MIRRORS/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky.git synced 2025-07-19 21:09:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

libxml2: patch CVE-2025-32414

Browse Source 
Pick commit from 2.12 branch as 2.9 branch is unmaintained now.

(From OE-Core rev: fbd708438aba0381a6c4f3d6cfbbd743f89a4f97)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko 2025-04-27 18:34:46 +02:00 committed by Steve Sakoman
parent 68f82bca13
commit 2d34048266
2 changed files with 75 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch Normal file
View File

@ -0,0 +1,74 @@
From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
From: Maks Verver <maks@verver.ch>
Date: Tue, 8 Apr 2025 13:13:55 +0200
Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
CVE: CVE-2025-32414
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
python/libxml.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/python/libxml.c b/python/libxml.c
index 1fe8d685..2bf14078 100644
--- a/python/libxml.c
+++ b/python/libxml.c
@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
#endif
file = (PyObject *) context;
if (file == NULL) return(-1);
- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len);
+ /* When read() returns a string, the length is in characters not bytes, so
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
+ ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
if (ret == NULL) {
printf("xmlPythonFileReadRaw: result is NULL\n");
return(-1);
@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
Py_DECREF(ret);
return(-1);
}
- if (lenread > len)
- memcpy(buffer, data, len);
- else
- memcpy(buffer, data, lenread);
+ if (lenread < 0 || lenread > len) {
+ printf("xmlPythonFileReadRaw: invalid lenread\n");
+ Py_DECREF(ret);
+ return(-1);
+ }
+ memcpy(buffer, data, lenread);
Py_DECREF(ret);
return(lenread);
}
@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
#endif
file = (PyObject *) context;
if (file == NULL) return(-1);
- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
+ /* When io_read() returns a string, the length is in characters not bytes, so
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
+ ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
if (ret == NULL) {
printf("xmlPythonFileRead: result is NULL\n");
return(-1);
@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
Py_DECREF(ret);
return(-1);
}
- if (lenread > len)
- memcpy(buffer, data, len);
- else
- memcpy(buffer, data, lenread);
+ if (lenread < 0 || lenread > len) {
+ printf("xmlPythonFileRead: invalid lenread\n");
+ Py_DECREF(ret);
+ return(-1);
+ }
+ memcpy(buffer, data, lenread);
Py_DECREF(ret);
return(lenread);
}

1
meta/recipes-core/libxml/libxml2_2.9.14.bb
View File

@ -37,6 +37,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2025-27113.patch \
file://CVE-2024-56171.patch \
file://CVE-2025-24928.patch \
file://CVE-2025-32414.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"