Our QA found that the reproducer in CVE-2012-2825 (magic.xsl and magic.xml)
also expose another libxslt crash in older libxslt versions.

https://bugzilla.novell.com/show_bug.cgi?id=849019

This bug was fixed in libxslt 1.1.25 with this commit:
https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa

	/*
4945 	4947 	* This is an element which will be output as part of the
4946 	4948 	* template exectution, precompile AVT if found.
4947 	4949 	*/
4948 		if ((cur->ns == NULL) && (style->defaultAlias != NULL) &&
4949 		(cur->type == XML_ELEMENT_NODE)) {
	4950 	if ((cur->ns == NULL) && (style->defaultAlias != NULL)) {
4950 	4951 	cur->ns = xmlSearchNsByHref(cur->doc, cur,
4951 	4952 	style->defaultAlias);
4952 	4953 	}


commit 7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
Author: Martin <gzlist () googlemail com>
Date:   Wed Sep 16 19:02:16 2009 +0200

    Crash compiling stylesheet with DTD

    * libxslt/xslt.c: when a stylesheet embbeds a DTD the compilation
      process could get seriously wrong

Crash as a xmlDtd struct is accessed as a xmlNode, not really attacker controllable
I would say, but a denial of service (crash).

Ciao, Marcus