Our QA found that the reproducer in CVE-2012-2825 (magic.xsl and magic.xml) also expose another libxslt crash in older libxslt versions. https://bugzilla.novell.com/show_bug.cgi?id=849019 This bug was fixed in libxslt 1.1.25 with this commit: https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa /* 4945 4947 * This is an element which will be output as part of the 4946 4948 * template exectution, precompile AVT if found. 4947 4949 */ 4948 if ((cur->ns == NULL) && (style->defaultAlias != NULL) && 4949 (cur->type == XML_ELEMENT_NODE)) { 4950 if ((cur->ns == NULL) && (style->defaultAlias != NULL)) { 4950 4951 cur->ns = xmlSearchNsByHref(cur->doc, cur, 4951 4952 style->defaultAlias); 4952 4953 } commit 7089a62b8f133b42a2981cf1f920a8b3fe9a8caa Author: Martin <gzlist () googlemail com> Date: Wed Sep 16 19:02:16 2009 +0200 Crash compiling stylesheet with DTD * libxslt/xslt.c: when a stylesheet embbeds a DTD the compilation process could get seriously wrong Crash as a xmlDtd struct is accessed as a xmlNode, not really attacker controllable I would say, but a denial of service (crash). Ciao, Marcus