libxml2-2.9.1-6.6.0.5.el7.AXS7

エラータID: AXSA:2025-10894:16

Release date: 
Thursday, September 25, 2025 - 15:53
Subject: 
libxml2-2.9.1-6.6.0.5.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DtDs, either
at parse time or later once the document has been modified. The output
can be a simple SAX stream or and in-memory DOM like representations.
In this case one can use the built-in XPath and XPointer implementation
to select sub nodes or ranges. A flexible Input/Output mechanism is
available, with existing HTTP and FTP modules and combined to an
URI library.

Security Fix(es):

* CVE-2025-7425: fix heap-use-after-free in xmlFreeID caused by 'atype'
corruption
* CVE-2025-6021: fix integer overflows in buffer size calculations

CVE(s):
CVE-2025-6021
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
CVE-2025-7425
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Solution: 

Update packages.

CVEs: 
CVE-2025-6021
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
CVE-2025-7425
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
Additional Info: 

N/A

Download: 

Asianux Server 7 for x86_64
  1. libxml2-2.9.1-6.6.0.5.el7.AXS7.i686.rpm
    MD5: f6f8d48bd1f4519d0120716823043544
    SHA-256: e96f3d1ced7399a0cec07e849bf2184ceb44b09be86c6f54666bca1dc6bfed1b
    Size: 656.17 kB
  2. libxml2-2.9.1-6.6.0.5.el7.AXS7.x86_64.rpm
    MD5: e005948738ec7fcfef59da5f3405453a
    SHA-256: e1da98811eba1095fcb8da3be4eef645a19cce303c22e8478bf0b8e787d8d4dd
    Size: 669.79 kB
  3. libxml2-devel-2.9.1-6.6.0.5.el7.AXS7.i686.rpm
    MD5: d67fa6fcfb51c91f3686ba44899b3aac
    SHA-256: d4512670461f1a4ff3434c484ace7f9c9b2d0c93af677175adfefb80a8d88f22
    Size: 1.05 MB
  4. libxml2-devel-2.9.1-6.6.0.5.el7.AXS7.x86_64.rpm
    MD5: ffa25e11ec977b658238c80f578fdd2d
    SHA-256: 4dbc46a802fb8585ab2f7cb8b0874e5dc8d73715857974adc57e5db9758a7cd0
    Size: 1.05 MB
  5. libxml2-python-2.9.1-6.6.0.5.el7.AXS7.x86_64.rpm
    MD5: 56f5f620e285c56ebed805b6c32cd234
    SHA-256: 9cfe6e58f25488ab003e1033dd04e6598efe6906fea25cb424e45993a872fd16
    Size: 248.71 kB