From 56e5f738b38c68ee30e9dc175a8bee3905d36ae1 Mon Sep 17 00:00:00 2001 From: David King Date: Tue, 5 Aug 2025 17:55:22 +0100 Subject: [PATCH] Fix CVE-2025-32414 (RHEL-99873) Resolves: RHEL-99873 --- libxml2-2.9.13-CVE-2025-32414.patch | 60 +++++++++++++++++++++++++++++ libxml2.spec | 3 ++ 2 files changed, 63 insertions(+) create mode 100644 libxml2-2.9.13-CVE-2025-32414.patch diff --git a/libxml2-2.9.13-CVE-2025-32414.patch b/libxml2-2.9.13-CVE-2025-32414.patch new file mode 100644 index 0000000..c163feb --- /dev/null +++ b/libxml2-2.9.13-CVE-2025-32414.patch @@ -0,0 +1,60 @@ +diff --git a/python/libxml.c b/python/libxml.c +index 5dea5026..478af305 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -237,7 +237,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileReadRaw: result is NULL\n"); + return(-1); +@@ -272,10 +274,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileReadRaw: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +@@ -299,7 +303,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileRead: result is NULL\n"); + return(-1); +@@ -334,10 +340,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileRead: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } diff --git a/libxml2.spec b/libxml2.spec index a4f725c..672ef0b 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -39,6 +39,8 @@ Patch14: libxml2-2.9.13-CVE-2025-49794.patch Patch15: libxml2-2.9.13-CVE-2025-7425.patch # https://issues.redhat.com/browse/RHEL-100182 Patch16: libxml2-2.12.5-CVE-2025-32415.patch +# https://issues.redhat.com/browse/RHEL-99873 +Patch17: libxml2-2.9.13-CVE-2025-32414.patch BuildRequires: cmake-rpm-macros BuildRequires: gcc @@ -169,6 +171,7 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %changelog * Tue Aug 05 2025 David King - 2.9.13-12 - Fix CVE-2025-32415 (RHEL-100182) +- Fix CVE-2025-32414 (RHEL-99873) * Mon Jul 21 2025 David King - 2.9.13-11 - Fix CVE-2025-7425 (RHEL-102806)