fix CVE-2025-32414, CVE-2025-32415
This commit is contained in:
Funda Wang
parent
53eaa56cd2
commit
de6e19b0d9
73
backport-CVE-2025-32414.patch
Normal file
73
backport-CVE-2025-32414.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
|
||||
From: Maks Verver <maks@verver.ch>
|
||||
Date: Tue, 8 Apr 2025 13:13:55 +0200
|
||||
Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
|
||||
|
||||
Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
|
||||
---
|
||||
python/libxml.c | 28 ++++++++++++++++++----------
|
||||
1 file changed, 18 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/python/libxml.c b/python/libxml.c
|
||||
index 1fe8d6850..2bf140786 100644
|
||||
--- a/python/libxml.c
|
||||
+++ b/python/libxml.c
|
||||
@@ -266,7 +266,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
|
||||
#endif
|
||||
file = (PyObject *) context;
|
||||
if (file == NULL) return(-1);
|
||||
- ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len);
|
||||
+ /* When read() returns a string, the length is in characters not bytes, so
|
||||
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
|
||||
+ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
|
||||
if (ret == NULL) {
|
||||
printf("xmlPythonFileReadRaw: result is NULL\n");
|
||||
return(-1);
|
||||
@@ -301,10 +303,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
|
||||
Py_DECREF(ret);
|
||||
return(-1);
|
||||
}
|
||||
- if (lenread > len)
|
||||
- memcpy(buffer, data, len);
|
||||
- else
|
||||
- memcpy(buffer, data, lenread);
|
||||
+ if (lenread < 0 || lenread > len) {
|
||||
+ printf("xmlPythonFileReadRaw: invalid lenread\n");
|
||||
+ Py_DECREF(ret);
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ memcpy(buffer, data, lenread);
|
||||
Py_DECREF(ret);
|
||||
return(lenread);
|
||||
}
|
||||
@@ -331,7 +335,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
|
||||
#endif
|
||||
file = (PyObject *) context;
|
||||
if (file == NULL) return(-1);
|
||||
- ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
|
||||
+ /* When io_read() returns a string, the length is in characters not bytes, so
|
||||
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
|
||||
+ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
|
||||
if (ret == NULL) {
|
||||
printf("xmlPythonFileRead: result is NULL\n");
|
||||
return(-1);
|
||||
@@ -366,10 +372,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
|
||||
Py_DECREF(ret);
|
||||
return(-1);
|
||||
}
|
||||
- if (lenread > len)
|
||||
- memcpy(buffer, data, len);
|
||||
- else
|
||||
- memcpy(buffer, data, lenread);
|
||||
+ if (lenread < 0 || lenread > len) {
|
||||
+ printf("xmlPythonFileRead: invalid lenread\n");
|
||||
+ Py_DECREF(ret);
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ memcpy(buffer, data, lenread);
|
||||
Py_DECREF(ret);
|
||||
return(lenread);
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
|
||||
38
backport-CVE-2025-32415.patch
Normal file
38
backport-CVE-2025-32415.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 6 Apr 2025 12:41:11 +0200
|
||||
Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in
|
||||
xmlSchemaIDCFillNodeTables
|
||||
|
||||
Don't use local variable which could contain a stale value.
|
||||
|
||||
Fixes #890.
|
||||
---
|
||||
xmlschemas.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xmlschemas.c b/xmlschemas.c
|
||||
index e35c117ef..4bdabd129 100644
|
||||
--- a/xmlschemas.c
|
||||
+++ b/xmlschemas.c
|
||||
@@ -23324,7 +23324,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
|
||||
j++;
|
||||
} while (j < nbDupls);
|
||||
}
|
||||
- if (nbNodeTable) {
|
||||
+ if (bind->nbNodes) {
|
||||
j = 0;
|
||||
do {
|
||||
if (nbFields == 1) {
|
||||
@@ -23375,7 +23375,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
|
||||
|
||||
next_node_table_entry:
|
||||
j++;
|
||||
- } while (j < nbNodeTable);
|
||||
+ } while (j < bind->nbNodes);
|
||||
}
|
||||
/*
|
||||
* If everything is fine, then add the IDC target-node to
|
||||
--
|
||||
GitLab
|
||||
|
||||
11
libxml2.spec
11
libxml2.spec
@ -1,7 +1,7 @@
|
||||
Summary: Library providing XML and HTML support
|
||||
Name: libxml2
|
||||
Version: 2.11.5
|
||||
Release: 5
|
||||
Release: 6
|
||||
License: MIT
|
||||
Group: Development/Libraries
|
||||
Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz
|
||||
@ -16,6 +16,8 @@ Patch6: backport-CVE-2024-40896.patch
|
||||
Patch7: backport-CVE-2024-56171.patch
|
||||
Patch8: backport-CVE-2025-24928.patch
|
||||
Patch9: backport-CVE-2025-27113.patch
|
||||
Patch10: backport-CVE-2025-32414.patch
|
||||
Patch11: backport-CVE-2025-32415.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||
BuildRequires: python3-devel
|
||||
@ -167,6 +169,13 @@ rm -fr %{buildroot}
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Apr 14 2025 Funda Wang <fundawang@yeah.net> - 2.11.5-6
|
||||
- Type:CVE
|
||||
- CVE:CVE-2025-32414
|
||||
- CVE:CVE-2025-32415
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2025-32414, CVE-2025-32415
|
||||
|
||||
* Wed Feb 19 2025 Funda Wang <fundawang@yeah.net> - 2.11.5-5
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-56171
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user