microsoft · azurelinux-security · Dec 27, 2025
@@ -0,0 +1,95 @@
+From 240706018d473566623f9175160a3ef0a8342d28 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Sat, 27 Dec 2025 06:27:39 +0000
+Subject: [PATCH] tree: Guard against atype corruption; remove IDs based on
+ actual ID value lookup instead of atype checks in xmlFreeProp, xmlSetTreeDoc,
+ xmlSetNsProp, and before changing atype in validation (backport)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://gitlab.gnome.org/GNOME/libxml2/-/commit/9de92ed78d8495527c5d7a4d0cc76c1f83768195.patch
+---
+ tree.c  | 33 ++++++++++++++++++++++++++-------
+ valid.c |  9 +++++++++
+ 2 files changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 7172c46..daf1a05 100644
+--- a/tree.c
++++ b/tree.c
+@@ -2128,8 +2128,14 @@ xmlFreeProp(xmlAttrPtr cur) {
+ 	xmlDeregisterNodeDefaultValue((xmlNodePtr)cur);
+
+     /* Check for ID removal -> leading to invalid references ! */
+-    if ((cur->doc != NULL) && (cur->atype == XML_ATTRIBUTE_ID)) {
+-	    xmlRemoveID(cur->doc, cur);
++    if (cur->doc != NULL) {
++        xmlChar *idval = xmlNodeListGetString(cur->doc, cur->children, 1);
++        if (idval != NULL) {
++            xmlAttrPtr idattr = xmlGetID(cur->doc, idval);
++            xmlFree(idval);
++            if (idattr == cur)
++                xmlRemoveID(cur->doc, cur);
++        }
+     }
+     if (cur->children != NULL) xmlFreeNodeList(cur->children);
+     DICT_FREE(cur->name)
+@@ -2877,8 +2883,14 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
+ 	if(tree->type == XML_ELEMENT_NODE) {
+ 	    prop = tree->properties;
+ 	    while (prop != NULL) {
+-                if (prop->atype == XML_ATTRIBUTE_ID) {
+-                    xmlRemoveID(tree->doc, prop);
++                if (tree->doc != NULL) {
++                    xmlChar *idval = xmlNodeListGetString(tree->doc, prop->children, 1);
++                    if (idval != NULL) {
++                        xmlAttrPtr idattr = xmlGetID(tree->doc, idval);
++                        xmlFree(idval);
++                        if (idattr == prop)
++                            xmlRemoveID(tree->doc, prop);
++                    }
+                 }
+
+                 if (prop->doc != doc) {
+@@ -7026,9 +7038,16 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name,
+ 	/*
+ 	* Modify the attribute's value.
+ 	*/
+-	if (prop->atype == XML_ATTRIBUTE_ID) {
+-	    xmlRemoveID(node->doc, prop);
+-	    prop->atype = XML_ATTRIBUTE_ID;
++	if (node->doc != NULL) {
++	    xmlChar *idval = xmlNodeListGetString(node->doc, prop->children, 1);
++	    if (idval != NULL) {
++	        xmlAttrPtr idattr = xmlGetID(node->doc, idval);
++	        xmlFree(idval);
++	        if (idattr == prop) {
++	            xmlRemoveID(node->doc, prop);
++	            prop->atype = XML_ATTRIBUTE_ID;
++	        }
++	    }
+ 	}
+ 	if (prop->children != NULL)
+ 	    xmlFreeNodeList(prop->children);
+diff --git a/valid.c b/valid.c
+index 7eb2dd3..1389ade 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4492,6 +4492,15 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ 	       attr->name, elem->name, NULL);
+ 	return(0);
+     }
++    if (doc != NULL) {
++        xmlChar *idval = xmlNodeListGetString(doc, attr->children, 1);
++        if (idval != NULL) {
++            xmlAttrPtr idattr = xmlGetID(doc, idval);
++            xmlFree(idval);
++            if (idattr == attr)
++                xmlRemoveID(doc, attr);
++        }
++    }
+     attr->atype = attrDecl->atype;
+
+     val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.11.5
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -21,6 +21,7 @@ Patch9:         CVE-2025-6021.patch
 Patch10:        CVE-2025-6170.patch
 Patch11:        CVE-2025-49794_CVE-2025-49796.patch
 Patch12:        CVE-2025-49795.patch
+Patch13:        CVE-2025-7425.patch
 
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
@@ -92,6 +93,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Sat Dec 27 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.11.5-8
+- Patch for CVE-2025-7425
+
 * Wed Oct 29 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.11.5-7
 - Patch for CVE-2025-49795
 

@@ -203,8 +203,8 @@ curl-8.11.1-4.azl3.aarch64.rpm
 curl-devel-8.11.1-4.azl3.aarch64.rpm
 curl-libs-8.11.1-4.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
-libxml2-2.11.5-7.azl3.aarch64.rpm
-libxml2-devel-2.11.5-7.azl3.aarch64.rpm
+libxml2-2.11.5-8.azl3.aarch64.rpm
+libxml2-devel-2.11.5-8.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-2.azl3.aarch64.rpm

@@ -203,8 +203,8 @@ curl-8.11.1-4.azl3.x86_64.rpm
 curl-devel-8.11.1-4.azl3.x86_64.rpm
 curl-libs-8.11.1-4.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
-libxml2-2.11.5-7.azl3.x86_64.rpm
-libxml2-devel-2.11.5-7.azl3.x86_64.rpm
+libxml2-2.11.5-8.azl3.x86_64.rpm
+libxml2-devel-2.11.5-8.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-2.azl3.x86_64.rpm

@@ -242,9 +242,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm
 libxcrypt-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
-libxml2-2.11.5-7.azl3.aarch64.rpm
-libxml2-debuginfo-2.11.5-7.azl3.aarch64.rpm
-libxml2-devel-2.11.5-7.azl3.aarch64.rpm
+libxml2-2.11.5-8.azl3.aarch64.rpm
+libxml2-debuginfo-2.11.5-8.azl3.aarch64.rpm
+libxml2-devel-2.11.5-8.azl3.aarch64.rpm
 libxslt-1.1.43-3.azl3.aarch64.rpm
 libxslt-debuginfo-1.1.43-3.azl3.aarch64.rpm
 libxslt-devel-1.1.43-3.azl3.aarch64.rpm
@@ -543,7 +543,7 @@ python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libs-3.12.9-6.azl3.aarch64.rpm
-python3-libxml2-2.11.5-7.azl3.aarch64.rpm
+python3-libxml2-2.11.5-8.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm

@@ -247,9 +247,9 @@ libtasn1-debuginfo-4.19.0-2.azl3.x86_64.rpm
 libtasn1-devel-4.19.0-2.azl3.x86_64.rpm
 libtool-2.4.7-1.azl3.x86_64.rpm
 libtool-debuginfo-2.4.7-1.azl3.x86_64.rpm
-libxml2-2.11.5-7.azl3.x86_64.rpm
-libxml2-debuginfo-2.11.5-7.azl3.x86_64.rpm
-libxml2-devel-2.11.5-7.azl3.x86_64.rpm
+libxml2-2.11.5-8.azl3.x86_64.rpm
+libxml2-debuginfo-2.11.5-8.azl3.x86_64.rpm
+libxml2-devel-2.11.5-8.azl3.x86_64.rpm
 libxcrypt-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm
@@ -551,7 +551,7 @@ python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
 python3-libs-3.12.9-6.azl3.x86_64.rpm
-python3-libxml2-2.11.5-7.azl3.x86_64.rpm
+python3-libxml2-2.11.5-8.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm