[xml/sgml-pkgs] Bug#1107938: libxml2: CVE-2025-6170
Salvatore Bonaccorso
carnil at debian.org
Tue Jun 17 19:48:48 BST 2025
Hi,
On Tue, Jun 17, 2025 at 08:45:12PM +0200, Salvatore Bonaccorso wrote:
> Source: libxml2
> Version: 2.12.7+dfsg+really2.9.14-1
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for libxml2.
>
> CVE-2025-6170[0]:
> | A flaw was found in the interactive shell of the xmllint command-
> | line tool, used for parsing XML files. When a user inputs an overly
> | long command, the program does not check the input size properly,
> | which can cause it to crash. This issue might allow attackers to run
> | harmful code in rare configurations without modern protections.
Forgot to mention that the code moved from xmllint.c to shell.c later
on, but looks to me that older versions are affected in same way
before the code move.
Regards,
Salvatore
More information about the debian-xml-sgml-pkgs
mailing list