On 6/16/25 15:12, Alan Coopersmith wrote:
BTW, users of libxml2 may also be using its sibling project, libxslt,
which currently has no active maintainer, but has three unfixed security issues
reported against it according to
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

2 of the 3 have now been disclosed:

(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and 
source nodes
https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
https://project-zero.issues.chromium.org/issues/409761909

(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` 
corruption
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369

Engineers from Apple & Google have proposed patches in the GNOME gitlab issues,
but neither has had a fix applied to the git repo since there is currently no
maintainer for libxslt.

--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Reply via email to