Conversation
Edited 1 month ago
"Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt."

https://www.openwall.com/lists/oss-security/2025/07/11/2

CVE-2025-7424 CVE-2025-7425

#OSS #FOSS

@buherator Did I read https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 correctly that they disclosed this even though some affected browser vendor (cough cough) is still affected? Feeling bad for them.

@freddy Umm, you mean Safari? :) Their latest security release was on 12th May, within the disclosure window but surely close to the initial disclosure...

BTW, these are the talk & slides by @ifsecure:
https://www.youtube.com/watch?v=U1kc7fcF5Ao
https://docs.google.com/presentation/d/1pAosPlKUw4uI5lfg7FVheTZAtI5mUy8iDeE4znprV34/edit

@buherator @ifsecure I was thinking of https://gitlab.gnome.org/GNOME/libxslt/-/issues/139#note_2421963 in particular.

(I did see the presentation, I was there :))


@buherator @ifsecure The CVE ID was just assigned last week, which doesn't make it a useful search term.


@buherator @ifsecure I mean there are lots of empty phrases in the advisories, like
> Impact: Processing maliciously crafted web content may lead to memory corruption
> Description: The issue was addressed with improved memory handling.

That's like... 90% of all browser bugs?

@freddy Yeah that one caught my eye too, and based on the timeline I agree that it's likely unfixed.

(I linked the talk FTR and so that I can tag in @ifsecure in case he has some more info :))

@buherator @freddy
CVE-2025-7424 appears to be fixed in today's Apple update :)


@ifsecure @buherator thanks. Surprisingly long to leave it unpatched?

@freddy @ifsecure Here's the official announcement, FTR: https://www.mail-archive.com/security-announce@lists.apple.com/msg00842.html (APPLE-SA-07-30-2025-1 Safari 18.6)

Based on the previously linked issue it looks like the patch window was this big due to the misalignment of patch cycles, no?