diff --git a/libxml2-2.9.13-CVE-2025-32414.patch b/libxml2-2.9.13-CVE-2025-32414.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ad218b4b35d419516eb81b1f98453ac499c32ca --- /dev/null +++ b/libxml2-2.9.13-CVE-2025-32414.patch @@ -0,0 +1,73 @@ +From c0fa8ea4b9a3fc0043e95622dcc4bf0a96199d57 Mon Sep 17 00:00:00 2001 +From: Maks Verver +Date: Mon, 9 Jun 2025 20:09:17 +0100 +Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters. + +Fixes #889 by reserving space in the buffer for UTF-8 encoding of text. +--- + python/libxml.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/python/libxml.c b/python/libxml.c +index ef630254..f31e080f 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileReadRaw: result is NULL\n"); + return(-1); +@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileReadRaw: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileRead: result is NULL\n"); + return(-1); +@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileRead: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +-- +2.49.0 + diff --git a/libxml2.spec b/libxml2.spec index 0df273589d9601e77be67a5d1e2e4c099606a705..0a99d770f710a3623551a3fecbadd696f9468913 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -9,7 +9,7 @@ Name: libxml2 Version: 2.9.7 -Release: 19%{anolis_release}%{?dist} +Release: 20%{anolis_release}%{?dist} Summary: Library providing XML and HTML support License: MIT @@ -72,6 +72,8 @@ Patch26: libxml2-2.9.13-CVE-2022-49043.patch Patch27: libxml2-2.9.13-CVE-2024-56171.patch # https://issues.redhat.com/browse/RHEL-80137 Patch28: libxml2-2.9.13-CVE-2025-24928.patch +# https://issues.redhat.com/browse/RHEL-88198 +Patch29: libxml2-2.9.13-CVE-2025-32414.patch # Add by Anolis Patch1000: 0001-modify-home-page.patch @@ -247,10 +249,13 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog -* Fri Mar 14 2025 Mahailiang - 2.9.7-19.0.1 +* Mon Jun 16 2025 Mahailiang - 2.9.7-20.0.1 - Modify home page - Replace logo in html doc with anolis.gif +* Thu Jun 05 2025 David King - 2.9.7-20 +- Fix CVE-2025-32414 (RHEL-88198) + * Tue Mar 11 2025 Michael Catanzaro - 2.9.7-19 - Fix CVE-2024-56171 (RHEL-80122) - Fix CVE-2025-24928 (RHEL-80137)