From 8215755596f77c8ac010f74f0cd078a0f98dd56e Mon Sep 17 00:00:00 2001
From: gaochao
Date: Sun, 27 Apr 2025 14:11:01 +0800
Subject: [PATCH 1/2] =?UTF-8?q?libxml2=E5=AE=89=E5=85=A8=E8=A1=A5=E4=B8=81?= =?UTF-8?q?=E5=9B=9E=E5=90=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: gaochao
---
Fix-CVE-2025-32414.patch | 60 ++++++++++++++++++++++++++++++++++++++++
Fix-CVE-2025-32415.patch | 38 +++++++++++++++++++++++++
install.py | 4 ++-
3 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 Fix-CVE-2025-32414.patch
create mode 100644 Fix-CVE-2025-32415.patch
diff --git a/Fix-CVE-2025-32414.patch b/Fix-CVE-2025-32414.patch
new file mode 100644
index 0000000..0657f37
--- /dev/null
+++ b/Fix-CVE-2025-32414.patch
@@ -0,0 +1,60 @@
+diff --git a/python/libxml.c b/python/libxml.c
+index ef63025..4ed6d04 100644
+--- a/python/libxml.c
++++ b/python/libxml.c
+@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ #endif
+ file = (PyObject *) context;
+ if (file == NULL) return(-1);
+- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len);
++ /* When read() returns a string, the length is in characters not bytes, so
++ request at most len / 4 characters to leave space for UTF-8 encoding. */
++ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
+ if (ret == NULL) {
+ printf("xmlPythonFileReadRaw: result is NULL\n");
+ return(-1);
+@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ Py_DECREF(ret);
+ return(-1);
+ }
+- if (lenread > len)
+- memcpy(buffer, data, len);
+- else
+- memcpy(buffer, data, lenread);
++ if (lenread < 0 || lenread > len) {
++ printf("xmlPythonFileReadRaw: invalid lenread\n");
++ Py_DECREF(ret);
++ return(-1);
++ }
++ memcpy(buffer, data, lenread);
+ Py_DECREF(ret);
+ return(lenread);
+ }
+@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ #endif
+ file = (PyObject *) context;
+ if (file == NULL) return(-1);
+- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
++ /* When io_read() returns a string, the length is in characters not bytes, so
++ request at most len / 4 characters to leave space for UTF-8 encoding.
*/
++ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
+ if (ret == NULL) {
+ printf("xmlPythonFileRead: result is NULL\n");
+ return(-1);
+@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ Py_DECREF(ret);
+ return(-1);
+ }
+- if (lenread > len)
+- memcpy(buffer, data, len);
+- else
+- memcpy(buffer, data, lenread);
++ if (lenread < 0 || lenread > len) {
++ printf("xmlPythonFileRead: invalid lenread\n");
++ Py_DECREF(ret);
++ return(-1);
++ }
++ memcpy(buffer, data, lenread);
+ Py_DECREF(ret);
+ return(lenread);
+ }
diff --git a/Fix-CVE-2025-32415.patch b/Fix-CVE-2025-32415.patch
new file mode 100644
index 0000000..084f112
--- /dev/null
+++ b/Fix-CVE-2025-32415.patch
@@ -0,0 +1,38 @@
+From 8ac33b1c821b4e67326e8e416945b31c9537c7c0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sun, 6 Apr 2025 12:41:11 +0200
+Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in
+ xmlSchemaIDCFillNodeTables
+
+Don't use local variable which could contain a stale value.
+
+Fixes #890.
+---
+ xmlschemas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 796e0edf4..6a678ce7d 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23336,7 +23336,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ j++;
+ } while (j < nbDupls);
+ }
+- if (nbNodeTable) {
++ if (bind->nbNodes) {
+ j = 0;
+ do {
+ if (nbFields == 1) {
+@@ -23387,7 +23387,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+
+ next_node_table_entry:
+ j++;
+- } while (j < nbNodeTable);
++ } while (j < bind->nbNodes);
+ }
+ /*
+ * If everything is fine, then add the IDC target-node to
+--
+GitLab
+
diff --git a/install.py b/install.py
index b7ebc78..c514fee 100755
--- a/install.py
+++ b/install.py
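Review bot: The `len / 4` argument in both added `PyObject_CallMethod` calls (xmlPythonFileReadRaw and xmlPythonFileRead) becomes 0 when `len` is less than 4, so `read`/`io_read` would be asked for zero characters and the callback would return 0, which the caller may take for end of input. The caller's smallest buffer size is not visible here, so this is worth confirming and recording next to the existing comment, e.g. `/* len is assumed to be >= 4; a smaller buffer would read nothing */`. The new `lenread < 0 || lenread > len` rejection is what bounds the `memcpy`, and it now fails the read instead of truncating silently. Both function bodies begin and end outside the quoted hunks, so how `lenread` and `data` are obtained cannot be checked from this patch.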
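Review bot: Neither replaced condition in xmlSchemaIDCFillNodeTables carries a comment saying why the count has to be read from `bind` each time, so a later cleanup could bring the cached local back. A short comment above `if (bind->nbNodes) {`, such as `/* use bind->nbNodes directly: nbNodeTable may be stale here */`, would keep the commit message's reason next to the code. The declaration and any other uses of `nbNodeTable` are outside these hunks; if any remain, they deserve the same check.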
@@ -234,7 +234,9 @@ def do_patch(args, target_dir): "Fix-CVE-2025-24928.patch", "Fix-CVE-2025-27113.patch", "Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch", - "Fix-CVE-2019-19956.patch" + "Fix-CVE-2019-19956.patch", + "Fix-CVE-2025-32414.patch", + "Fix-CVE-2025-32415.patch" ] for patch in patch_file: -- Gitee From 9d6518aa344057782c551ead9326c0a63311013d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=AB=98=E8=B6=85?= Date: Sun, 27 Apr 2025 07:54:00 +0000 Subject: [PATCH 2/2] update Fix-CVE-2025-32414.patch. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 高超 --- Fix-CVE-2025-32414.patch | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/Fix-CVE-2025-32414.patch b/Fix-CVE-2025-32414.patch index 0657f37..1977bd9 100644 --- a/Fix-CVE-2025-32414.patch +++ b/Fix-CVE-2025-32414.patch @@ -1,5 +1,5 @@ diff --git a/python/libxml.c b/python/libxml.c -index ef63025..4ed6d04 100644 +index ef63025..2c1e95e 100644 --- a/python/libxml.c +++ b/python/libxml.c @@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { @@ -22,9 +22,9 @@ index ef63025..4ed6d04 100644 - else - memcpy(buffer, data, lenread); + if (lenread < 0 || lenread > len) { -+ printf("xmlPythonFileReadRaw: invalid lenread\n"); -+ Py_DECREF(ret); -+ return(-1); ++ printf("xmlPythonFileReadRaw: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); + } + memcpy(buffer, data, lenread); Py_DECREF(ret); @@ -50,11 +50,12 @@ index ef63025..4ed6d04 100644 - else - memcpy(buffer, data, lenread); + if (lenread < 0 || lenread > len) { -+ printf("xmlPythonFileRead: invalid lenread\n"); -+ Py_DECREF(ret); -+ return(-1); ++ printf("xmlPythonFileRead: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); + } + memcpy(buffer, data, lenread); Py_DECREF(ret); return(lenread); } + -- Gitee
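Review bot: Whether a listed patch that fails to apply stops the install cannot be seen from the install.py hunk, because the body of `for patch in patch_file:` lies outside it. For the two CVE fixes added to the list that matters: a build that carries on after a failed apply would ship libxml2 without them. It is worth confirming that do_patch checks the exit status of the patch command and aborts with an error naming the file.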