libxml2: patch CVE-2025-32414

Pick commit from 2.12 branch as 2.9 branch is unmaintained now. (From OE-Core rev: fbd708438aba0381a6c4f3d6cfbbd743f89a4f97) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-04-27 18:34:46 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-05-02 08:12:41 -0700
commit: 2d34048266ba9c9b50f898360a8865fc6b055f48 (patch)
tree: c0244070fc984f47a03ad670e6ec71747424bc0e
parent: 68f82bca137634f4ef7d71c91fbe7f9ed19d8464 (diff)
download: poky-2d34048266ba9c9b50f898360a8865fc6b055f48.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
new file mode 100644
index 0000000000..23a2316672
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
@@ -0,0 +1,74 @@
+From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
+From: Maks Verver <maks@verver.ch>
+Date: Tue, 8 Apr 2025 13:13:55 +0200
+Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
+Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
+CVE: CVE-2025-32414
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ python/libxml.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+diff --git a/python/libxml.c b/python/libxml.c
+index 1fe8d685..2bf14078 100644
+--- a/python/libxml.c
+++ b/python/libxml.c
+@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ #endif
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len);
+    /* When read() returns a string, the length is in characters not bytes, so
+       request at most len / 4 characters to leave space for UTF-8 encoding. */
+    ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+        printf("xmlPythonFileReadRaw: result is NULL\n");
+        return(-1);
+@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+        Py_DECREF(ret);
+        return(-1);
+     }
+-    if (lenread > len)
+-       memcpy(buffer, data, len);
+-    else
+-       memcpy(buffer, data, lenread);
+    if (lenread < 0 || lenread > len) {
+       printf("xmlPythonFileReadRaw: invalid lenread\n");
+       Py_DECREF(ret);
+       return(-1);
+    }
+    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }
+@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ #endif
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
+    /* When io_read() returns a string, the length is in characters not bytes, so
+       request at most len / 4 characters to leave space for UTF-8 encoding. */
+    ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+        printf("xmlPythonFileRead: result is NULL\n");
+        return(-1);
+@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+        Py_DECREF(ret);
+        return(-1);
+     }
+-    if (lenread > len)
+-       memcpy(buffer, data, len);
+-    else
+-       memcpy(buffer, data, lenread);
+    if (lenread < 0 || lenread > len) {
+       printf("xmlPythonFileRead: invalid lenread\n");
+       Py_DECREF(ret);
+       return(-1);
+    }
+    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 1cbd620b34..e281a39fd4 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -37,6 +37,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
           file://CVE-2025-27113.patch \
           file://CVE-2024-56171.patch \
           file://CVE-2025-24928.patch \
+           file://CVE-2025-32414.patch \
           "
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
author	Peter Marko <peter.marko@siemens.com>	2025-04-27 18:34:46 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-05-02 08:12:41 -0700
commit	2d34048266ba9c9b50f898360a8865fc6b055f48 (patch)
tree	c0244070fc984f47a03ad670e6ec71747424bc0e
parent	68f82bca137634f4ef7d71c91fbe7f9ed19d8464 (diff)
download	poky-2d34048266ba9c9b50f898360a8865fc6b055f48.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch new file mode 100644 index 0000000000..23a2316672 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
@@ -0,0 +1,74 @@
		1	From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
		2	From: Maks Verver <maks@verver.ch>
		3	Date: Tue, 8 Apr 2025 13:13:55 +0200
		4	Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
		5
		6	Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
		7
		8	CVE: CVE-2025-32414
		9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2]
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	python/libxml.c \| 28 ++++++++++++++++++----------
		13	1 file changed, 18 insertions(+), 10 deletions(-)
		14
		15	diff --git a/python/libxml.c b/python/libxml.c
		16	index 1fe8d685..2bf14078 100644
		17	--- a/python/libxml.c
		18	+++ b/python/libxml.c
		19	@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
		20	#endif
		21	file = (PyObject *) context;
		22	if (file == NULL) return(-1);
		23	- ret = PyEval_CallMethod(file, (char ) "read", (char ) "(i)", len);
		24	+ /* When read() returns a string, the length is in characters not bytes, so
		25	+ request at most len / 4 characters to leave space for UTF-8 encoding. */
		26	+ ret = PyEval_CallMethod(file, (char ) "read", (char ) "(i)", len / 4);
		27	if (ret == NULL) {
		28	printf("xmlPythonFileReadRaw: result is NULL\n");
		29	return(-1);
		30	@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
		31	Py_DECREF(ret);
		32	return(-1);
		33	}
		34	- if (lenread > len)
		35	- memcpy(buffer, data, len);
		36	- else
		37	- memcpy(buffer, data, lenread);
		38	+ if (lenread < 0 \|\| lenread > len) {
		39	+ printf("xmlPythonFileReadRaw: invalid lenread\n");
		40	+ Py_DECREF(ret);
		41	+ return(-1);
		42	+ }
		43	+ memcpy(buffer, data, lenread);
		44	Py_DECREF(ret);
		45	return(lenread);
		46	}
		47	@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
		48	#endif
		49	file = (PyObject *) context;
		50	if (file == NULL) return(-1);
		51	- ret = PyEval_CallMethod(file, (char ) "io_read", (char ) "(i)", len);
		52	+ /* When io_read() returns a string, the length is in characters not bytes, so
		53	+ request at most len / 4 characters to leave space for UTF-8 encoding. */
		54	+ ret = PyEval_CallMethod(file, (char ) "io_read", (char ) "(i)", len / 4);
		55	if (ret == NULL) {
		56	printf("xmlPythonFileRead: result is NULL\n");
		57	return(-1);
		58	@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
		59	Py_DECREF(ret);
		60	return(-1);
		61	}
		62	- if (lenread > len)
		63	- memcpy(buffer, data, len);
		64	- else
		65	- memcpy(buffer, data, lenread);
		66	+ if (lenread < 0 \|\| lenread > len) {
		67	+ printf("xmlPythonFileRead: invalid lenread\n");
		68	+ Py_DECREF(ret);
		69	+ return(-1);
		70	+ }
		71	+ memcpy(buffer, data, lenread);
		72	Py_DECREF(ret);
		73	return(lenread);
		74	}


diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 1cbd620b34..e281a39fd4 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -37,6 +37,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
37	file://CVE-2025-27113.patch \	37	file://CVE-2025-27113.patch \
38	file://CVE-2024-56171.patch \	38	file://CVE-2024-56171.patch \
39	file://CVE-2025-24928.patch \	39	file://CVE-2025-24928.patch \
		40	file://CVE-2025-32414.patch \
40	"	41	"
41		42
42	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"	43	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"