rpms/libxml2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2025-32414 (RHEL-99861)

Browse Source 
Resolves: RHEL-99861
This commit is contained in:
David King 2025-08-05 17:55:22 +01:00
parent 0df806c015
commit ebbfee12e4
2 changed files with 76 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
libxml2-2.12.5-CVE-2025-32414.patch Normal file
View File

@ -0,0 +1,73 @@
From 443a9c89115203e5bd88fb136e256267b90cb78e Mon Sep 17 00:00:00 2001
From: Maks Verver <maks@verver.ch>
Date: Tue, 8 Apr 2025 13:13:55 +0200
Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
---
python/libxml.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/python/libxml.c b/python/libxml.c
index 98f04b6b2..16f7c9953 100644
--- a/python/libxml.c
+++ b/python/libxml.c
@@ -237,7 +237,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
file = (PyObject *) context;
if (file == NULL) return(-1);
- ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len);
+ /* When read() returns a string, the length is in characters not bytes, so
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
+ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
if (ret == NULL) {
printf("xmlPythonFileReadRaw: result is NULL\n");
return(-1);
@@ -272,10 +274,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
Py_DECREF(ret);
return(-1);
}
- if (lenread > len)
- memcpy(buffer, data, len);
- else
- memcpy(buffer, data, lenread);
+ if (lenread < 0 || lenread > len) {
+ printf("xmlPythonFileReadRaw: invalid lenread\n");
+ Py_DECREF(ret);
+ return(-1);
+ }
+ memcpy(buffer, data, lenread);
Py_DECREF(ret);
return(lenread);
}
@@ -299,7 +303,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
file = (PyObject *) context;
if (file == NULL) return(-1);
- ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
+ /* When io_read() returns a string, the length is in characters not bytes, so
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
+ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
if (ret == NULL) {
printf("xmlPythonFileRead: result is NULL\n");
return(-1);
@@ -334,10 +340,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
Py_DECREF(ret);
return(-1);
}
- if (lenread > len)
- memcpy(buffer, data, len);
- else
- memcpy(buffer, data, lenread);
+ if (lenread < 0 || lenread > len) {
+ printf("xmlPythonFileRead: invalid lenread\n");
+ Py_DECREF(ret);
+ return(-1);
+ }
+ memcpy(buffer, data, lenread);
Py_DECREF(ret);
return(lenread);
}
--
GitLab

3
libxml2.spec
View File

@ -35,6 +35,8 @@ Patch7: libxml2-2.12.5-CVE-2025-49795.patch
Patch8: libxml2-2.12.5-CVE-2025-7425.patch
# https://issues.redhat.com/browse/RHEL-100174
Patch9: libxml2-2.12.5-CVE-2025-32415.patch
# https://issues.redhat.com/browse/RHEL-99861
Patch10: libxml2-2.12.5-CVE-2025-32414.patch
BuildRequires: cmake-rpm-macros
BuildRequires: gcc
@ -177,6 +179,7 @@ popd
%changelog
* Tue Aug 05 2025 David King <dking@redhat.com> - 2.12.5-9
- Fix CVE-2025-32415 (RHEL-100174)
- Fix CVE-2025-32414 (RHEL-99861)
* Mon Jul 21 2025 David King <dking@redhat.com> - 2.12.5-8
- Fix CVE-2025-7425 (RHEL-102794)