From 089ccc9be7466be5df150e1a6fdb4ad2dfefe562 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Thu, 12 Jun 2025 00:33:59 +0000
Subject: [PATCH] import UBI libxml2-2.9.7-20.el8_10

---
 SOURCES/libxml2-2.9.13-CVE-2025-32414.patch | 73 +++++++++++++++++++++
 SPECS/libxml2.spec                          |  7 +-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/libxml2-2.9.13-CVE-2025-32414.patch

diff --git a/SOURCES/libxml2-2.9.13-CVE-2025-32414.patch b/SOURCES/libxml2-2.9.13-CVE-2025-32414.patch
new file mode 100644
index 0000000..6ad218b
--- /dev/null
+++ b/SOURCES/libxml2-2.9.13-CVE-2025-32414.patch
@@ -0,0 +1,73 @@
+From c0fa8ea4b9a3fc0043e95622dcc4bf0a96199d57 Mon Sep 17 00:00:00 2001
+From: Maks Verver <maks@verver.ch>
+Date: Mon, 9 Jun 2025 20:09:17 +0100
+Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
+
+Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
+---
+ python/libxml.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/python/libxml.c b/python/libxml.c
+index ef630254..f31e080f 100644
+--- a/python/libxml.c
++++ b/python/libxml.c
+@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ #endif
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len);
++    /* When read() returns a string, the length is in characters not bytes, so
++       request at most len / 4 characters to leave space for UTF-8 encoding. */
++    ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+ 	printf("xmlPythonFileReadRaw: result is NULL\n");
+ 	return(-1);
+@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ 	Py_DECREF(ret);
+ 	return(-1);
+     }
+-    if (lenread > len)
+-	memcpy(buffer, data, len);
+-    else
+-	memcpy(buffer, data, lenread);
++    if (lenread < 0 || lenread > len) {
++	printf("xmlPythonFileReadRaw: invalid lenread\n");
++	Py_DECREF(ret);
++	return(-1);
++    }
++    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }
+@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ #endif
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
++    /* When read() returns a string, the length is in characters not bytes, so
++       request at most len / 4 characters to leave space for UTF-8 encoding. */
++    ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+ 	printf("xmlPythonFileRead: result is NULL\n");
+ 	return(-1);
+@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ 	Py_DECREF(ret);
+ 	return(-1);
+     }
+-    if (lenread > len)
+-	memcpy(buffer, data, len);
+-    else
+-	memcpy(buffer, data, lenread);
++    if (lenread < 0 || lenread > len) {
++	printf("xmlPythonFileRead: invalid lenread\n");
++	Py_DECREF(ret);
++	return(-1);
++    }
++    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }
+-- 
+2.49.0
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 9b392dd..66fece8 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -7,7 +7,7 @@
 
 Name:           libxml2
 Version:        2.9.7
-Release:        19%{?dist}
+Release:        20%{?dist}
 Summary:        Library providing XML and HTML support
 
 License:        MIT
@@ -70,6 +70,8 @@ Patch26:         libxml2-2.9.13-CVE-2022-49043.patch
 Patch27:        libxml2-2.9.13-CVE-2024-56171.patch
 # https://issues.redhat.com/browse/RHEL-80137
 Patch28:        libxml2-2.9.13-CVE-2025-24928.patch
+# https://issues.redhat.com/browse/RHEL-88198
+Patch29:         libxml2-2.9.13-CVE-2025-32414.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake-rpm-macros
@@ -241,6 +243,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 
 %changelog
+* Thu Jun 05 2025 David King <dking@redhat.com> - 2.9.7-20
+- Fix CVE-2025-32414 (RHEL-88198)
+
 * Tue Mar 11 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.9.7-19
 - Fix CVE-2024-56171 (RHEL-80122)
 - Fix CVE-2025-24928 (RHEL-80137)