CVE-2024-25062

Name	CVE-2024-25062
Description	An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	ELA-1227-1
Debian Bugs	1063234

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libxml2 (PTS)	jessie, jessie (lts)	2.9.1+dfsg1-5+deb8u17	fixed
	stretch (security)	2.9.4+dfsg1-2.2+deb9u7	vulnerable
	stretch (lts), stretch	2.9.4+dfsg1-2.2+deb9u11	vulnerable
	buster, buster (lts)	2.9.4+dfsg1-7+deb10u9	fixed
	buster (security)	2.9.4+dfsg1-7+deb10u6	vulnerable
	bullseye	2.9.10+dfsg-6.7+deb11u4	vulnerable
	bullseye (security)	2.9.10+dfsg-6.7+deb11u5	vulnerable
	bookworm	2.9.14+dfsg-1.3~deb12u1	vulnerable
	sid, trixie	2.12.7+dfsg+really2.9.14-0.2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
libxml2	source	experimental	2.12.5+dfsg-0exp1
libxml2	source	jessie	2.9.1+dfsg1-5+deb8u17	ELA-1227-1
libxml2	source	buster	2.9.4+dfsg1-7+deb10u9	ELA-1227-1
libxml2	source	(unstable)	(unfixed)		1063234

Notes

[bookworm] - libxml2 <no-dsa> (Minor issue)
[bullseye] - libxml2 <no-dsa> (Minor issue)
[buster] - libxml2 <no-dsa> (Minor issue)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7 (v2.11.7)
https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970884fcc13305cb8e23cdc5f0dd7667c2c (v2.12.5)
[stretch] - libxml2 <no-dsa> (Minor issue; follow bookworm, bullseye, and buster)