7 +184,7 @@
}
if (ctxt->myDoc->intSubset == NULL)
-@@ -7035,7 +7035,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr
+@@ -7035,7 +7035,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const
xmlChar *ExternalID,
xmlErrMemory(ctxt, "New Doc failed");
return;
}
@@ -186,7 +193,7 @@
}
if ((ctxt->myDoc != NULL) && (ctxt->myDoc->intSubset == NULL))
xmlCreateIntSubset(ctxt->myDoc, NULL, ExternalID, SystemID);
-@@ -7419,7 +7419,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+@@ -7419,7 +7419,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
(nw != NULL) &&
(nw->type == XML_ELEMENT_NODE) &&
(nw->children == NULL))
@@ -195,11 +202,74 @@
break;
}
-Index: libxml2-2.9.14+dfsg/runxmlconf.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/runxmlconf.c
-+++ libxml2-2.9.14+dfsg/runxmlconf.c
-@@ -197,7 +197,7 @@ xmlconfTestInvalid(const char *id, const
+@@ -10858,13 +10858,13 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ }
+
+ if ((ctxt->wellFormed) && (ctxt->myDoc != NULL)) {
+- ctxt->myDoc->properties |= XML_DOC_WELLFORMED;
++ XML_DOC_ADD_PROPERTIES(ctxt->myDoc, XML_DOC_WELLFORMED);
+ if (ctxt->valid)
+- ctxt->myDoc->properties |= XML_DOC_DTDVALID;
++ XML_DOC_ADD_PROPERTIES(ctxt->myDoc, XML_DOC_DTDVALID);
+ if (ctxt->nsWellFormed)
+- ctxt->myDoc->properties |= XML_DOC_NSVALID;
++ XML_DOC_ADD_PROPERTIES(ctxt->myDoc, XML_DOC_NSVALID);
+ if (ctxt->options & XML_PARSE_OLD10)
+- ctxt->myDoc->properties |= XML_DOC_OLD10;
++ XML_DOC_ADD_PROPERTIES(ctxt->myDoc, XML_DOC_OLD10);
+ }
+ if (! ctxt->wellFormed) {
+ ctxt->valid = 0;
+@@ -12748,7 +12748,7 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax,
xmlParserInputBufferPtr input,
+ xmlErrMemory(ctxt, "New Doc failed");
+ return(NULL);
+ }
+- ctxt->myDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+ ctxt->myDoc->extSubset = xmlNewDtd(ctxt->myDoc, BAD_CAST "none",
+ BAD_CAST "none", BAD_CAST "none");
+
+@@ -12897,7 +12897,7 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar
*ExternalID,
+ xmlFreeParserCtxt(ctxt);
+ return(NULL);
+ }
+- ctxt->myDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+ ctxt->myDoc->extSubset = xmlNewDtd(ctxt->myDoc, BAD_CAST "none",
+ ExternalID, SystemID);
+ xmlParseExternalSubset(ctxt, ExternalID, SystemID);
+@@ -13047,7 +13047,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc,
xmlParserCtxtPtr oldctxt,
+ xmlFreeParserCtxt(ctxt);
+ return(XML_ERR_INTERNAL_ERROR);
+ }
+- newDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(newDoc, XML_DOC_INTERNAL);
+ if (doc) {
+ newDoc->intSubset = doc->intSubset;
+ newDoc->extSubset = doc->extSubset;
+@@ -13366,7 +13366,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr
oldctxt,
+ xmlFreeParserCtxt(ctxt);
+ return(XML_ERR_INTERNAL_ERROR);
+ }
+- newDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(newDoc, XML_DOC_INTERNAL);
+ newDoc->dict = ctxt->dict;
+ xmlDictReference(newDoc->dict);
+ ctxt->myDoc = newDoc;
+@@ -13768,7 +13768,7 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc,
xmlSAXHandlerPtr sax,
+ xmlFreeParserCtxt(ctxt);
+ return(-1);
+ }
+- newDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(newDoc, XML_DOC_INTERNAL);
+ if ((doc != NULL) && (doc->dict != NULL)) {
+ xmlDictFree(ctxt->dict);
+ ctxt->dict = doc->dict;
+diff --git a/runxmlconf.c b/runxmlconf.c
+index 8a37aa8..601a0af 100644
+--- a/runxmlconf.c
++++ b/runxmlconf.c
+@@ -197,7 +197,7 @@ xmlconfTestInvalid(const char *id, const char *filename,
int options) {
id, filename);
} else {
/* invalidity should be reported both in the context and in the document
*/
@@ -208,7 +278,7 @@
test_log("test %s : %s failed to detect invalid document\n",
id, filename);
nb_errors++;
-@@ -229,7 +229,7 @@ xmlconfTestValid(const char *id, const c
+@@ -229,7 +229,7 @@ xmlconfTestValid(const char *id, const char *filename, int
options) {
ret = 0;
} else {
/* validity should be reported both in the context and in the document */
@@ -217,10 +287,10 @@
test_log("test %s : %s failed to validate a valid document\n",
id, filename);
nb_errors++;
-Index: libxml2-2.9.14+dfsg/tree.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/tree.c
-+++ libxml2-2.9.14+dfsg/tree.c
+diff --git a/tree.c b/tree.c
+index 60cc6f4..2ce9f7e 100644
+--- a/tree.c
++++ b/tree.c
@@ -1192,7 +1192,7 @@ xmlNewDoc(const xmlChar *version) {
cur->compression = -1; /* not initialized */
cur->doc = cur;
@@ -239,7 +309,7 @@
xmlRemoveID(cur->doc, cur);
}
if (cur->children != NULL) xmlFreeNodeList(cur->children);
-@@ -2838,7 +2838,7 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr
+@@ -2838,7 +2838,7 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
if(tree->type == XML_ELEMENT_NODE) {
prop = tree->properties;
while (prop != NULL) {
@@ -248,7 +318,7 @@
xmlRemoveID(tree->doc, prop);
}
-@@ -6952,9 +6952,9 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr n
+@@ -6952,9 +6952,9 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar
*name,
/*
* Modify the attribute's value.
*/
@@ -260,7 +330,7 @@
}
if (prop->children != NULL)
xmlFreeNodeList(prop->children);
-@@ -6974,7 +6974,7 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr n
+@@ -6974,7 +6974,7 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar
*name,
tmp = tmp->next;
}
}
@@ -292,7 +362,7 @@
((xmlAttrPtr) cur)->psvi = NULL;
}
break;
-@@ -9991,7 +9991,7 @@ xmlDOMWrapAdoptAttr(xmlDOMWrapCtxtPtr ct
+@@ -9991,7 +9991,7 @@ xmlDOMWrapAdoptAttr(xmlDOMWrapCtxtPtr ctxt,
}
XML_TREE_ADOPT_STR(attr->name);
@@ -301,20 +371,11 @@
attr->psvi = NULL;
/*
* Walk content.
-Index: libxml2-2.9.14+dfsg/valid.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/valid.c
-+++ libxml2-2.9.14+dfsg/valid.c
-@@ -1906,7 +1906,7 @@ xmlScanIDAttributeDecl(xmlValidCtxtPtr c
- if (elem == NULL) return(0);
- cur = elem->attributes;
- while (cur != NULL) {
-- if (cur->atype == XML_ATTRIBUTE_ID) {
-+ if (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_ID) {
- ret ++;
- if ((ret > 1) && (err))
- xmlErrValidNode(ctxt, (xmlNodePtr) elem, XML_DTD_MULTIPLE_ID,
-@@ -2279,7 +2279,7 @@ xmlDumpAttributeDecl(xmlBufferPtr buf, x
+diff --git a/valid.c b/valid.c
+index 36a0435..28822a2 100644
+--- a/valid.c
++++ b/valid.c
+@@ -2279,7 +2279,7 @@ xmlDumpAttributeDecl(xmlBufferPtr buf, xmlAttributePtr
attr) {
xmlBufferWriteChar(buf, ":");
}
xmlBufferWriteCHAR(buf, attr->name);
@@ -323,7 +384,7 @@
case XML_ATTRIBUTE_CDATA:
xmlBufferWriteChar(buf, " CDATA");
break;
-@@ -2758,7 +2758,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr
+@@ -2758,7 +2758,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const
xmlChar *value,
return(NULL);
}
if (attr != NULL)
@@ -332,16 +393,7 @@
return(ret);
}
-@@ -2837,7 +2837,7 @@ xmlIsID(xmlDocPtr doc, xmlNodePtr elem,
- if ((fullelemname != felem) && (fullelemname != elem->name))
- xmlFree(fullelemname);
-
-- if ((attrDecl != NULL) && (attrDecl->atype == XML_ATTRIBUTE_ID))
-+ if ((attrDecl != NULL) && (XML_ATTR_GET_ATYPE(attrDecl) ==
XML_ATTRIBUTE_ID))
- return(1);
- }
- return(0);
-@@ -2878,7 +2878,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr at
+@@ -2878,7 +2878,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
xmlHashRemoveEntry(table, ID, xmlFreeIDTableEntry);
xmlFree(ID);
@@ -350,18 +402,7 @@
return(0);
}
-@@ -3157,8 +3157,8 @@ xmlIsRef(xmlDocPtr doc, xmlNodePtr elem,
- elem->name, attr->name);
-
- if ((attrDecl != NULL) &&
-- (attrDecl->atype == XML_ATTRIBUTE_IDREF ||
-- attrDecl->atype == XML_ATTRIBUTE_IDREFS))
-+ (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREF ||
-+ XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREFS))
- return(1);
- }
- return(0);
-@@ -3532,7 +3532,7 @@ xmlIsMixedElement(xmlDocPtr doc, const x
+@@ -3532,7 +3532,7 @@ xmlIsMixedElement(xmlDocPtr doc, const xmlChar *name) {
static int
xmlIsDocNameStartChar(xmlDocPtr doc, int c) {
@@ -370,7 +411,7 @@
/*
* Use the new checks of production [4] [4a] amd [5] of the
* Update 5 of XML-1.0
-@@ -3562,7 +3562,7 @@ xmlIsDocNameStartChar(xmlDocPtr doc, int
+@@ -3562,7 +3562,7 @@ xmlIsDocNameStartChar(xmlDocPtr doc, int c) {
static int
xmlIsDocNameChar(xmlDocPtr doc, int c) {
@@ -379,155 +420,16 @@
/*
* Use the new checks of production [4] [4a] amd [5] of the
* Update 5 of XML-1.0
-@@ -4112,7 +4112,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlV
-
- if (attrDecl == NULL)
- return(NULL);
-- if (attrDecl->atype == XML_ATTRIBUTE_CDATA)
-+ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_CDATA)
- return(NULL);
-
- ret = xmlStrdup(value);
-@@ -4174,7 +4174,7 @@ xmlValidNormalizeAttributeValue(xmlDocPt
-
- if (attrDecl == NULL)
- return(NULL);
-- if (attrDecl->atype == XML_ATTRIBUTE_CDATA)
-+ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_CDATA)
- return(NULL);
-
- ret = xmlStrdup(value);
-@@ -4189,7 +4189,7 @@ xmlValidateAttributeIdCallback(void *pay
- const xmlChar *name ATTRIBUTE_UNUSED) {
- xmlAttributePtr attr = (xmlAttributePtr) payload;
- int *count = (int *) data;
-- if (attr->atype == XML_ATTRIBUTE_ID) (*count)++;
-+ if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID) (*count)++;
- }
-
- /**
-@@ -4221,7 +4221,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr
- /* Attribute Default Legal */
- /* Enumeration */
- if (attr->defaultValue != NULL) {
-- val = xmlValidateAttributeValueInternal(doc, attr->atype,
-+ val = xmlValidateAttributeValueInternal(doc, XML_ATTR_GET_ATYPE(attr),
- attr->defaultValue);
- if (val == 0) {
- xmlErrValidNode(ctxt, (xmlNodePtr) attr, XML_DTD_ATTRIBUTE_DEFAULT,
-@@ -4232,7 +4232,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr
- }
-
- /* ID Attribute Default */
-- if ((attr->atype == XML_ATTRIBUTE_ID)&&
-+ if ((XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID)&&
- (attr->def != XML_ATTRIBUTE_IMPLIED) &&
- (attr->def != XML_ATTRIBUTE_REQUIRED)) {
- xmlErrValidNode(ctxt, (xmlNodePtr) attr, XML_DTD_ID_FIXED,
-@@ -4242,7 +4242,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr
- }
-
- /* One ID per Element Type */
-- if (attr->atype == XML_ATTRIBUTE_ID) {
-+ if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID) {
- int nbId;
-
- /* the trick is that we parse DtD as their own internal subset */
-@@ -4501,9 +4501,9 @@ xmlValidateOneAttribute(xmlValidCtxtPtr
+@@ -4501,7 +4501,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr
doc,
attr->name, elem->name, NULL);
return(0);
}
- attr->atype = attrDecl->atype;
+ XML_ATTR_SET_ATYPE(attr, attrDecl->atype);
-- val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
-+ val = xmlValidateAttributeValueInternal(doc,
XML_ATTR_GET_ATYPE(attrDecl), value);
+ val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
if (val == 0) {
- xmlErrValidNode(ctxt, elem, XML_DTD_ATTRIBUTE_VALUE,
- "Syntax of value for attribute %s of %s is not valid\n",
-@@ -4522,19 +4522,19 @@ xmlValidateOneAttribute(xmlValidCtxtPtr
- }
-
- /* Validity Constraint: ID uniqueness */
-- if (attrDecl->atype == XML_ATTRIBUTE_ID) {
-+ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ID) {
- if (xmlAddID(ctxt, doc, value, attr) == NULL)
- ret = 0;
- }
-
-- if ((attrDecl->atype == XML_ATTRIBUTE_IDREF) ||
-- (attrDecl->atype == XML_ATTRIBUTE_IDREFS)) {
-+ if ((XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREF) ||
-+ (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREFS)) {
- if (xmlAddRef(ctxt, doc, value, attr) == NULL)
- ret = 0;
- }
-
- /* Validity Constraint: Notation Attributes */
-- if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
-+ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_NOTATION) {
- xmlEnumerationPtr tree = attrDecl->tree;
- xmlNotationPtr nota;
-
-@@ -4564,7 +4564,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr
- }
-
- /* Validity Constraint: Enumeration */
-- if (attrDecl->atype == XML_ATTRIBUTE_ENUMERATION) {
-+ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ENUMERATION) {
- xmlEnumerationPtr tree = attrDecl->tree;
- while (tree != NULL) {
- if (xmlStrEqual(tree->name, value)) break;
-@@ -4589,7 +4589,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr
-
- /* Extra check for the attribute value */
- ret &= xmlValidateAttributeValue2(ctxt, doc, attr->name,
-- attrDecl->atype, value);
-+ XML_ATTR_GET_ATYPE(attrDecl), value);
-
- return(ret);
- }
-@@ -4688,7 +4688,7 @@ xmlNodePtr elem, const xmlChar *prefix,
- return(0);
- }
-
-- val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
-+ val = xmlValidateAttributeValueInternal(doc,
XML_ATTR_GET_ATYPE(attrDecl), value);
- if (val == 0) {
- if (ns->prefix != NULL) {
- xmlErrValidNode(ctxt, elem, XML_DTD_INVALID_DEFAULT,
-@@ -4738,7 +4738,7 @@ xmlNodePtr elem, const xmlChar *prefix,
- #endif
-
- /* Validity Constraint: Notation Attributes */
-- if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
-+ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_NOTATION) {
- xmlEnumerationPtr tree = attrDecl->tree;
- xmlNotationPtr nota;
-
-@@ -4780,7 +4780,7 @@ xmlNodePtr elem, const xmlChar *prefix,
- }
-
- /* Validity Constraint: Enumeration */
-- if (attrDecl->atype == XML_ATTRIBUTE_ENUMERATION) {
-+ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ENUMERATION) {
- xmlEnumerationPtr tree = attrDecl->tree;
- while (tree != NULL) {
- if (xmlStrEqual(tree->name, value)) break;
-@@ -4818,10 +4818,10 @@ xmlNodePtr elem, const xmlChar *prefix,
- /* Extra check for the attribute value */
- if (ns->prefix != NULL) {
- ret &= xmlValidateAttributeValue2(ctxt, doc, ns->prefix,
-- attrDecl->atype, value);
-+ XML_ATTR_GET_ATYPE(attrDecl), value);
- } else {
- ret &= xmlValidateAttributeValue2(ctxt, doc, BAD_CAST "xmlns",
-- attrDecl->atype, value);
-+ XML_ATTR_GET_ATYPE(attrDecl), value);
- }
-
- return(ret);
-@@ -6574,7 +6574,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCt
+@@ -6574,7 +6574,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCtxtPtr ctxt,
while (IS_BLANK_CH(*cur)) cur++;
}
xmlFree(dup);
@@ -536,7 +438,7 @@
id = xmlGetID(ctxt->doc, name);
if (id == NULL) {
xmlErrValidNode(ctxt, attr->parent, XML_DTD_UNKNOWN_ID,
-@@ -6582,7 +6582,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCt
+@@ -6582,7 +6582,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCtxtPtr ctxt,
attr->name, name, NULL);
ctxt->valid = 0;
}
@@ -545,46 +447,11 @@
xmlChar *dup, *str = NULL, *cur, save;
dup = xmlStrdup(name);
-@@ -6782,7 +6782,7 @@ xmlValidateAttributeCallback(void *paylo
-
- if (cur == NULL)
- return;
-- switch (cur->atype) {
-+ switch (XML_ATTR_GET_ATYPE(cur)) {
- case XML_ATTRIBUTE_CDATA:
- case XML_ATTRIBUTE_ID:
- case XML_ATTRIBUTE_IDREF :
-@@ -6797,7 +6797,7 @@ xmlValidateAttributeCallback(void *paylo
- if (cur->defaultValue != NULL) {
-
- ret = xmlValidateAttributeValue2(ctxt, ctxt->doc, cur->name,
-- cur->atype, cur->defaultValue);
-+ XML_ATTR_GET_ATYPE(cur),
cur->defaultValue);
- if ((ret == 0) && (ctxt->valid == 1))
- ctxt->valid = 0;
- }
-@@ -6805,14 +6805,14 @@ xmlValidateAttributeCallback(void *paylo
- xmlEnumerationPtr tree = cur->tree;
- while (tree != NULL) {
- ret = xmlValidateAttributeValue2(ctxt, ctxt->doc,
-- cur->name, cur->atype, tree->name);
-+ cur->name, XML_ATTR_GET_ATYPE(cur),
tree->name);
- if ((ret == 0) && (ctxt->valid == 1))
- ctxt->valid = 0;
- tree = tree->next;
- }
- }
- }
-- if (cur->atype == XML_ATTRIBUTE_NOTATION) {
-+ if (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_NOTATION) {
- doc = cur->doc;
- if (cur->elem == NULL) {
- xmlErrValid(ctxt, XML_ERR_INTERNAL_ERROR,
-Index: libxml2-2.9.14+dfsg/xmlreader.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/xmlreader.c
-+++ libxml2-2.9.14+dfsg/xmlreader.c
-@@ -753,7 +753,7 @@ xmlTextReaderStartElement(void *ctx, con
+diff --git a/xmlreader.c b/xmlreader.c
+index 67ff2cd..2a1a66a 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -753,7 +753,7 @@ xmlTextReaderStartElement(void *ctx, const xmlChar
*fullname,
if ((ctxt->node != NULL) && (ctxt->input != NULL) &&
(ctxt->input->cur != NULL) && (ctxt->input->cur[0] == '/') &&
(ctxt->input->cur[1] == '>'))
@@ -674,7 +541,7 @@
xmlNodePtr tmp = reader->node->last;
xmlUnlinkNode(tmp);
xmlTextReaderFreeNode(reader, tmp);
-@@ -1741,7 +1741,7 @@ xmlTextReaderNext(xmlTextReaderPtr reade
+@@ -1741,7 +1741,7 @@ xmlTextReaderNext(xmlTextReaderPtr reader) {
return(xmlTextReaderRead(reader));
if (reader->state == XML_TEXTREADER_END || reader->state ==
XML_TEXTREADER_BACKTRACK)
return(xmlTextReaderRead(reader));
@@ -683,7 +550,7 @@
return(xmlTextReaderRead(reader));
do {
ret = xmlTextReaderRead(reader);
-@@ -3167,7 +3167,7 @@ xmlTextReaderIsEmptyElement(xmlTextReade
+@@ -3167,7 +3167,7 @@ xmlTextReaderIsEmptyElement(xmlTextReaderPtr reader) {
if (reader->in_xinclude > 0)
return(1);
#endif
@@ -692,7 +559,7 @@
}
/**
-@@ -4035,15 +4035,15 @@ xmlTextReaderPreserve(xmlTextReaderPtr r
+@@ -4035,15 +4035,15 @@ xmlTextReaderPreserve(xmlTextReaderPtr reader) {
return(NULL);
if ((cur->type != XML_DOCUMENT_NODE) && (cur->type != XML_DTD_NODE)) {
@@ -711,11 +578,11 @@
parent = parent->parent;
}
return(cur);
-Index: libxml2-2.9.14+dfsg/xmlschemas.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/xmlschemas.c
-+++ libxml2-2.9.14+dfsg/xmlschemas.c
-@@ -6024,7 +6024,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserC
+diff --git a/xmlschemas.c b/xmlschemas.c
+index f309572..1ae078b 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -6024,7 +6024,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserCtxtPtr ctxt,
xmlAttrPtr attr)
/*
* NOTE: the IDness might have already be declared in the DTD
*/
@@ -724,7 +591,7 @@
xmlIDPtr res;
xmlChar *strip;
-@@ -6047,7 +6047,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserC
+@@ -6047,7 +6047,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserCtxtPtr ctxt,
xmlAttrPtr attr)
NULL, NULL, "Duplicate value '%s' of simple "
"type 'xs:ID'", value, NULL);
} else
@@ -733,11 +600,11 @@
}
} else if (ret > 0) {
ret = XML_SCHEMAP_S4S_ATTR_INVALID_VALUE;
-Index: libxml2-2.9.14+dfsg/xmlschemastypes.c
-===================================================================
---- libxml2-2.9.14+dfsg.orig/xmlschemastypes.c
-+++ libxml2-2.9.14+dfsg/xmlschemastypes.c
-@@ -2867,7 +2867,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index af31be5..d40da49 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -2867,7 +2867,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const
xmlChar * value,
/*
* NOTE: the IDness might have already be declared in the DTD
*/
@@ -746,7 +613,7 @@
xmlIDPtr res;
xmlChar *strip;
-@@ -2880,7 +2880,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
+@@ -2880,7 +2880,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const
xmlChar * value,
if (res == NULL) {
ret = 2;
} else {
@@ -755,7 +622,7 @@
}
}
}
-@@ -2905,7 +2905,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
+@@ -2905,7 +2905,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const
xmlChar * value,
xmlFree(strip);
} else
xmlAddRef(NULL, node->doc, value, attr);
@@ -764,7 +631,7 @@
}
goto done;
case XML_SCHEMAS_IDREFS:
-@@ -2919,7 +2919,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
+@@ -2919,7 +2919,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const
xmlChar * value,
(node->type == XML_ATTRIBUTE_NODE)) {
xmlAttrPtr attr = (xmlAttrPtr) node;
@@ -773,7 +640,7 @@
}
goto done;
case XML_SCHEMAS_ENTITY:{
-@@ -2950,7 +2950,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
+@@ -2950,7 +2950,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const
xmlChar * value,
(node->type == XML_ATTRIBUTE_NODE)) {
xmlAttrPtr attr = (xmlAttrPtr) node;
@@ -782,7 +649,7 @@
}
goto done;
}
-@@ -2967,7 +2967,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
+@@ -2967,7 +2967,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const
xmlChar * value,
(node->type == XML_ATTRIBUTE_NODE)) {
xmlAttrPtr attr = (xmlAttrPtr) node;
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-9714.patch
libxml2-2.9.14+dfsg/debian/patches/CVE-2025-9714.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-9714.patch 1970-01-01
01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-9714.patch 2025-10-11
14:41:17.000000000 +0200
@@ -0,0 +1,113 @@
+From: Nick Wellnhofer <[email protected]>
+Date: Thu, 28 Jul 2022 20:21:24 +0200
+Subject: Make XPath depth check work with recursive invocations
+
+EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval
+recursively. Don't set depth to zero but keep and restore the original
+value to avoid stack overflows when abusing these functions.
+
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2392605
+Bug: https://gitlab.gnome.org/GNOME/libxslt/-/issues/148
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-9714
+---
+ xpath.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index c2d8458..028471d 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13883,12 +13883,11 @@ static int
+ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ {
+ xmlXPathCompExprPtr comp;
++ int oldDepth;
+
+ if ((ctxt == NULL) || (ctxt->comp == NULL))
+ return(-1);
+
+- ctxt->context->depth = 0;
+-
+ if (ctxt->valueTab == NULL) {
+ /* Allocate the value stack */
+ ctxt->valueTab = (xmlXPathObjectPtr *)
+@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int
toBool)
+ "xmlXPathRunEval: last is less than zero\n");
+ return(-1);
+ }
++ oldDepth = ctxt->context->depth;
+ if (toBool)
+ return(xmlXPathCompOpEvalToBoolean(ctxt,
+ &comp->steps[comp->last], 0));
+ else
+ xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]);
++ ctxt->context->depth = oldDepth;
+
+ return(0);
+ }
+@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr
+ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+ xmlXPathParserContextPtr pctxt;
+ xmlXPathCompExprPtr comp;
++ int oldDepth = 0;
+
+ #ifdef XPATH_STREAMING
+ comp = xmlXPathTryStreamCompile(ctxt, str);
+@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const
xmlChar *str) {
+ if (pctxt == NULL)
+ return NULL;
+ if (ctxt != NULL)
+- ctxt->depth = 0;
++ oldDepth = ctxt->depth;
+ xmlXPathCompileExpr(pctxt, 1);
++ if (ctxt != NULL)
++ ctxt->depth = oldDepth;
+
+ if( pctxt->error != XPATH_EXPRESSION_OK )
+ {
+@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const
xmlChar *str) {
+ comp = pctxt->comp;
+ if ((comp->nbStep > 1) && (comp->last >= 0)) {
+ if (ctxt != NULL)
+- ctxt->depth = 0;
++ oldDepth = ctxt->depth;
+ xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]);
++ if (ctxt != NULL)
++ ctxt->depth = oldDepth;
+ }
+ pctxt->comp = NULL;
+ }
+@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #ifdef XPATH_STREAMING
+ xmlXPathCompExprPtr comp;
+ #endif
++ int oldDepth = 0;
+
+ if (ctxt == NULL) return;
+
+@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #endif
+ {
+ if (ctxt->context != NULL)
+- ctxt->context->depth = 0;
++ oldDepth = ctxt->context->depth;
+ xmlXPathCompileExpr(ctxt, 1);
++ if (ctxt->context != NULL)
++ ctxt->context->depth = oldDepth;
+ CHECK_ERROR;
+
+ /* Check for trailing characters. */
+@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+
+ if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) {
+ if (ctxt->context != NULL)
+- ctxt->context->depth = 0;
++ oldDepth = ctxt->context->depth;
+ xmlXPathOptimizeExpression(ctxt,
+ &ctxt->comp->steps[ctxt->comp->last]);
++ if (ctxt->context != NULL)
++ ctxt->context->depth = oldDepth;
+ }
+ }
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/series
libxml2-2.9.14+dfsg/debian/patches/series
--- libxml2-2.9.14+dfsg/debian/patches/series 2025-08-25 13:25:27.000000000
+0200
+++ libxml2-2.9.14+dfsg/debian/patches/series 2025-10-11 14:41:17.000000000
+0200
@@ -24,3 +24,4 @@
CVE-2025-6170.patch
CVE-2025-49794_CVE-2025-49796.patch
CVE-2025-7425.patch
+CVE-2025-9714.patch
signature.asc
Description: PGP signature
--- End Message ---
