Our QA found that the reproducer in CVE-2012-2825 (magic.xsl and magic.xml)
also exposes another libxslt crash in older libxslt versions.
https://bugzilla.novell.com/show_bug.cgi?id=849019
This bug was fixed in libxslt 1.1.25 with this commit:
https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
/*
4945 4947 * This is an element which will be output as part of the
4946 4948 * template exectution, precompile AVT if found.
4947 4949 */
4948 if ((cur->ns == NULL) && (style->defaultAlias != NULL) &&
4949 (cur->type == XML_ELEMENT_NODE)) {
4950 if ((cur->ns == NULL) && (style->defaultAlias != NULL)) {
4950 4951 cur->ns = xmlSearchNsByHref(cur->doc, cur,
4951 4952 style->defaultAlias);
4952 4953 }
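Review bot: in the condition that carries `cur->type == XML_ELEMENT_NODE`, the type test is the last operand, so `cur->ns` is still read before the node is known to be an element. Put the type test first so that no element-only field is read on a node of another type. The context comment in this hunk also misspells "execution" as `exectution`.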
commit 7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
Author: Martin <gzlist () googlemail com>
Date: Wed Sep 16 19:02:16 2009 +0200
Crash compiling stylesheet with DTD
* libxslt/xslt.c: when a stylesheet embeds a DTD the compilation
process could get seriously wrong
Crash as an xmlDtd struct is accessed as an xmlNode, not really attacker controllable
I would say, but a denial of service (crash).
Ciao, Marcus
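
The type confusion described in this message, as an added example that is not part of the original post or of libxslt: a node walker that checks the type tag before touching an element-only field. The structs are simplified stand-ins for xmlNode and xmlDtd, and `apply_default_alias`, `demo` and the sample values are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins (assumption), not libxml2's definitions. Both
 * structs share a header and differ in the slot that follows it. */
enum node_type { ELEMENT_NODE = 1, DTD_NODE = 14 };
struct ns { const char *href; };
struct node {                 /* plays the role of xmlNode */
    enum node_type type;
    const char *name;
    struct node *next;
    struct ns *ns;            /* only meaningful for elements */
};
struct dtd {                  /* plays the role of xmlDtd */
    enum node_type type;
    const char *name;
    struct node *next;
    void *notations;          /* sits where struct node keeps ns */
};
union any_node { struct node node; struct dtd dtd; };

/* Hypothetical helper: give namespace-less element nodes the default
 * alias namespace. The type test comes first, so the ns slot is never
 * read or written on a node that is not an element. */
static int apply_default_alias(struct node *first, struct ns *alias)
{
    int updated = 0;
    for (struct node *cur = first; cur != NULL; cur = cur->next) {
        if (cur->type == ELEMENT_NODE && cur->ns == NULL && alias != NULL) {
            cur->ns = alias;
            updated++;
        }
    }
    return updated;
}

/* Constructed input: a DTD node followed by one element, as when a
 * stylesheet embeds a DTD. Returns 1 if only the element was changed. */
static int demo(void)
{
    static struct ns alias = { "urn:example:alias" };
    union any_node doctype, elem;
    memset(&doctype, 0, sizeof doctype);
    memset(&elem, 0, sizeof elem);
    doctype.dtd.type = DTD_NODE;
    doctype.dtd.next = &elem.node;
    elem.node.type = ELEMENT_NODE;
    int n = apply_default_alias(&doctype.node, &alias);
    return n == 1 && elem.node.ns == &alias && doctype.dtd.notations == NULL;
}

int main(void) { return demo() ? 0 : 1; }
```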